
Wondering about security of in-app payments.

electricpete
I was always a little uneasy about in-app payments. If you have your Google account set up to require a password for purchases (which seems like a prudent thing to me), then it'll ask you for your Google password during the in-app purchase. But what's to prevent the app from spoofing the Google popup dialog to steal your password? Programming a popup to look like the Google popup and record a password is easy. All they'd lose is the single payment, which is a lot less valuable to me than my password.

So I do watch carefully for that confirmation of the transaction to pop up in my email (usually almost immediately), which makes me feel better that the popup was legitimate and my password hasn't been stolen. To steal my password AND still process the transaction, they'd need some kind of man-in-the-middle attack. Considering the security built into everything Google, I imagine that'd be a whoooole lot tougher to pull off than the simple pop-up input window that steals your password without processing the transaction to Google.


What do you think?
Do you agree it would be easy for an app developer to spoof the Google popup and steal your password (if he's willing to forgo the payment)?
Do you think it is safe as long as we get the Google confirmation email (or maybe that could be spoofed too...)?
Or maybe it's not worth worrying about as long as we have 2-factor authentication?
Interesting and scary thought, @electricpete. I think (and hope) the risk is fairly low, but it's certainly possible as you speculated:

- you'd have to have a malicious dev publishing a nefarious app

- the dev's app would have to still be present in the app store (i.e., Google would not have yet pulled the nefarious app from the Play Store)

- the app in question would have to be a free app with in-app purchases (if the user who downloaded it did not expect that, it would/could be a red flag, although I'm sure it would get past some folks)

- the user would have to have the password requirement enabled (or then subsequently be suspicious of the proposed pop-up)

- you'd only see this happening from the specific app that is spoofing the password-stealing pop-up -- or at least you should since the trigger for the in-app purchase should be some action taken from within that specific app itself, where an astute user would/could see what is going on and report it (being able to identify which nefarious app it was).

- in fact, the malicious dev and the nefarious app could only get away with this if the user didn't have the password requirement enabled since you would get a separate, legit pop-up from Google for the real in-app purchase, otherwise you'd see TWO pop-up requests--yet another suspicious action.

Given all of that and the salient points that you made, I do think it would be possible given that a lot of people are inattentive, gullible, or naive.
I guard against this security/password theft issue by refusing to install any app that does not have 1,000s of happy users.

I will not be the suffragette that tries it out first, or even in the 100s....

so far, either the theory is working for me, or the Play Store is fairly well managed for security issues??
I guard against this security/password theft issue by refusing to install any app that does not have 1,000s of happy users.

I will not be the suffragette that tries it out first, or even in the 100s....

so far, either the theory is working for me, or the Play Store is fairly well managed for security issues??

Unless the app had a programmed time delay of say, a few months, to allow loads of people to download and install it, before starting the account identity and password harvest..
To be honest, I'm surprised that abuse like this hasn't already happened. But I think Google must be carefully screening all submitted apps. They must have quite a big team working on it.
very interesting....

I am guessing ..
Google searches every new app submitted for pop ups.
confirms all security measures are met.

and....
I normally stay away from in-app purchases.
only when it is for a major app that has been supported for over 10k users.
and to get full apps that I like.
never games for stuff and refills.. that is just silly.
...
I am guessing ..
Google searches every new app submitted for pop ups.
confirms all security measures are met.

I would think it would be very difficult to automatically or programmatically scan the code to catch something like this since there are so many ways to assemble and obfuscate things.

One should always be vigilant just in case :).
Agree about the need to be vigilant!

And maybe important to point out that while not perfect, thanks to the Google Play Store Bouncer, you're 6 times more likely to get a nefarious app from outside the Play Store than in it.

http://www.pcmag.com/article2/0,2817,2456388,00.asp

That's by no means a guarantee - absolute security guarantees are impossible.

But we're not in it alone either.
Here's the thing. Anytime you put your info out there - be it on your cell phone, on your computer, on WiFi, or a land line - you have put your info out there and it's subject (in varying degrees) to being hijacked. I take certain precautions: I do not have any of my CC info on my phone, I do not use Google Pay, I do not even buy things from Google using my CC or debit card. I go and buy a Google Play card at a brick and mortar store and I add money to my Google account that way. I only buy online what I cannot get in person or what I can save a substantial amount on. I do book my travel via CC online of course, but my wife and I have 3 CCs total and we use one and only one for online purchases. So we have our firewalls up as much as possible. All that said, you're never 100% safe unless you exclusively use cash; just ask all the Target, Home Depot, etc. customers that had their info stolen. And even if you went 100% cash only (is that even possible anymore?) there's still a chance your ID will be stolen and you still get the shaft.

So I guess, long story short is, be careful. That's all you can do. Make it as difficult as possible to get got.