I just received the following email from Google Play

'Hello Google Play Developer,

We detected that your app(s) listed at the end of this email are invoking the in-app billing service without setting a target package for the intent. This can enable a malicious package to bypass the Play store billing system and access items that have not been purchased.

Next Steps

If you are using IabHelper, please start using the latest SDK. If you are manually invoking the in-app billing service, make sure you are calling Intent.setPackage(“com.android.vending”) on any intents to "com.android.vending.billing.InAppBillingService.BIND". Sign in to your Developer Console and submit the updated version of your app. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.'

I am not sure what is the fix for this problem. Can anyone tell where to specify the code? Is it somewhere in Java Class or the Manifest?

I received the same warning a few days ago and was already setting the package for the intent like this:

Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
serviceIntent.setPackage("com.android.vending");
bindService(serviceIntent, mServiceConn, Context.BIND_AUTO_CREATE);

The issue has gone away by updating to the latest versions of Google Play Services and targeting Lollipop (5.1) instead of KitKat (4.4)... if you're using any Google Play Apis make sure you update them to the newest versions and hopefully that'll fix it for you too.

We have also received this alert, and checked our apks. We found that old version of Google-Play-Service.jar seem to use intent for "com.android.vending.billing.InAppBillingService.BIND", witout setting setPackage.

We have also checked the latest Google-Play-Service.jar and this one was fine, so I'd suggest checking your library.

Search your whole code repository for the following code statement.

Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");

Wherever you have used the above intent, don't forget to add this code below serviceIntent.setPackage("com.android.vending");

There was two occurrences of the above intent in my whole code base, one was in IabHelper java file were if u use the latest in app billing sdk, this statement would be already added, Another occurrence, I used this intent to check if InApp Billing service was available, I have forgot to add the serviceIntent.setPackage("com.android.vending");, once i figured that out and updated my App in developer console, the warning message was removed after few hours.

You must update your IabHelper files with last SDK from:

https://github.com/googlesamples/android-play-billing/tree/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util

When you overwrite old files, Eclipse or Android Studio will display errors and you have to fix them, for example add try catch, or add one parameter to queryInventory function.

Remember update package name in new files if you changed it.

EDIT: Also finally I need update google_play_services.jar lib included in my project. After update this notification alert has hidden. I was using an older google play service lib. Now I am using rev 28 version.

The fix will be in your Java. Search your codebase for an Intent with the action "com.android.vending.billing.InAppBillingService.BIND", either passed into the constructor or set via Intent.setAction(). Before calling bindService() with that intent, you must explicitly set the package via Intent.setPackage().

Here is Google's sample code as reference: https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L296

There are three points to solve this problem.

1. Find com.android.vending.billing.InAppBillingService.BIND in your codes. Let every Intent to this call the method Intent.setPackage(“com.android.vending”).
2. Update SDK of IabHelper.
3. Update the Google Play Service library project. Make sure that these things are done correctly. Every point undone leads to this problem. If the problem still exists, maybe there is something wrong with other jars in your project.

I received the same warning. I was already setting the package when binding the InAppBillingService but I found that I was checking if the InAppBillingService exists like this:

boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND"), 0).isEmpty();

Make sure you are also setting the package here:

boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND").setPackage("com.android.vending"), 0).isEmpty();

I finally managed to solve this. First I had updated IabHelper, but that did not help. I then noticed that a dependency compile 'com.google.android.gms:play-services:6.1.71' in build.gradle. I changed this to com.google.android.gms:play-services:9.4.0. This was causing many compilation errors. But, then instead of using 9.4.0 version of play-services, I used individual google services of version 9.4.0. In my case it is only com.google.android.gms:play-services-auth:9.4.0 and com.google.android.gms:play-services-drive:9.4.0. This gives only a few compilation errors which I fixed in the code. This then I pushed on google play as alpha, waited 2 days. The warning alert did not popup for the build I uploaded.

Thank you.

Edit: I do not think we need to change IabHelper.java as long as it is setting setPackage("com.android.vending"). I reverted IabHelper.java, and uploaded a build only with 9.4.0 version of play-services-drive and play-services-auth changes. It did not throw warning.

Did not test this solution but you might still try it: replace serviceIntent.setPackage("com.android.vending"); with serviceIntent.setPackage("com.android.vending.billing.InAppBillingService.BIND"); in https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L297 or anywhere you have setPackage thing. Cheers.

UPDATE: Just update Google Play Services lib, worked for me. Cheers.

I had this issue and couldn't afford updating our old pipeline based in eclipse. So I basically decompiled google play service's library, patched the vulnerabilities in eb.java and dx.java, recompiled those two files and put them into the original JAR file. This is explained in my blog.

All the answers are correct. What I did was updates google play services and IAB helper and instead of using IAB helper I sed the method described in google in App purchases tutorial and it fixed the notifications.