News by Dan Seifert on Tuesday December 13, 2011.
|Sponsored links, if any, appear in green.|
A new study by security firm ViaForensics claims that Google Wallet leaves a large amount of sensitive data unencrypted on a user's smartphone, and all it takes is root level access on the device to get to the data.
The study showed that Google Wallet does a good job of encrypting a user's passwords, but that the financial data that is part of a Google Wallet transaction, such as the last four digits of the credit card number, card expiration date, name on the card, credit limit, and transaction records, is all stored in unencrypted databases. All that a nefarious user has to do is root the phone to get access to the various pieces of financial data. Apparently, most of the data that is stored is still accessible even if the Google Wallet app has been reset or deleted.
"While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card)," said ViaForensics. "Many consumers would not find it acceptable if people knew their credit card balance or limits."
The unencrypted data offers the last four digits of a user's credit card, and when combined with the expiration date and recent transactions, it is easy to see how an attacker could use this information to their advantage. Fortunately, the CVV number and full credit card number is stored in an encrypted area of the smartphone's NFC chip, and is not accessible even when rooted.
Still, this kind of privacy leak is likely to be disconcerting to users. Should they lose their smartphone that they have been using Google Wallet with, it could fall into the wrong hands, and with a little bit of effort and a Google search, an attacker could create a big headache for the user.
Google has responded to the report, saying: "The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers. Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."
ViaForensics submitted its report on November 30 and did say that a recent software update has addressed some of the security concerns that were brought to light, but not all of them. Currently, the only phone on the market with official Google Wallet support is the Google Nexus S 4G for Sprint, though users have successfully gotten the system to work on the Google Galaxy Nexus, which has a similar NFC chip built in. [via CNET]
Dan is MobileBurn.com's Editor-in-Chief. Based in Poughkeepsie in New York, Dan can be found on Twitter as @DCSeifert.