According to recent research conducted by security firm ViaForensics that tested the security of Google Wallet, that allows users to pay for transactions in physical stores by swiping their phones in front of NFC-enabled readers like those compatible with MasterCard’s PayPass service, suggests that the application does not thoroughly protect users’ personal data, storing it in an unencrypted format. While Google Wallet hides the full credit card account number, the last four digits reside in plain text in the app’s local SQLite database.
Image Credit: (Google)
First reported by CNET over the weekend, the newly discovered study created a storm of controversy that smartphones using the Google Wallet Near Field Communication payment system keeps unencrypted data out, many firms have expressed concerns that the lack of encryption leaves the data open to cyber-criminals. Google Wallet is currently only officially available on the Nexus S and Nexus S 4G.
Data that is accumulated on the device in various SQLite databases in unencrypted form also includes name on the card, the last four digits of the credit card, card limit, expiration date, transaction dates, and locations, ViaForensics said in a report titled “Forensic security analysis of Google Wallet.”
“While Google Wallet does a decent job securing your full credit card numbers, the amount of data that Google Wallet stores unencrypted on the device is significant,” states ViaForensics’ report. “Many consumers would not find it acceptable if people knew their credit card balance or limits.”
Image Credit: (ViaForensics)
ViaForensics went on to reveal its own concerns that would-be hackers could use the unencrypted information to launch a phishing scam targeting Google Wallet users.
“They miscalculated the value of data that consumers are not comfortable with [being exposed],” said Andrew Hoog, chief investigative officer for ViaForensics. “I’m not secure with someone knowing my credit limit or when my payments are due … If you had that type of information, you could effectively do a social-engineering attack that could get [an attacker] access to an account.”
Despite the study, Google has reassured users that the service is still safe and only affects rooted devices. The good news according to the research firm is that the app does ward-off man-in-the-middle attacks, and is protected by a PIN to conduct transactions with the cards. “The ViaForensics study does not disregard the effectiveness of the multiple layers of security built into the Android OS and Google Wallet,” Google said to CNET.
“The ViaForensics report emphasizes on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers,” a Google spokesman said in a statement. The report also applauds the layered security built into the OS and app, the spokesperson said. Android actively safeguards against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.
Charlie Miller, a chief research consultant at Accuvant, commended Google Wallet for collecting the credit number and other data on the secure element but said it is not impossible to imagine how someone could get root access to a phone and thus see the other data that is exposed. The owner of a phone could drop it and a stranger could pick it up and root it, or the owner could unwittingly download an app that has an exploit in it that can get root privileges, he said. “But generally an app would not be able to access that data,” Miller added.
Finally, the report concludes that further, more comprehensive security analysis of the software is warranted. While the author expresses excitement about the potential of NFC technology, he also says that “the amount of unencrypted data store[d] by Google Wallet surpasses what we believe most consumers find acceptable.”
The research firm revealed its findings to Google on November 30. Google went on to claim that it was aware of the security glitch and it had already “addressed” it in a software update.