Even after rewrites, Google Wallet retains gaping security holes, mainly due to Android

Google Wallet got patches for some security holes, but still leaves too much data exposed

In December Stanford Law Professor Barbara van Schewick filed a formal complaint with the FCC asking it to investigate whether Verizon’s decision to exclude the Google Wallet from its menu of mobile services violated net neutrality rules by favoring one vendor’s product over another.

Some Verizon users may feel lucky to have been excluded following the revelation of a major security flaw in Google Wallet security.

The problem isn't in the near-field-communications (NFC) radio link that lets Google Wallet users use smartphones like contactless credit or debit cards.

The problem is in the way Google Wallet itself is configured and in the inherent weaknesses of Android, which was designed to be as open as possible to new functions and applications and is, as a result, just as open to exploits, hacks and simple eavesdropping that would make secure smartphone banking impossible.

NFC is a variant of the RFID radio-frequency networking protocol that allows smart-chipped credit cards, passports, cargo-tracking systems and other location-dependent applications to wirelessly identify specific items using the signal from tiny, relatively inexpensive chips.

Using NFC, Google Wallet turns smartphones into transponders that can securely link with and exchange payment data with NFC-enabled payment-processing systems.

The idea is to eliminate the need to carry a wallet full of plastic by connecting smartphones directly to secure payment-processing systems so consumers can use their smartphones as the hardware token that allows them to authenticate themselves when making purchases at retail stores, vending machines and almost anywhere else.

NFC is popular in northern Europe, where it has been built into cell phones for years, but it has not built up the vendor support or consumer confidence it would need to succeed in the United States.

Google Wallet is available only on the Samsung Galaxy Nexus on Sprint’s network.

Google Wallet might have changed that by putting NFC payment potential in the pockets of millions of Android users in the U.S.

Unfortunately for NFC advocates and Google, only the most obvious portions of the data Google Wallet collects are kept secure, according to mobile-security analysis vendor viaForensics.

viaForensics analyzed the security of Google Wallet in mid-December and supplied its results to Google privately. The addendum to the report, which came out this week, examines the patched version of Google Wallet – and still finds it lacking.

Big holes in Google Wallet

Rather than storing all the data in a single, highly secured database, Google Wallet stores credit card balances, limits, expiration dates, credit-card numbers and other data in separate places, some of which are well secured, some of which are entirely exposed, according to the viaForensics report.

Data about credit-card accounts are stored in SQLite databases under light encryption, but the card holder’s name, expiration date, last four digits of the account and email account of the owner are all recoverable, according to viaForensics reports.
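One way an auditor can check a device database for the kind of exposure the report describes, as an added example that is not code from the article or from viaForensics; the schema, the sample row and the field patterns are constructed for illustration:

```python
"""Audit a SQLite database for cardholder data left in cleartext.

Added example, not code from the article or viaForensics: it scans every
text column for the field types the report says were recoverable (expiry,
last four digits, email). Patterns are constructed; adjust to your schema.
"""
import re
import sqlite3
from typing import Dict, Optional, Tuple

PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "expiry": re.compile(r"^(0[1-9]|1[0-2])/\d{2}$"),
    # Four bare digits also match years or PINs, so review these hits by hand.
    "last_four": re.compile(r"^\d{4}$"),
}

def classify(value: object) -> Optional[str]:
    """Return the category a single stored value matches, if any."""
    if not isinstance(value, str):
        return None
    for name, pattern in PATTERNS.items():
        if pattern.match(value):
            return name
    return None

def audit_cleartext(conn: sqlite3.Connection) -> Dict[Tuple[str, str], str]:
    """Map (table, column) to the category of cleartext data found there."""
    findings: Dict[Tuple[str, str], str] = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for info in conn.execute(f'PRAGMA table_info("{table}")'):
            column = info[1]
            for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}"'):
                category = classify(value)
                if category:
                    findings[(table, column)] = category
                    break  # one hit is enough to flag the column
    return findings

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample modelled on the report's description, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, expiry TEXT, last4 TEXT,"
                 " email TEXT, pan_enc BLOB, balance REAL)")
    conn.execute("INSERT INTO cards VALUES (?, ?, ?, ?, ?, ?)",
                 ("Jane Example", "09/14", "4242", "jane@example.com",
                  b"\x8f\x01\x77\x2a", 1200.0))
    return conn
```

Columns that hold only blobs or numbers (the encrypted PAN, the balance) are not flagged, which mirrors the report's point that the encrypted parts are fine and the cleartext text fields are the problem.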

Google Analytics, which is built into many Google software products, tracks what Google Wallet is doing just as it tracks other applications – in a way that might allow hackers to intercept that data by eavesdropping on Analytics' calls home, or by reading the logs and databases Analytics stores on the phone.

Two other major flaws have been fixed in the most recent version, including a weakness that allowed critical data to be recovered even after it had been deleted. Google Wallet also created an image of each credit card entered in its database, and that image was also recoverable. Neither of those flaws continues to be an issue, the report found.

The biggest problem with Google Wallet is that it’s difficult or impossible to know where all the data about credit cards and bank accounts is stored, which applications can access it, how it is all secured and when it has been deleted securely enough that it can’t be recovered. 

Most of the data within Google Wallet itself "is not insecurely stored," in viaForensics' deadpan description. Requiring a PIN to access credit cards adds another layer of security.

However, "the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack." – viaForensics, Forensic security analysis of Google Wallet, published Dec. 12, 2011, updated Feb. 8, 2012.

Google Wallet is the first credible mass-market attempt at an NFC-based smartphone payment program in the U.S., and it won't be the last.

It won't be the first successful one while it carries the weaknesses viaForensics listed, however.

The big question about security isn't about Google Wallet, though. Insecure applications can be effectively locked down in future versions if the vendor is motivated.

Android itself is so opaque about the ways and places it stores data on its users, so insecure and uncommunicative about the access software vendors and carriers have to that data, and so lacking in basic security controls consumers can apply themselves to feel confident about their own data, that I doubt it can be a credible platform for mobile payments.

The easiest way to do it would be to create an encrypted, secured area within the phone that doesn’t feed data to apps, carriers or anyone else without the owner's permission.

So far, even Google Wallet doesn’t appear to be moving toward even that kind of aftermarket, kludgy approach to making an open device secure enough to be trusted with more than Facebook logins and Angry Birds scores.
