viaForensics analyzed the security of Google Wallet in mid-December and supplied its results to Google privately. The addendum to the report, which came out this week, examines the patched version of the app – and still finds its security lacking.
Big holes in Google Wallet
Rather than storing all the data in a single, highly secured database, Google Wallet stores credit card balances, limits, expiration dates, credit-card numbers and other data in separate places, some of which are well secured, some of which are entirely exposed, according to the viaForensics report.
Data about credit-card accounts are stored in SQLite databases under light encryption, but the card holder’s name, expiration date, last four digits of the account and email account of the owner are all recoverable, according to viaForensics reports.
Google Analytics, which is built into many Google software products, tracks what Google Wallet is doing just as it tracks other applications – in a way that might allow hackers to intercept that data by eavesdropping on Google Analytics’ calls home, or by reading the logs and databases Analytics stores on the phone.
Two other major flaws have been fixed in the most recent version, including a weakness that allowed critical data to be recovered even after it had been deleted. Google Wallet also created an image of each credit card entered in its database, and that image was also recoverable. Neither of those flaws continues to be an issue, the report found.
The biggest problem with Google Wallet is that it’s difficult or impossible to know where all the data about credit cards and bank accounts is stored, which applications can access it, how it is all secured and when it has been deleted securely enough that it can’t be recovered.
Most of the data within Google Wallet itself "is not insecurely stored," in viaForensics' deadpan description. Requiring a PIN to access credit cards adds another layer of security.