Rooting Android phone bypasses Google Wallet security; just one of many remaining flaws
Fixing flaw that let hackers delete and replace PIN hardly reduces security risks at all
Google has made another round of changes in Google Wallet in an effort to plug the security holes in the Wallet software itself, though insecurities in Android still leave a lot of information exposed.
Google put Wallet through one set of security fixes after security analysis firm viaForensics privately sent it a report showing a series of vulnerabilities caused by the inconsistencies in the way Android handles and stores data.
While some sensitive credit card and other payment information is stored as encrypted records in a secure SQLite database, the cardholder's name, email, last four digits of the account number and other data are recorded in logs, unencrypted data stores and other insecure spots that are typical storage areas for Android applications.
The biggest issue is what happened when someone other than the owner of a Google Wallet-equipped phone cleared the login data from the Google Wallet app: the previous user's login could be deleted without harming the credit-card data stored in the app.
So anyone finding or stealing a Wallet-equipped phone had only to clear the previous user's login data, plug in his or her own login and password and Wallet was ready to let a stranger spend its owner's money freely.
Google temporarily shut down the app's ability to record and use prepaid cards to avoid that risk.
Google has now re-released Wallet with the cleared-data-login flaw removed. It has not addressed the other issues viaForensics called out, however.
It has also not addressed how to secure financial data on a phone that has been rooted, that is, modified to give the owner more than nominal control over the operating system and over the apps or functions that were preconfigured to suit the carrier rather than the user.
Rooting an Android phone bypasses the security built into Google Wallet, a gaffe Google hasn't discussed much or fixed at all.
For the time being, given the myriad ways Android supplies for bypassing the security of any native app, especially Google Wallet, it's probably better to use a safer method of no-contact payments than the NFC-enabled Google Wallet.
Standing back from the counter at a store and throwing cash at the clerk seems as if it would be a little more controlled, as would the "make it rain" technique made popular in music-video scenes shot inside strip clubs.
If you prefer not to fling your finite wealth either at a direct target or into the environment at random, it's probably better to stick to checks, debit cards, encrypted Internet connections, barter, freecycling, PayPal, Bitcoin or any of the other incredibly limited ways that currently exist to pass money from one person or organization to another.
Google Wallet just isn't ready yet. I hope the economy can survive the lack of an Android-enabled NFC-based random cash-for-hackers distribution device. Not using it will certainly benefit all our individual microeconomies more than trying to get Wallet to work securely, at least right now.