Rooting Android phone bypasses Google Wallet security; just one of many remaining flaws

Fixing flaw that let hackers delete and replace PIN hardly reduces security risks at all

Google has made another round of changes in Google Wallet in an effort to plug the security holes in the Wallet software itself, though insecurities in Android still leave a lot of information exposed.

Google put Wallet through one set of security fixes after security analysis firm viaForensics privately shipped it a report showing a series of vulnerabilities caused by the inconsistencies in the way Android handles and stores data.

While some sensitive credit card and other payment information is stored as encrypted records in a secure SQLite database, the cardholder's name, email, last four digits of the account number and other data are recorded in logs, unencrypted data stores and other insecure spots that are typical storage areas for Android applications.

The biggest issue is what happened when someone other than the owner of a Google Wallet-equipped phone cleared the login data from the Google Wallet app: the previous user's login could be deleted without harming the credit-card data stored in the app.

So anyone finding or stealing a Wallet-equipped phone had only to clear the previous user's login data, plug in his or her own login and password and Wallet was ready to let a stranger spend its owner's money freely.

Google temporarily shut down the app's ability to record and use prepaid cards to avoid that risk.

Google has now re-released Wallet with the cleared-data-login flaw removed. It has not addressed the other issues viaForensics called out, however.

It has also not addressed how to secure financial data on a phone that has been rooted to give the owner more than titular control over the operating system and the apps or functions preconfigured to match the needs of the carrier rather than the user.

Rooting an Android phone bypasses the security built into Google Wallet, a gaffe Google hasn't discussed much or fixed at all.

For the time being, given the myriad ways Android supplies for avoiding the security of any native app, especially Google Wallet, it's probably better to use a safer method of no-contact payments than the NFC-enabled Google Wallet.

Standing back from the counter at a store and throwing cash at the clerk seems as if it would be a little more controlled, as would the "make it rain" technique made popular in music-video scenes shot inside strip clubs.
