Google Wallet reveals unencrypted data in rooted devices

Google Wallet leaves sensitive credit card data unencrypted when used on a rooted device, defined here as any Android device running a custom version of the OS, according to research firm ViaForensics. This data includes the name on the card, the last four digits of the card number, the card limit, the expiration date, and transaction dates and locations. The full credit card number, however, is not exposed. ViaForensics also says that the app creates a recoverable image of an associated credit card, which could be used in a “social engineering” attack. Some of these details remain recoverable even after the Google Wallet account has been reset.

Although the test was performed on a rooted phone, which limits the finding to some Android devices, a stolen phone running a default version of the OS can still be rooted, giving access to the same data. “Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high,” says the firm. “For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.”

While Google says that the study does not “refute” the effectiveness of its built-in security, it has nonetheless changed the Google Wallet app to close the hole. “Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge,” says the firm. “Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.”
