ViaForensics finds Google Wallet security vulnerability with a rooted Android phone

ViaForensics finds Google Wallet security vulnerability with a rooted Android NFC phone, Google plugs it tight within hours

It was bound to happen that someone would find a vulnerability in an NFC mobile wallet, however, as exploits go the Google Wallet faired pretty well. ViaForensics took a rooted Android phone that we can only assume was a Nexus S and was able to gain access to database tables which revealed some arguably sensitive data. They found that databases weren’t properly flushed after cards were deleted from the Google Wallet.

We do want to commend ViaForensics for taking the time to go through Google Wallet and pull out potential vulnerabilities though. It’s through their efforts that all of our Google Wallets are a little more secure today. The issues the firm found were as follows:

1. Data was stored in various SQLite databases that included credit card balances, card limits, expiration dates, locations and transaction dates. The firm also suggested they found more but we are assuming it wasn’t pertinent enough to mention.
2. The name on the card, the expiration date and the last 4 digits and email account were all recoverable.
3. When Google Wallet was reset the data minus the whole credit card number and CVV was still recoverable.
4. Google Wallet analytics that stored information about transactions was scattered in various databases.
5. The Google Wallet app stored a recoverable image of a user’s credit card that showed the last four digits of the card number, the expiration date and name on the card.

ViaForensics found that an NFC smartphone that hadn’t been rooted was secure

Without root access the ViaForensics report concluded that Google Wallet is safe although they did add that they still had more tests to run. They even let us know what those test were and they included:

1. Test NFC tap events with a USB NFC reader
2. Inspect/decompile the Google Wallet APK
3. Determine how gift card activity is stored
4. Attempt a relay attack
5. Proxy the network traffic to determine data protocols
6. Attempt to access the Secure Element data

I think it’s safe to assume there are people over at Mountain View going through that list and attempting each item on that check list right now. However, even with root access ViaForensics was unable to get into the Secure Element and states that “from a tech standpoint, it’s very exciting to see Google Wallet in production. However, it has consistently been ViaForensics’ position that the largest security risk from apps using NFC do not stem from the core NFC technology but instead the apps that use the technology.”

Never a truer word has been spoken. Every month or so we get a security update for our Mac or PC, and we probably have credit card details on those also. Software always has been and always will be the weak link for security of data. We have noticed multiple updates on our Google Wallet apps since we activated them a few months ago so we assume that these updates are in part due to plugging security holes that the team has found. In actuality we confirmed this was the case with Google.

Obviously, the security of any NFC mobile wallet is going to make big news. However, it is worth remembering that if someone gets hold of your current card here in the States they already have everything they need to make purchases. Google Wallet, even under the circumstances laid out in the ViaForensics report, is more secure than any other form of payment around today. For a thief to be lucky and get hold of your phone, which is generally within 5 feet of most consumers, they would have to ensure it was rooted, or root it themselves. Even then, based on the findings of the ViaForensics report, they could not make a purchase. Obviously nobody wants the data that was found in the database tables to become public knowledge, and yes it should be secured better. With Google Wallet, only if the phone was rooted could ViaForensics get hold of some sensitive data that wasn’t even enough to make a purchase.

The Google Wallet PIN number remained secure, although the firm did say they didn’t try to brute force it. Every single member of the NFC Rumors team has a Google Wallet installed on our phones and none of us would stop using the service based on this report. Our Nexus S 4G’s are not rooted, and even if they were we all agreed we felt safer with Google Wallet than with our normal everyday credit cards.

Google’s response to the ViaForensics findings with the Google Wallet

We naturally hit up Google for their perspective on the report. A spokesperson from Google told NFC Rumors that ”The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers. Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.”

The way we see this report is that it only further builds the case for biometric security on NFC smartphones. With a sensor from a firm like AuthenTec, a thief couldn’t even access the home screen let alone root the device and gain access to databases. The secure element remained secure and ViaForensics attempted a Man in the Middle attack over WiFi and the Google Wallet successfully defended itself. At the end of the day, if something is man made it can be man broken. The point of security is to make the process of hacking any piece of technology sufficiently difficult so that it isn’t worth attempting.

Google has already taken care of some of the issues that were reported and will no doubt beef up security further, so for now there is no reason to distrust Google Wallet, fear NFC or any other NFC mobile wallet for that matter. You can bet it isn’t only Google Wallet getting secured up after the ViaForensics report, because you can bet all industry stakeholders with wallets are plugging those same holes as you read this.

In fact, Google also let us know that they are looking at different ways to store data that wouldn’t expose data in the same circumstances under which the ViaForensics tests was conducted under – a rooted NFC smartphone. We wouldn’t go as far to say this has been a storm in a teacup, but the secure element stood up to the test and no transactions could be conducted from the data that was exposed. Because Google Wallet is the first NFC mobile wallet in the market, it will be the first to have these issues highlighted, however, we see it as a learning curve that has sustained no casualties to date.