With great freedom comes greater chances of having your cash stolen
By Brad Reed on Thu, 02/09/12 - 11:46am.
So website categorization company zvelo caused a wee bit of a stir today when it exposed a potential security vulnerability in Google's near field communications (NFC)-enabled Google Wallet mobile payment platform. You can see a video of their efforts below:
To sum up: zvelo created an applciation that's capable of retrieving your Google Wallet PIN from your device, meaning that if someone were to steal your phone and use the application, they could use Google Wallet to go on a spending spree at your expense. But as zvelo notes in their own analysis, the app will only work if you have rooted your phone, which basically means you've mucked around with it and have torn down the barriers intended to put firewalls up between Google Wallet and the rest of the device. Quoth zvelo:
[T]he only solace is that this attack requires “root” privileges to succeed. Android has been designed such that each app runs in a “sandbox” and one app cannot access the data of another app due to the constraints imposed by kernel segregation of the “user ids” under which each app runs. In order for another app to access the data in the Google Wallet database, the device would already have to be “rooted” or it would have to exploit another vulnerability in Android, or the Linux subsystem, to read the files. This makes a remote attack very unlikely. However, a thief with this knowledge and physical access to the device could easily gain access to the PIN.
You do have to wonder how many people who pick pockets for a living are well-versed in the ins and outs of rooting smartphones, but I digress.
At any rate, Google has put out a response to the zvelo study that basically tells users they should be slapped upside the head if they root their phone with Google Wallet installed:
To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone. - Google
So there you have it, Android fans: If you don't want your Google Wallet account to get robbed blind, keep your device's security settings as they are. As Spider Man might say, "With great freedom comes greater risk of having your Google Wallet hacked." Or something to that extent.