Google's contactless mobile payment application, Google Wallet, has long been thought by experts to be secure due to its use of a hard-to-break secure hardware element for handling cardholder credentials and account information. But the fledgling app has failed a security test conducted by viaForensics, primarily for storing too much of consumers' personal data on the phone. While the app doesn't store the customer's entire credit card number, it does store the user's name, credit card balance, limits, expiration date, and transaction dates and locations on the phone itself (in the application's databases directory). The last four digits of the user's card number and email address are also recoverable from the phone.
Google's response to this test points out that this sensitive information can only be retrieved from a rooted phone, in other words, one whose operating system has been broken into so that system files can be accessed. "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet," says spokesperson Nathan Tyler. "This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."
However, there have been instances of malware, such as Droid Dream, that have let attackers break through Android security and gain root access to the phone.
Once such a break-in occurs, the customer information stored on the phone would be sufficient to launch a social engineering attack, according to Andrew Hoog, chief investigative officer at viaForensics. "You could send someone a message containing information about their transactions and balance and say you need to confirm their card number," Hoog explains. "The fact that the sender knew you had conducted a transaction that afternoon would convince most people that it was legitimate."
Having this information available on the consumer's device does provide convenience, Hoog acknowledges. For instance, once the consumer chooses a credit card to use in the Google Wallet, the app displays the card balance and next payment due. "As a consumer, when that popped up, I thought, that's great, because I can never remember what my balance is and when the payment is due and here it is," Hoog says. "I really liked that feature. The problem is they shouldn't store it unencrypted." Google should either encrypt the information or not store it in the device.
A further security issue is that Google Analytics tracks activity that is stored in the phone log, which again could give a cybercriminal insight into the customer's purchasing and account behavior.
Google's is not the only mobile payment software to fail viaForensics' tests — Square and others also have. But although the Square app stores less personal information than Google's does, the Google Wallet is more secure than Square, Hoog says. "Square has some pretty big issues that we don't look at in the appWatchdog [the company's security testing service]," he says. appWatchdog only looks at what information is securely stored and transmitted. "Square has unencrypted readers and that's a really big deal. Contrast that with what Google Wallet did, which was they invested in near-field communication and a secure element, they put a lot of engineering into controlling access to that data. Square has been going out and capturing market share, so they built cheap, unencrypted credit card readers that they could send out to the masses."
Google does do many things right security-wise with its Wallet app, including requiring a four-digit PIN. This makes it more secure than a magnetic stripe credit card, which any criminal could steal and use. Anyone who stole an Android phone loaded with the Google Wallet app would have to correctly guess the owner's PIN to buy something with it. "Google, to their credit, said I can't give access to your wallet, I'm going to force you to put in a PIN. The critical thing you need to implement encryption is a password that's not stored in the device but in another system, such as the end user's brain. That's that random, unknown piece of information that unlocks it for you."
The Google Wallet thwarted a man-in-the-middle attack viaForensics attempted. In a man-in-the-middle attack, a cybercriminal intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other. During this test, the path from which the request was made was rejected and provisioning failed.
Google uses a chip hardwired into the phone, called a secure element, to receive cardholder credentials and account information provisioned by First Data and MasterCard PayPass. Although this is generally considered the most secure way to handle contactless payment information, the secure element has been an issue for Verizon, which last week asked Google not to include the Google Wallet app on the Google/Samsung Galaxy Nexus phone, which was expected to ship in early December but has been delayed. Verizon is working with other telecom providers on a competing contactless mobile payment scheme called Isis, for which Gemalto was selected today as a technology provider.
Google has already fixed two issues Hoog discovered in earlier tests. In the first version of Google Wallet, the app displayed a picture of a credit card with the user's information on it. That feature has been removed from the app. Earlier versions also did not properly delete data when the user reset the Wallet app; this too has been addressed by Google engineers.
Overall, the Google Wallet is "probably on par" with comparable mobile payment apps, Hoog says.
"With the amount of data they store about the card and transactions, we couldn't give them a pass," he says.
Mobile payment providers tend to be more concerned with features and deadlines than with the implications of storing data on the devices, Hoog says. Google also may feel the security and controls built into the Android operating system are sufficient to protect people's information.
But mobile malware is growing, Hoog says. There have been about 30 or 40 instances of malware discovered targeting Android devices. "Some of them have the ability to escalate privileges and get root access to the system," he says. "If I were a criminal who was trying to make money off of malware and I had an exploit that would work on Android, I would say I have access to this device, what information do I want to pull out? I know on the device where to go to find out the user's information, and I can just pull that information and upload it to a server. Malware is the storm that's on the horizon."