Hold the phone! Google Wallet appears to have a security leak.
Google's contactless mobile-payment application has failed an important security test, primarily for storing too much of consumers' personal data on the phone.
The app does not store the customer's entire credit card number, but it does store the user's name, credit card balance, limits, expiration and transaction dates, and locations on the phone itself in the application's databases directory. Crooks also could recover the last four digits of the user's card number and email address from lost or stolen phones.
In reacting to the security test conducted by Chicago-based viaForensics, Google points out that the sensitive information is retrievable only from a phone whose operating system has been broken into so system files may be accessed.
"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet," says spokesperson Nathan Tyler. "This report focuses on data accessed on a rooted phone. But even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."
However, malicious software, such as Droid Dream, have been known to enable attackers to break through Android security and gain root access to the phone. Once such a break-in occurs, the customer information stored on the phone would be sufficient to launch a social engineering attack, according to Andrew Hoog, viaForensics chief investigative officer.
"You could send someone a message containing information about their transactions and balance and say you need to confirm their card number," Hoog explains. "The fact that the sender knew you had conducted a transaction that afternoon would convince most people that it was legitimate."
Having this information available on the consumer's device does provide convenience, Hoog acknowledges. For instance, once the consumer chooses a credit card to use in the Google Wallet, the app displays the card balance and next payment due.
"As a consumer, when that popped up, I thought, that's great, because I can never remember what my balance is and when the payment is due and here it is," Hoog says. "I really liked that feature. The problem is they shouldn't store it unencrypted."
Google should either encrypt the information or not store it in the device, he says.
Google Analytics also tracks activity stored in the phone log, which also could give a cybercriminal insight into the customer's purchasing and account behavior.
Google's is not the only mobile-payment software to fail viaForensics' tests. Square Inc.’s Square mobile-payment app also did. But although the Square app stores less personal information than Google's does, the Google Wallet is more secure than Square, Hoog says.
"Square has some pretty big issues that we don't look at in the appWatchdog [the company's security testing service]," he says. AppWatchdog only looks at what information is securely stored and transmitted.
"Square has unencrypted readers, and that's a really big deal. Contrast that with what Google Wallet did, which was they invested in Near Field Communication and a secure element,” Hoog says. “They put a lot of engineering into controlling access to that data. Square has been going out and capturing market share, so they built cheap, unencrypted credit card readers that they could send out to the masses."
Google does many things right security-wise with its wallet, including requiring a four-digit PIN. This makes it more secure than a card magnetic stripe, which any criminal could steal and use to create counterfeit cards. Anyone who steals an Android phone loaded with the Google Wallet app would have to correctly guess the owner's PIN to buy something with it.
"Google, to their credit, said I can't give access to your wallet, I'm going to force you to put in a PIN,” Hoog says. “The critical thing you need to implement with encryption is a password that is not stored in the device but in another system, such as the end user's brain. That's that random, unknown piece of information that unlocks it for you."
The Google Wallet thwarted a man-in-the-middle attack viaForensics attempted. In a man-in-the-middle attack, a cybercriminal intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one so the two original parties still appear to be communicating with each other. During this test, the path from which the request was made was rejected and provisioning failed.
Google uses a chip hardwired into the phone, called a secure element, to receive cardholder credentials and account information provisioned by First Data Corp. and MasterCard Worldwide’s PayPass technology. Although this is generally considered the most secure way to handle contactless payment information, the secure element has been an issue for Verizon.
The telco last week asked Google not to include the Google Wallet app on the Google/Samsung Galaxy Nexus phone, which was expected to ship in early December but has been delayed (Google has already fixed two issues Hoog discovered in earlier tests. In the first version of Google Wallet, the app displayed a picture of a credit card with the user's information on it. That feature was removed from the app. Earlier versions also did not properly delete data when the user reset the Wallet app; Google engineers addressed this too.
Overall, the Google Wallet is "probably on par" with comparable mobile-payment apps, Hoog says. "With the amount of data they store about the card and transactions, we couldn't give them a pass," he says.
Mobile-payment providers tend to be more concerned with features and deadlines than with the implications stored on devices, Hoog says. Google also may feel the security and controls built into the Android are sufficient to protect consumers’ information.
But mobile malware is growing, Hoog says. There have been up to 40 instances of malware discovered targeting Android devices (on which the Google Wallet runs).
"Some of them have the ability to escalate privileges and get root access to the system,” Hoog says. “Malware is the storm that's on the horizon."
What do you think about this? Send us your feedback.
