Softpedia
 


December 13th, 2011, 12:44 GMT · By Eduard Kovacs

Google Wallet Stores Too Much Unencrypted Data, Researchers Say

A recent forensic analysis performed by researchers from ViaForensics showed that while Google’s Wallet application can be highly useful for smartphone owners, doing a good job protecting their assets, there are some issues that may be considered security risks.

During the experiment, which was performed on a rooted device, three methods of breaking the Wallet’s security were attempted: man-in-the-middle (MitM) attacks, forensic analysis on the data stored on a device and the examination of system logs.

The first conclusion was that MitM attacks are no match for the application: the experts' attempts failed both during account setup and while adding a credit card.

In the second phase, the forensic analysis, things became more interesting: the app’s cache directory revealed pictures of some credit cards, the most significant visible information being the card’s expiration date.

Fortunately, even before the paper was finished, Google issued an update that resolved this issue.

The SQL databases revealed the most information on the device’s owner, including credit card balance, limits, expiration date, cardholder name, transaction dates and locations. Since all the data was left unencrypted, some may consider this a serious privacy risk.

Another security bug that Google quickly patched was that the delete transaction and reset functions didn’t actually delete the data; the researchers proved that it could have been easily recovered.
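The delete finding above, reproduced in miniature as an added example (not code from viaForensics or Google). It assumes the records sat in SQLite, the usual store for Android app databases; the table, column and file names are hypothetical and the rows are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; not data from the viaForensics report.
ROWS = [
    (1, "ALICE EXAMPLE", "2014-08", "coffee shop, constructed"),
    (2, "BOB SAMPLE", "2013-01", "bookstore, constructed"),
]
MARKER = b"ALICE EXAMPLE"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert rows, delete row 1, and report whether its bytes are still in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_demo.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set explicitly: the library default depends on how SQLite was compiled.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute(
            "CREATE TABLE txn (id INTEGER PRIMARY KEY, cardholder TEXT, "
            "expiry TEXT, place TEXT)"
        )
        conn.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)", ROWS)
        conn.commit()
        conn.execute("DELETE FROM txn WHERE id = 1")
        conn.commit()
        visible = conn.execute("SELECT COUNT(*) FROM txn WHERE id = 1").fetchone()[0]
        conn.close()
        assert visible == 0  # the row is gone as far as any SQL query can tell
        # Read the raw database file the way a forensic tool would.
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("plain DELETE leaves bytes in file: ", residue_after_delete(False))
    print("secure_delete leaves bytes in file:", residue_after_delete(True))
```

The check covers only the main database file; journal files and flash-level remnants are outside what this example tests.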

Since this was no secret experiment made with the purpose of harming the giant’s reputation, the experts from ViaForensics disclosed all their findings and they’re currently collaborating on fixing the rest of the issues.

“The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet,” Google spokesperson Nathan Tyler told AmericanBanker.

“This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge.”

Finally, the researchers conclude that while Google Wallet does a decent job in protecting credit card numbers, there are still a few issues that need to be handled, especially if we consider the fact that much more detailed analysis can be done.


READER COMMENTS:


Comment #1 by: JoshuaXiong on 14 Dec 2011, 17:34 UTC

Man in the middle, not mad in the middle.
Amazon https suck also.
Mail.live.com https is really a https.

Comment #1.1 by: Eduard K on 16 Dec 2011, 15:40 GMT

Corrected! Thanks!


Comment #2 by: JoshuaXiong on 14 Dec 2011, 17:34 UTC

Yup. Amazon is false https.
