The amount of unencrypted data stored by the Google Wallet app "surpasses what we believe most consumers find acceptable," says digital forensics specialist viaForensics in a report on the security of the search giant's NFC wallet — but no access to the secure element was gained.
Digital forensics firm viaForensics has released the findings from its first analysis of the security of Google Wallet and found that a "significant" amount of data is stored unencrypted within Google Wallet.
Google, however, has pointed out that viaForensics used a rooted Android NFC phone for its tests and that no data stored within the phone's secure element was revealed. The company has, however, made a change to the Google Wallet app as a result of viaForensics' investigation.
Andrew Hoog, viaForensics' chief investigative officer, has posted a detailed report on the findings of the company's research into Google Wallet security on the viaForensics blog. There, he concludes that:
While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card).
Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you've used your card recently, last 4 digits and expiration date, I'm pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone's address), an attacker is well armed for a successful social engineer attack.
And this testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. In addition, privacy conscious consumers so understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service.
For a tech standpoint, it's very exciting to see Google Wallet in production. However, it has consistently been viaForensics' position that the largest security risk from apps using NFC do not stem from the core NFC technology but instead the apps that use the technology. In this case, the amount of unencrypted data store by Google Wallet surpasses what we believe most consumers find acceptable.
Google has issued a statement regarding the results of the viaForensics research. This points out that the data collected was from a rooted phone and makes it clear that no access to data stored on the secure element was acquired:
"The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers.
Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."