Feb 8th, 2012

A new report by Zvelo, a malware detection firm, is causing some concern around the net after researchers found a vulnerability in Google Wallet that could allow clever thieves to crack the 4-digit PIN used to secure the app. Needless to say, websites all around the world and the 4 o’clock news will most likely run with this story, crediting Android’s rise of malware applications and lack of security as the cause of this exploit.

In a proof-of-concept app, Zvelo shows how easy it would be to gain access to someone’s Google Wallet application. But here’s the thing: it’s really not that easy. A few very important criteria must first be met.

  1. You’ll have to already be using Google Wallet on an NFC-capable device.
  2. Your device must be rooted.
  3. Your device must have NO password locking your phone.
  4. You’ll need to lose your phone (duh).
  5. You’ll need to have NO security apps on your device that can remote wipe.
  6. The person who finds your phone will need to know of this Google Wallet vulnerability and how to exploit it.

As you can see, there are numerous ways to actually prevent someone from gaining unauthorized access to your Google Wallet application, starting with a simple screen lock password. In the event that you do lose your rooted phone and the device is recovered by someone who knows of this exploit — it’s basically no different than if you lost your George Costanza wallet with physical credit cards tucked inside.

Oh — and if you are using Google Wallet, now might be a good time to download an app that can remote wipe your device in the event that you lose your phone.

Market Link for Remote Wipe Apps

Of course, a device might not even need to be physically obtained in order to crack Google Wallet. A malicious app could, in theory, install something similar to the proof-of-concept app, so stay away from warez sites and always be careful what you download in the Market.

I’m curious. Has this news made any Google Wallet users wary of using the app? Anyone going to uninstall it immediately? Or does life move on as usual?