A new report by Zvelo, a malware detection firm, is causing some concern around the net after researchers found a vulnerability in Google Wallet that could allow clever thieves to crack the 4-digit PIN used to secure the app. Needless to say, websites all around the world and the 4 o’clock news will most likely run with this story, blaming the rise of Android malware and a general lack of security for this exploit.
Zvelo demonstrates in a proof-of-concept app how easy it would be to gain access to someone’s Google Wallet application, but here’s the thing: it’s really not that easy. A few very important criteria must first be met.
1. You’ll have to already be using Google Wallet on an NFC capable device.
2. Your device must be rooted.
3. Your device must have NO password locking your phone.
4. You’ll need to lose your phone (duh).
5. You’ll need to have NO security apps on your device that can remote wipe.
6. The person who finds your phone will need to know of this Google Wallet vulnerability and how to exploit it.
As you can see, there are numerous ways to actually prevent someone from gaining unauthorized access to your Google Wallet application, starting with a simple screen lock password. In the event that you do lose your rooted phone and the device is recovered by someone who knows of this exploit — it’s basically no different than if you lost your George Costanza wallet with physical credit cards tucked inside.
Oh — and if you are using Google Wallet, now might be a good time to download an app that can remote wipe your device in the event that you lose your phone.
Market Link for Remote Wipe Apps
Of course, a device might not even need to be physically obtained in order to crack Google Wallet. A malicious app could, in theory, install something similar to the proof-of-concept app, so stay away from warez sites and always be careful what you download in the Market.
I’m curious. Has this news made any Google Wallet users wary of using the app? Anyone going to uninstall it immediately? Or does life move on as usual?
I’ve had a lock screen on my phone since day one. Even if you don’t have it as an immediate one it is a good idea. This is along the same lines as having your laptop stolen with no password on it.
Computers have working password protection from local attacks?
Would a consumer still have protection from their bank? I would think so…….
I mean, technically, it’s just a virtual credit card so I would think the same protection applies… Have to look at the fine print though
I wonder if this situation, where a person pays for something with your Google Wallet (with the stolen PIN), falls under the same protection as when someone steals your wallet and swipes your card…. I’m gonna have to contact my bank and make sure…..
I can already hear Verizon saying “I told you so!”
lol..
can you hear them too?
I hear them now.
7. Find an actual place to use Google wallet.
Lmfao!!!!!
I tried to use it at 7/11 and failed 4 times and still don’t know how to use it… I’d rather swipe my credit card than unlock, open app, enter PIN, and then tap.
Best buy, McDonalds, some starbucks…
It’s in a lot of places and it’s always worked for me. All you have to do is have your screen on – no need to open the app. Then all you need to do is hold the phone over the receiver long enough for the beep. One thing that I’ve found that you need to do is make sure that there are no “pop ups” open on your home screen… like the Any.Do missed call BS window – that will keep Wallet from activating. Once it beeps it will ask for your PIN. Enter your PIN, then hold the phone back to the receiver. And presto. The cashier will look at you as if you just performed sorcery.
So far I’ve used it about 2 dozen times and it’s always worked no matter what.
That’s what I did. I turned on the screen and tapped, but nothing happened. There were no opened apps or anything on my default home screen.
Any place that accepts MasterCard PayPass
http://www.mastercard.us/cardholder-services/paypass-locator.html
People blow everything out of proportion.
Naw, it’s just these blogs needing something to write about.
Fortunately, Google Wallet can be patched to fix this exploit. My leather wallet on the other hand…
I would think having a rooted phone would expose you to this type of security issue in a lot of apps. I’m not sure Google Wallet is any different other than it does involve money transactions. If you are worried about security of the data on your phone, you aren’t going to have it rooted.
I hate Google Wallet. This is going to be the excuse carriers/manufacturers use to keep you from rooting.
Fact is that if you don’t root, there is no decent way to back up the software and data on your phone. Why Google doesn’t address this is beyond me. There should be an Acronis True Image equivalent for cell phones. They’re becoming like computers.
Ermmm…. Do you know what a Nandroid backup is?
Actually they have addressed it in ICS:
http://forum.xda-developers.com/showthread.php?t=1420351
Wow, that’s great. Thank you.
When they let you do this over wifi and/or to the sd card, I’ll be satisfied though. I never hook my device up to my computer and it seems onerous to do so each night. It should just be automatic.
Getting tired of this stupid ass fear propaganda. Seriously, what are the chances this is really gonna happen?
Stupid. The Google Wallet app doesn’t even need your PIN to complete a payment, you just need the screen to be active. What difference does it make if someone knows your PIN?
I’ve just been having trouble with Google Wallet. It seems hit or miss if it will work. I get the error “terminal detected, information may have not been sent” or something like that about half the time.
I guess most, if not all, application vulnerabilities require these criteria:
You have to use the device with the vulnerability, have no password protecting the device, have it in someone else’s hand, and no applications with remote wipe.
The person with the device has to know about the vulnerability, naturally.
So except for #2 (rooted device), any other vulnerability is “just as hard” (or “just as dangerous”) as this one.
The required root does make this one a bit less dangerous to most people. The rest is just fluff.
Another reason to not root… finding more and more every day.
I was commenting on that in response to “Your device must have NO password locking your phone.” If my laptop were stolen right now, whoever did it has 1 minute to keep the laptop open and going before it locks and a password is required to get into it. Which would be equivalent to getting into my phone to use Google Wallet.
Easy ways of mitigation:
1. Actually lock your phone.
2. Don’t have more than $20 in your Google Wallet account to begin with.
BTW, I want to see this work WITHOUT Google Wallet being unlocked.
I see this more as a way to recover my PW if my dumbass somehow forgets it. I’ve never lost my phone before……..
People steal your shit when you lose your shit?
No shit, really?….o_O?
Moral of the story?
Stop losing your shit.
As for number 6:
“6. The person who finds your phone will need to know of this Google Wallet vulnerability and how to exploit it.”
Well, they do now don’t they?
Rooting your phone just seems to have more negatives than positives.
This is stupid. It’s like saying if you lost your credit card, the person who finds it “might” use it.