Google Wallet, the company’s much-hyped mobile payments app, stores user information unencrypted, according to security firm viaForensics.
Google Wallet uses Near Field Communications (NFC) to enable users to pay for items via their phone. It was reported this week that the app will go live in the UK in time for the London 2012 Olympic Games.
However, analysis carried out by viaForensics has revealed that beyond a user’s full credit card number, pretty much everything is stored unencrypted.
The company’s analysis described the amount of unencrypted data as "significant". This means that the cardholder’s name, credit card balance, limits, expiration date, transaction dates and locations are unencrypted, potential exposing the user to fraud.
The report notes: "Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage."
"When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack," it added.
The report admits that its analysis is far from comprehensive and that more research is needed. However, it does suggest that the security risks from Google Wallet may put some consumers off.
"This testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. For a tech standpoint, it’s very exciting to see Google Wallet in production," the report states.
"However, it has consistently been viaForensics’ position that the largest security risk from apps using NFC do not stem from the core NFC technology but instead the apps that use the technology," viaForensics continued. "In this case, the amount of unencrypted data store by Google Wallet surpasses what we believe most consumers find acceptable."
UPDATE: Google has responded to the report’s findings: "The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," the company told CBR in a statement.
"Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices, " the statement added.
