After all the lengths Google went to assure us of Google Wallet's security, it turns out the mobile payments system stores a lot of unencrypted information on your smart phone's database. In fact, the app stores "pretty much everything except the first 12 digits of your credit card," according to tests. And even deleting transactions and resetting Google Wallet doesn't erase the cardholders name, card expiration date, last four card digits, or e-mail account on your phone, meaning anyone who found a lost phone and had the wherewithal to dig through its data could uncover a lot of the users personal information. "If, for example, you were going to sell your phone after using Google Wallet, I would suggest you do a complete reset of the device as you cannot rely on the reset function inside Google Wallet to sufficiently remove the data," writes ViaForensics.
Google Wallet uses NFC technology to ensure the safety of credit cards and financial information. That's not the problem with Google Wallet. Instead it's the way Google Wallet uses NFC, storing a lot of unprotected data on SQL databases. Therefore, if the phone got into the wrong hands, the new owner could access a lot of personal information off of those databases. "For example, if I know your name, when you've used your card recently, last 4 digits and expiration date, I'm pretty confident I could use the information to my advantage," writes ViaForensics. "When you add data that is generally available online (such as someone's address), an attacker is well armed for a successful social engineer attack."
But, the research isn't exactly analogous to someone finding or thieving a Google Wallet enabled phone. The researcher did all of this on a rooted phone, meaning the analyst had privileged control of the device that most thieves would not have, argues Google. "Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices," a Google spokesperson told CNET. And even with the rooted access, Google protected the most important aspect of the system: the credit card and CVV numbers.
Knowing the importance of Information security to consumers when dealing with credit card information, Google planned for the security backlash, emphasizing the built-in protections of its product when it first came out. For example, the NFC chip, the technology that make these digital payments possible, doesn't work when the screen is disabled, meaning no pocket buying or digital thievery when the phone sits unused in a purse. Google also requires a PIN to gain access to the information and authorize payments in the first place. Ad to protect against other malicious apps, Google employs "secure element," storing the encrypted data on a chip on the phone. It's like a separate computer on your phone, explains Google.
Think of the Secure Element as a separate computer, capable of running programs and storing data. The Secure Element is separate from your Android phone's memory. The chip is designed to only allow trusted programs on the Secure Element itself to access the payment credentials stored therein.
But, for those already spooked about putting credit card info onto a phone, ViaForensics doesn't find this to be enough. "In this case, the amount of unencrypted data store by Google Wallet surpasses what we believe most consumers find acceptable," writes the analyst.
This article is from the archive of our partner The Wire.