Summary of Google Wallet Security Findings

Excerpt from viaForensics blog:

December 12th, 2011 by ahoog

(Related: Gemalto Selected by ISIS to Deploy Mobile Payment and NFC Services in the U.S.)

So, in summary, here are the items of note from my high level analysis. Bear in mind this is nowhere near the level of testing an app like this deserves but since this is done on our own time, it’s all I could manage thus far. Anyway, here goes:

• A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.

• The name on the card, the expiration date, last 4 card digits and email account are all recoverable

• [Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.

• The Google Analytic tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.)

• [Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.

While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineer attack.

And this testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. In addition, privacy conscious consumers so understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service. For a tech standpoint, it’s very exciting to see Google Wallet in production. However, it has consistently been viaForensics’ position that the largest security risk from apps using NFC do not stem from the core NFC technology but instead the apps that use the technology. In this case, the amount of unencrypted data store by Google Wallet surpasses what we believe most consumers find acceptable. 

Download the Full Report

About viaForensics

viaForensics is an innovative digital forensics and security firm providing services to corporations, law firms and law enforcement/government agencies. We have published several books on mobile forensics and security and have 2 patents pending.

If you found our high level security analysis of Google Wallet interesting, you might find these related services and studies equally interesting:

  1. appSecure, viaForensics’ mobile app security service
  2. appWatchdog, our free mobile security and privacy service
  3. Mobile App Security Study, a free report on 100 popular mobile apps
  4. Mobile Security Risk Study, an 85 page paid report focusing on iPhone and Android in the Enterprise

Post your comment

Comments

  • There are many additional security layers available today, and they will ever increase with time, no doubt. But, they add a burden to the user, and so some associations/issuers just accept the fraudulent loss, on their end, with a few basis points, unless they are an aggregator with far more exposure, in order to keep the client and maintain revenue rather than lose them to another association/issuer.

    Biometric has many challenges, of course, ranging from many people without fingerprints (brick-layers, carpenters, etc.), to those that will not submit to an iris or macula scan. Parametric has similar challenges due to being forced to memorize an issued PIN, or selecting a complex protocol PIN. Bad guys will always find a way...

    I believe that the future will be fragmented with many payment options, a "life-style choice", from GrandMa and international travelers using their plastic card and ubiquitous magnetic stripe useable anywhere in the world, to niche players in eWallets and NFC, Optical, or others. I don't see any one technology dominating payments simply because there are too many vested interests in the financial transaction network, and too many user-preferred behaviors.

    Posted by Kerry, 26/12/2011 6:05pm (5 months ago)

  • Hi Michel, thanks for your sharing. Would you be so extra-kind to send us some documentation about Onlymee solution? Who is behind it and who´s pushing it, afraid I never heard of it before. Regards

    Posted by Juan Carlos, 14/12/2011 10:11am (5 months ago)

  • Thank you for sharing.
    Google Wallet is unsecure by nature. Only biometric solutions like Onlymee® can provide a secure authentication. Have a look at what they do:
    Onlymee Interactive has developed biometric authentication middleware solution called Onlymee®, based on the “ICD” patent, granted in Europe, South Africa, India and pending in the US.
    The Onlymee® application transforms secured transactions processes, with a unique mobile device that identify a person, not a device, unlike solutions which uses PIN code technologies (smart cards, RFID, NFC...).
    With Onlymee® the future needs of a secure and mobile digital economy are addressed with an integrated solution embedded into any personal mobile device, smartphones or tablet. For the B2B market, the Onlymee® solution is available to support software vendors, large retailers or banks, middleware integrators and telephone operators.
    However, the ultimate goal of Onlymee Interactive is to transform the B2C market with security software that is designed for the digital age of the mobile consumer, who demands absolute security and ease of use from any mobile device. Imagine a solution where the login/password is replaced by secure digital identity! Onlymee® delivers on this promise with solutions based on a SaaS model in the Cloud to address the truly global mobile consumer.

    Posted by Michel, 14/12/2011 10:10am (5 months ago)

  • Good preliminary review. The only good news is that the first 12 digits of the account number are not stored. I didn't see if they are used by the phone. If so, it could be an opening for a malware attack if it can get privileges needed to cross App boundaries.

    thanks for the post.

    Posted by Tom, 14/12/2011 10:10am (5 months ago)

  • Talk about opening a can of worms...

    Posted by Jeff, 14/12/2011 10:09am (5 months ago)

  • thanks for sharing the article. Would you have by chance any article that describes the architectural design of Google Wallet? Regards.

    Posted by Juan Carlos, 14/12/2011 10:09am (5 months ago)

  • That was a very interesting report.

    Posted by Richard, 14/12/2011 10:08am (5 months ago)

RSS feed for comments on this page | RSS feed for all comments

More Features

Data Center
data center2
Event Calendar
EventCalendarIcon
Country Profiles
country profiles2
Featured eBook
PYMNTSeBookAd2
Company News Center
company news center2
Media Center
media center2
Lydian Journal
lydian2
ROAM Data Newsroom
ROAMDataLogo3
MasterCard Newsroom
MasterCardLogo1Icon
Discover Newsroom
DiscoverNewNR
TSYS Newsroom
TSYSIcon
TSYS Newsroom
Follow PYMNTS.com