Google Wallet stores too much unencrypted data in a rooted device--report

ViaForensics says unprotected data on the phone could be used in a social engineering attack, but only if someone got root access to the device.

Elinor Mills Former Staff Writer
ViaForensics gives a report card of sorts to Google Wallet, noting that it securely stores passwords but doesn't encrypt other data that could be used in a social engineering attack. (Credit: ViaForensics)

Google Wallet does a good job of storing passwords but leaves part of the credit card number, the balance, and other information unencrypted, a research firm said today after testing the application on a rooted device.

Data that is stored on the device in various SQLite databases in unencrypted form also includes name on the card, the last four digits of the credit card, card limit, expiration date, transaction dates, and locations, ViaForensics said in a report titled "Forensic security analysis of Google Wallet."

In addition, the application created a recoverable image of a credit card that could provide fodder for a social engineering attack, according to the report, which was a high-level analysis of Google Wallet--"the first real payment system leveraging NFC [near field communication] on Android."

"While Google Wallet does a decent job securing your full credit cards numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card)," the report said. "Many consumers would not find it acceptable if people knew their credit card balance or limits."

The report continued: "Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you've used your card recently, last 4 digits and expiration date, I'm pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone's address), an attacker is well armed for a successful social engineer attack."

The report also noted that the name on the card, expiration date, last four card digits, and e-mail account are recoverable when the transactions are deleted or Google Wallet is reset. "This is certainly an area where Google needs to improve their functionality," the report said. "If, for example, you were going to sell your phone after using Google Wallet, I would suggest you do a complete reset of the device as you cannot rely on the reset function inside Google Wallet to sufficiently remove the data."
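The article does not say how the deleted records were recovered or what Google changed in response. One common cause of this kind of finding is that SQLite, unless `secure_delete` is enabled, marks a deleted row's space as free without overwriting it. The following Python example is added here for illustration and is not from the ViaForensics report or Google's code; the database file, table, and marker value are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a cardholder name; not real data.
MARKER = b"CONSTRUCTED-CARDHOLDER-NAME"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert a row, delete it, and report whether its bytes remain in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_example.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set explicitly: the compiled-in default differs between SQLite builds.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute(
            "CREATE TABLE cards (id INTEGER PRIMARY KEY, last4 TEXT, holder TEXT)"
        )
        rows = [
            (1, "0000", "filler-a"),
            (2, "1111", MARKER.decode()),
            (3, "2222", "filler-b"),
        ]
        conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", rows)
        conn.commit()

        conn.execute("DELETE FROM cards WHERE id = 2")
        conn.commit()

        # The application's own view: the row is gone in both modes.
        remaining = conn.execute(
            "SELECT COUNT(*) FROM cards WHERE id = 2"
        ).fetchone()[0]
        assert remaining == 0
        conn.close()

        # A reader with raw access to the file (root, in the article's scenario)
        # sees the page contents, including freed cells.
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("secure_delete OFF, deleted bytes still in file:", residue_after_delete(False))
    print("secure_delete ON,  deleted bytes still in file:", residue_after_delete(True))
```

With `secure_delete` on, SQLite overwrites freed content with zeros at delete time; data deleted earlier under the off setting is not scrubbed retroactively.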

ViaForensics found that Google Wallet successfully protected against a Man-in-the-Middle attack over Wi-Fi that was attempted at account registration and when adding a new credit card.

It's important to note that the testing was done on a rooted phone, which means the researcher had root or privileged control of the device. Even with that access, the credit card number was not accessible because it is stored in a secure element in the NXP chip.

"The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers," a Google spokesman said in a statement. "Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."

Charlie Miller, a principal research consultant at Accuvant, praised Google Wallet for storing the credit card number and other data on the secure element but said it's not impossible to imagine how someone could get root access to a phone and thus see the other data that is exposed. The owner of a phone could drop it and a stranger could pick it up and root it, or the owner could unwittingly download an app that has an exploit in it that can get root privileges, he said. "But normally an app wouldn't be able to access that data," Miller added.

The research firm disclosed its findings to Google on November 30. At least one security issue uncovered was addressed by an update, the company said.

Google Wallet, which was unveiled in May, is offered on Android-based Nexus S devices, which have an NFC chip inside. The chip allows small amounts of data to be sent over very short distances between the device and an NFC reader at the check-out stand. Google Wallet lets people pay for items and do other transactions through their phone, such as redeem coupons and earn rewards points.

Updated 5:07 p.m. PT with comment from Charlie Miller.