Google Wallet

Following the news yesterday that Google Wallet's PIN security has been cracked (for rooted users, on unsecured devices), Google has issued an official statement to clarify a few details, including who's vulnerable, and what users should do to protect themselves.  In a statement given to TheNextWeb, Google confirmed what our own Jerry Hildenbrand said in his write-up yesterday -- only rooted users are potentially vulnerable.

"The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

So again, only rooted users are at risk, and the recommendation to avoid Google Wallet use on a device with root is a sensible one. For the minority of Wallet users who are rooted, we're sure a fix will come in the days and weeks ahead. And if you're running a nice, clean stock device without any hackery of your own, you've got nothing to worry about.

Of course, news of this vulnerability will likely cause some damage to Google Wallet's reputation, at a time when Google's working hard to increase uptake of its payment method. If and when mainstream news outlets pick up this story, it'll be interesting to see whether they, like Zvelo's original press release, neglect to mention the crucial detail that a pre-rooted device is required.

Source: TheNextWeb

 
There are 35 comments

zer0vette says:

eh, i'm willing to take the chance. It's the same as losing my real wallet.

Unibrow says:

This doesn't really sound like great advice, couldn't someone that gains access to your device just root it themselves? If they are sophisticated enough to hack and brute force your phone certainly they'd be more than able to root your device themselves. Seems like the best thing to do is have a pin to access the phone.

manoller says:

Rooting the phone requires that you un-lock the boot loader. Android requires a compete factory reset to un-lock the boot loader..... All the research I've indicates that there is no other way around it.

kennonk says:

Unless you buy a good phone like the Galaxy S, S2, Nexus or most other Samsung Android phones that do not have locked bootloaders out of the box.

alangerow says:

No, they come with a locked bootloader, it's just REALLY easy to unlock. Like by booting into Fastboot:
adb reboot bootloader
And then:
fastboot oem unlock

That's how you unlock the bootloader for a Samsung Galaxy Nexus. So, it comes locked, it's just trivial to unlock. But still completely wipes the phone in the process.

jm9843 says:

Every Android device ships with a locked bootloader. What differentiates them is:

Factory unlockable = Awesome (Nexus One, Nexus S, Galaxy Nexus, Xoom)
Supported unlock with tool = Great (http://www.htcdev.com/bootloader/, http://unlockbootloader.sonyericsson.com/)
Not supported unlock w/ unencrypted bootloader = Okay. (HTC Evo)
Not supported unlock w/ encrypted bootloader = Sucks. (Motorola Droid X)

itch808 says:

EVERY phone has a locked bootloader. I have a Gnex, it's just incredibly easy to unlock without any sort of "hack" to find. Still, unlocking ANY bootloader completely wipes a phone and therefore Gwallet too.

Google's response is legitimate.

movielover76 says:

That is a nexus device, using a manufacturer unlock, do you know how many samsung and htc phones can be rooted by running a small script app made by a dev, my first samsung phone only required that I put a small file on the sdcard and reboot, all data stays intact, I rooted my t-bolt the old fashion way, but the new revolutionary root doesn't wipe data.

Also rooting a phone != unlocking the bootloader, you can root a phone and still have a locked bootloader, you just can't flash any roms other than stock in that case.

animejay says:

My Vibrant didn't have a locked bootloader. Before I knew about locked bootloaders, i had rooted and installed a ROM on it.

cyanogen-man says:

SIM LOCK PEOPLE BRUTE FORCING IT REQUIRES TOO MANY TRIES SIM LOCKS WILL FRY THE PHONE RATHER PAY 120 FOR AN INSSURANCE CLAIM THEN TO HAVE MY WHOLE PAY CHECK GONE BC I GET OAID ON A DEBIT CARD AND I WOULD BE SCREWED OH IM WORRY SOMEONE STOLE MY PHONE HACKED MY GOOGLE ACCOUNT AND TOOK ALL MY MONEY WHAT YOUR TAKING MY INSURRANCE AND MY TRUCK??? NOOOOOOOOOOOOOOOOOOOOOOOOOO

Unibrow says:

simple solution, don't leave your house. Problem fixed.

graffixnyc says:

Do you want to try that again?? In English this time maybe?

Oh my goodness, someone turned his caps lock key on and then stole it so it couldn't be reversed. Help this person!

mclifford82 says:

Another vulnerability of installing Google Wallet on rooted phones is that it permanently turns on capslock mode. Be warned.

vicw926a4 says:

And don't ever hand over your credit card to a hotel clerk or waitperson if you want zero exposure.

Dan29466 says:

Take personal responsibility for your actions.

If you make the decision to put financial data on your phone, then pretend that you're an adult and take basic steps to protect that information.
- turn on the lock screen
- turn off USB debugging
- use disk encryption

It's not that tough.

The only funds I have on wallet is the Google wallet $10 they have us. I won't put any personal account money on it.

Am I in risk?

cowbutt says:

Sounds like BS to me. What's to stop a bit of malware packaging the zergRush ( http://forum.xda-developers.com/showthread.php?t=1296916 ) or mempodroid ( https://github.com/saurik/mempodroid ) exploits to root the user's phone before they attempt to steal details from Google Wallet (cf. the DroidDream malware using the rageagainstthecage exploit to gain root before delivering its payload)?

OK, maybe Google's bouncer might find such malware if it was on the Google Market, but it wouldn't if it were to download it from a third party site.

coraphise says:

That goes back to being responsible; if you're installing apps off a third-party site, who's choice is that exactly?

And if you're doing that, why aren't you running scanners to make sure the app is safe before you put it on your rooted phone with Google Wallet?

Viper says:

This whole thing is ridiculous anyway. Even if you have Google Wallet installed on a rooted phone, it is STILL safer than carrying a credit card in your wallet. Everyone is so dang reactionary when it comes to this crap. And besides, if you are rooted then you are probably savvy enough to install an app that will allow you to remotely wipe the phone. If people want to put their financial info on their phone then it is their responsibility to protect it. End of story.

Dirrk says:

As I said yesterday, use two step verification with your gmail account and if you ever loose your phone revoke your phones access. This takes all of 5 seconds.

alangerow says:

And handing complete strangers a piece of plastic with all my reusable credit card information embossed on it in plain text (with a required display version of my signature) is MORE secure?!

animejay says:

The only time in recent years I've had an issue was after I went to a zoo and had to give someone my CC. While trying to keep my son from running around, they stole my number and used it.

JEvoUser says:

What's to stop someone from stealing your phone from rooting it than grabbing the pin afterwards. Just a random thought, still there is no 100% safe anything in this world so I don't see this as a big deal. Since it is just as easy to loose wallet not like poeple check I'D anyways :-)

Kevin949 says:

Add someone said earlier, to root a phone it requires a phone wipe, so there is no getting anything if you're not already rooted with the app in use.

JEvoUser says:

That's funny because I rooted my EVO via unrevocked and didn't loose any data. I think it depends on the phone and the method.

aleis says:

Remote locate..lock WIPE!
and its free. stop being like that.
this is going to be the case with any mobile wallet. yet it is STILL more safe than a credit card.

frogskins says:

If someone takes my phone, they can have the $1.52 I have on my Google pre-paid card.

JeffDenver says:

Why would non-rooted make a difference? Couldnt someone who stole your phone just root it themselves and then hack the PIN anyway?

As others have pointed out, you have to unlock your bootloader before you can root your phone. Unlocking the bootloader wipes the information that was previously on your phone.

mikebutler83 says:

It would be cool to use Face Unlock instead of a Pin

cowbutt says:

It depends on the handset as to whether rooting requires a wipe first, or unlocking the bootloader, especially if the malware doesn't plan on *keeping* root after it's stolen your details. Certainly I've been able to root my HTC Hero running 2.1 (Using Universal Androot), and my Samsung Galaxy S II running 2.3.5 (using zergRush) *without* having to wipe them, or replace the kernel with an insecure kernel. mempodroid will similarly root ICS for now, and I'm sure new kernel exploits will be found in future Android kernels.

It would still be simpler to just knock the guy out and take his actual wallet than trying to brute-force your way into Google Wallet.

However, that is pretty half-assed response on Google's part. "Just don't root your device" sounds almost as bad as Jerry's "just buy a Nexus" during the whole Carrier IQ fiasco.

XXXdc5 says:

Thank you internet for letting me know that if my phone gets hacked...I could lose personaly information.....-______________________-

OMFGGG NO S***!!!

alemiser says:

Found an article that says no rooting is necessary.
http://www.helloandroid.com/content/google-wallets-pin-verification-crac...