Following the news yesterday that Google Wallet's PIN security has been cracked (for rooted users, on unsecured devices), Google has issued an official statement to clarify a few details, including who's vulnerable, and what users should do to protect themselves. In a statement given to TheNextWeb, Google confirmed what our own Jerry Hildenbrand said in his write-up yesterday -- only rooted users are potentially vulnerable.
"The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
"We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
So again, only rooted users are at risk, and the recommendation to avoid Google Wallet use on a device with root is a sensible one. For the minority of Wallet users who are rooted, we're sure a fix will come in the days and weeks ahead. And if you're running a nice, clean stock device without any hackery of your own, you've got nothing to worry about.
Of course, news of this vulnerability will likely cause some damage to Google Wallet's reputation, at a time when Google's working hard to increase uptake of its payment method. If and when mainstream news outlets pick up this story, it'll be interesting to see whether they, like Zvelo's original press release, neglect to mention the crucial detail that a pre-rooted device is required.