Google Play Store PINs Not Quite Secure
Here at XDA, we try to keep you apprised of the most recent workarounds and hacks. In most cases, it’s something like unlocking a bootloader that should never have been locked. However, in other cases, it’s an issue we share to help you protect yourself.
XDA Recognized Themer zanderman112 has written about an issue that could compromise your security on the Google Play Store. As zanderman112 explains:
On the Play Store app, you can choose to add a PIN number, and make this PIN be required to make purchases.
This is a good idea, as we don’t want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned PIN number is stored locally on the device, whilst the credit card info is connected to your Google account, and obviously your carrier billing options are stored online.
All someone has to do to be able to make purchases on a supposedly secure Play Store is go to Settings>Applications>All>Google Play Store and click clear data. No more PIN.
That’s quite the security hole. Thankfully, the issue has already been reported directly to Google. Some are even offering up suggestions on how to fix the problem, like storing the PIN online along with your payment info. For now, though, it is not a good idea to depend on the Play Store PIN to keep your info safe. Until a fix has been made, you should look into other ways of securing your device, such as a device-unlock PIN (with ADB disabled when not in use).
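The suggested fix above, keeping the PIN check online with the payment info, sketched as an added example (not Google's or the Play Store's code): wiping app-local data leaves the purchase gate intact because the server holds the verifier and makes the decision. `PurchaseServer`, `StoreClient`, the lockout threshold and the sample account are hypothetical.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # assumed lockout threshold; a 4-digit PIN needs one

class PurchaseServer:
    """Hypothetical account backend: the PIN verifier lives with the payment info."""
    def __init__(self):
        self._accounts = {}  # account id -> salt, verifier, failure count

    @staticmethod
    def _derive(pin, salt):
        # Salted, slow hash so the stored verifier is not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, account, pin):
        salt = os.urandom(16)
        self._accounts[account] = {
            "salt": salt, "verifier": self._derive(pin, salt), "failures": 0}

    def authorize_purchase(self, account, pin):
        rec = self._accounts[account]
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison of the derived value against the verifier.
        if hmac.compare_digest(self._derive(pin, rec["salt"]), rec["verifier"]):
            rec["failures"] = 0
            return "approved"
        rec["failures"] += 1
        return "denied"

class StoreClient:
    """Hypothetical store app: holds only disposable UI state on the device."""
    def __init__(self, server, account):
        self.server, self.account = server, account
        self.local_data = {"pin_prompt_enabled": True}

    def clear_data(self):
        self.local_data = {}  # models clearing the app's local data

    def buy(self, pin):
        # The client never decides; it forwards the PIN and the server enforces it.
        return self.server.authorize_purchase(self.account, pin)

def demo():
    server = PurchaseServer()
    server.set_pin("user@example.com", "4821")  # constructed sample values
    client = StoreClient(server, "user@example.com")
    client.clear_data()
    return client.buy(""), client.buy("4821")
```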
For additional information and discussion, you can go to the discussion thread.