Ian Stacy · Feb 9, 2012 at 04:00 pm

Google Wallet PIN Vulnerability Discovered

Google Wallet is all over the headlines lately, first with its release on the Verizon network with the Galaxy Nexus and then with its release on the AT&T network with the Samsung Galaxy S II. Sprint and T-Mobile users have even been able to sideload the Google Wallet app on their respective variants of the Nexus S.

The app itself relies on the device's NFC chip to communicate with non-contact payment stations, like Mastercard’s PayPass. Google Wallet stores your credit card information, allowing you to make in-store purchases with a swipe of your phone. Since the information on the chip can be accessed without direct contact, several security measures were put in place to protect users. A four-digit PIN is required to make purchases with the app, adding an additional layer of security. XDA Member and zvelo employee miasma discovered a flaw in the PIN system, allowing retrieval of credit card information. viaForensics, a company specializing in proactive forensic security (software hacking with the goal of reporting flaws and protecting users), also helped to demonstrate the exploit, proving that the process could be repeated on other devices.

Multiple problem areas were identified, but the biggest was in how the PIN is stored. The PIN is kept in the app data as a hex-encoded SHA256 hash. Because the PIN is known to be 4 digits, viaForensics’ calculations show that a brute-force attack would take, at most, calculating 10,000 SHA256 hashes. This takes little effort, and both miasma and Google have been able to compromise the PIN security in private tests.
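The sketch below is an added example, not code from the article, zvelo, viaForensics or Google. It counts how many guesses it takes to match a stored 4-digit PIN verifier, and shows that a salt kept beside the hash or a slower KDF changes only the cost per guess, never the 10,000-guess ceiling. The salt value, the function names and the PBKDF2 comparison are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; the article does not say whether a salt is used


def sha256_verifier(pin: str, salt: bytes = SALT) -> str:
    """Hex-encoded SHA256 of salt + PIN: the storage form the article describes."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def pbkdf2_verifier(pin: str, salt: bytes = SALT, rounds: int = 1000) -> str:
    """A slow KDF for comparison: it raises the cost per guess, not the number of guesses."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds).hex()


def guesses_to_match(stored: str, derive, digits: int = 4):
    """Walk the PIN keyspace in order; return (pin, guesses) or (None, keyspace size)."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(derive(candidate), stored):
            return candidate, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    # Constructed sample PINs: first, middle and last positions in the keyspace.
    for pin in ("0000", "4821", "9999"):
        print(pin, guesses_to_match(sha256_verifier(pin), sha256_verifier))
    # Same search against the slow KDF: still bounded by 10,000 guesses.
    print(guesses_to_match(pbkdf2_verifier("0042"), pbkdf2_verifier))
```

Whatever function produces the verifier, anyone who can read it from app data can test every PIN offline, so the protection has to come from where the check runs and how attempts are limited rather than from the hash.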

Rooted users take note: the security flaw can only be exploited on phones with root privileges. Google has acknowledged the flaw and is working on a fix. In order to perform this attack, a hacker would have to have physical access to your phone, so until a fix is published, users can ensure their safety by keeping their device within reach. As always, for the security of your phone, stay up to date with the latest software. Don’t forget to keep your phone secure with a lockscreen pattern, PIN or password (or face unlock if your device supports it).

To see the exploit in action, check out the video here. The original thread announcing the vulnerabilities can be found here. Google is working with the banks and card companies involved to make Google Wallet more secure and to patch this security flaw, so hopefully we’ll see some updates soon. Until then, keep those NFC-enabled phones within reach at all times!



Ian Stacy is an editor on XDA-Developers, the largest community for Android users.