Google Security Engineer Explains Issues With Root and Android Pay in the XDA Forums
A forum member who has been confirmed to be a Security Engineer working for Google out of Mountain View has joined XDA to discuss the issues with Android Pay on rooted devices and why it will not work, and has confirmed that Google is listening to your feedback. Regarding root access and Android Pay, he said this:
“Android users who root their devices are among our most ardent fans and when this group speaks, we listen. A few of us around Google have been listening to threads like this one and we know that you’re disappointed in us. I’m a security engineer who works on Android Pay and so this thread struck me particularly hard. I wanted to reach out to you all and tell you that we hear you.
Google is absolutely committed to keeping Android open and that means encouraging developer builds. While the platform can and should continue to thrive as a developer-friendly environment, there are a handful of applications (that are not part of the platform) where we have to ensure that the security model of Android is intact.
That “ensuring” is done by Android Pay and even third-party applications through the SafetyNet API. As you all might imagine, when payment credentials and–by proxy–real money are involved, security people like me get extra nervous. I and my counterparts in the payments industry took a long, hard look at how to make sure that Android Pay is running on a device that has a well documented set of APIs and a well understood security model.
We concluded that the only way to do this for Android Pay was to ensure that the Android device passes the compatibility test suite–which includes checks for the security model. The earlier Google Wallet tap-and-pay service was structured differently and gave Wallet the ability to independently evaluate the risk of every transaction before payment authorization. In contrast, in Android Pay, we work with payment networks and banks to tokenize your actual card information and only pass this token info to the merchant. The merchant then clears these transactions like traditional card purchases. I know that many of you are experts and power users but it is important to note that we don’t really have a good way to articulate the security nuances of a particular developer device to the entire payments ecosystem or to determine whether you personally might have taken particular countermeasures against attacks–indeed many would not have.” – jasondclinton_google
Replying to the possibility that this meant support for rooted devices may one day come, Jason stated: “I don’t know of any way to currently or in the near future make an assertion that a particular app’s data store is secure on a non-CTS compatible device. As such, for now, the answer is “no””. Replying to one user’s statement that if he had to choose between root and Android Pay, he would choose root, Jason gave his sympathies and claimed that he wished it were possible to achieve root functionality without actually rooting. He has also taken feedback regarding placing a warning in the Play Store stating that the app will not work on rooted devices.
Unfortunately, it has been confirmed that any non-official build will fail to pass SafetyNet because the system image is not the one expected. He continued: “One way of thinking about this is that the signature can be used as a proxy for previous CTS passing status. (If we were to scan every file and phone device enumerated by the kernel to infer what environment we are running on, we’d bog down your device for tens of minutes.) So, we start with the CTS status inferred by a production image signature and then go about looking for things that don’t look right. This community has identified quite a few of the things that we are looking at, already: presence of ‘su’, for example.” – jasondclinton_google
He will continue to monitor related threads regarding Android Pay on XDA. He cannot promise to reply to all comments, but will certainly be listening. To keep up to date with his comments in the thread, check here. It’s a step in the right direction: now that we know they are listening and taking constructive feedback in, we will hopefully see more discussion between Google’s staff and forum members.