DecryptedTech

Saturday28 January 2023

Another Flaw Found in Google Wallet... Back in 2011


Reading time is around minutes.

News_manstealingdataOk this one goes in the books for being really foolish of Google. Remember how we told you that cutting corners in the coding of Google Wallet allowed a crafty hacker to read the binary data and get your PIN? Well today there is even worse news about the mobile payment application. The new flaw is almost a basic flaw in the OS as well as an application flaw. What’s worse is that this is so simple it does not even count as a hack… and you do not have to have a rooted phone to pull this off.

Inside every Android phone is the ability to reset or clear all application data. This is nice as it can remove some hanging items or even clear out corrupted information (I have had to do this for the Market more than once). Well if you do this on Google Wallet is clears the PIN, but not the pre-paid card associated with the application.

The problem is that while the PIN is stored in a SLQite3 data base inside the Wallet application the card information is stored in encrypted format inside the phones CE. This means that when you clear the application, you are only clearing the SQLite3 Database and not the CE. This is a HUGE (pronounce that monumental) error on Google’s part and is something that should have been caught before the application was launched. Our guess is that because any added credit card information is cleared that was good enough for Google.

Google has responded with a phone number to call 855-492-5538 if your phone is lost or stolen, or you plan on giving to someone else. This seems to indicate that even a factory wipe of the phone might not clear the data in the CE on the phone (which is again why we feel this is both an OS and an Application flaw). When you call Google will disable the prepaid card data associated with the Phone which will prevent its use. There is no word on if someone can setup a new card for use on the phone or if the CE is now permanently associated with that original account. If the latter is the case there is some serious rework that needs to be done on this application and the hardware used before this one is ready for the market. It also raises serious concern about any added credit card data; is this stored in the SQLite3 database and if it is how easy it would be for anyone stealing or finding a phone to get at that data.

The sad part about all of this is that this flaw was actually originally posted in December (on the 26th) on the XDA developers forum and here we are over a month later and all Google has is a phone number. Google does recommend that you use a passcode to unlock your phone to help slow down or prevent casual use of Google Wallet in the event of a lost or stolen phone.

Discuss this in our Forum

Last modified on Friday, 10 February 2012 08:15

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.