If you missed the story from yesterday about a security vulnerability in Google Wallet for rooted users, please check it out here. For those that are up to speed, we wanted to make sure you saw Google’s statement to The Next Web, which acknowledges that this issue exists only on rooted phones. Not to downplay yesterday’s report, but again, this really only applies to those that root their phone, leave it unprotected up front at the lock screen, and then lose it or have it stolen. The chances of all three of those things happening are pretty slim, let alone expecting the person that steals it to know about zVelo’s secret PIN-collecting app. Just sayin’.
Here is the full statement:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
Issue addressed, although we aren’t seeing any mention of a fix as was suggested by zVelo yesterday.
In related news, another story has popped up today which suggests that Google Wallet is vulnerable even if you aren’t rooted. In a way, this report is correct. If you have Wallet installed, you can open its application settings page and tap “Clear data”. The next time you open it, you will be asked to set up the app again, including a new PIN. If you then select a Google Prepaid card, it will add the card that was previously associated with the Gmail account selected and the device’s ID. So in theory, someone could steal your phone, clear data on the app, re-launch it and access the funds you have added to a Google Prepaid Card. Sounds bad, right?
For the third time, this only affects those that have had their phone stolen or lost and had chosen to leave it without protection up front. But we should also point out that clearing data on the app won’t allow the thief to access any of your credit cards that have been previously added. If data is cleared on the app, all credit cards need to be set back up as you did in the beginning. So the only thing vulnerable here is Google Prepaid funds that are attached to your Google account.
And remember that each time you set up Wallet and add a prepaid card, an email is sent to your Gmail account. So if you lose your phone and see a new Wallet email, you would want to call and have the service shut down on your phone so that your funds are preserved. Most of you would probably do this anyway if your phone was jacked.
I know it sounds like I am downplaying both issues, but they really aren’t all that scary and are issues that would arise if any phone was stolen, let alone one that has access to Google Wallet. They make great headlines though.