In September Google released their new Google Wallet, an Android app designed to take advantage of the near-field communication technology that is present in an increasing number of Android-based smartphones. The app stores usernames, passwords, and credit card data in order to allow users to pay for transactions in physical stores by swiping their phones in front of NFC-enabled readers like those compatible with MasterCard’s PayPass service.
Last week, however, reports surfaced that Verizon would not be allowing Google Wallet on the Google Nexus phones it sells. The announcement created a storm of controversy, which Verizon tried to quell by releasing a vaguely worded statement citing nebulous security concerns. Speculation at the time was that Verizon was blocking the app in order to buy time for ISIS, an NFC payment system being launched as a joint venture of Verizon, AT&T, and T-Mobile. It remains unclear whether AT&T and T-Mobile, which are also due to get the Google Nexus, will allow the app on their devices.
Now, however, it looks as though the security concerns cited by Verizon - whether they are the company’s real reason for blocking Google Wallet or not - may have some validity. Digital forensics and security company ViaForensics released the results of a study yesterday into the security of Google Wallet. The company conducted a detailed analysis of the data stored and sent by the app. The analysis found several grave security concerns in terms of the information the app stores. Although the app does encrypt credit card numbers, it stores a surprising amount of data in unsecured format. Credit card balances, expiration dates, credit limits, transaction history (including location) and more. It also stores the cardholder’s name, email address, and the last four digits of the card number. It also publishes a considerable amount of data to Google Analytics, in a way that the study found could be intercepted.
The study concludes that Google Wallet does a fair job of keeping certain information secure - namely, credit card numbers. All the other data stored by the app, however, “pretty much everything except the first 12 digits of your credit card,” is stored unencrypted on the phone. The amount of data that is kept unencrypted is enough that “an attacker is well armed for a social engineering attack.”
The report concludes that further, more in-depth security analysis of the software is warranted. While the author expresses excitement about the potential of NFC technology, he also says that “the amount of unencrypted data store[d] by Google Wallet surpasses what we believe most consumers find acceptable.”