You’ve probably already seen the recently exposed vulnerability in the Google Wallet app that allows a thief to recover your PIN code if you’re running a rooted version of Android. The attack still works after the PIN or password is changed, but again, only on rooted devices. After The Next Web picked up the story from the original source, Google itself responded, though with little to say about an actual resolution. Essentially, Google reminds users that a stock phone cannot be attacked in this manner, and recommends that root users refrain from installing Google Wallet at all.
Here’s the full text of their reply:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN. We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
That’s a disappointing answer, but not an unexpected one. When you unlock or root a device, you’re always running at least some kind of risk, to your hardware, your software, and even your personal data. The possibility that 1) your rooted phone gets stolen by 2) someone with the technical knowledge to pull off a similar attack who 3) also knows both that your banking information is on the phone and that it can be retrieved is remote, to say the least. Considering the low adoption of NFC payment systems, especially in the US, it would seem that root users just need to do without for now.
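The article doesn’t say how the PIN is actually recovered from a rooted phone, but the reasoning above (root exposes data that a stock phone keeps private; the thief needs technical knowledge; changing the PIN doesn’t help) rests on one general fact worth seeing concretely: a 4-digit PIN has only 10,000 possible values, so once whatever the app stores to check it (a hash, say) can be copied off the device, every candidate can be tried offline in milliseconds, and a freshly changed PIN falls to the same loop. The following is an added example written for this page, not code from the article, Google or zvelo. It models a hypothetical app that stores sha256(salt || PIN) in a local record that root can read, cracks that record, and contrasts it with a verifier that keeps the record out of reach and locks after a few failures, which is the property a tamper-resistant secure element provides. The record format, the salt, the sample PIN 7349 and all function names are constructed for the illustration.

```python
"""Added example (not from the article, Google or zvelo): why a 4-digit PIN
whose stored verifier can be copied off a rooted device is effectively no
protection, and what a verifier that resists this looks like."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit PIN: 0000 .. 9999


def make_record(pin: str) -> dict:
    """Constructed stand-in for a hypothetical app's on-disk PIN record:
    a random salt plus sha256(salt || pin). With root, an attacker can read
    this record; without root, app-private storage keeps it out of reach."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hashlib.sha256(salt + pin.encode()).digest()}


def crack_pin(record: dict) -> Tuple[Optional[str], int]:
    """Offline brute force: try all 10,000 PINs against the copied record.
    Returns (pin, number of hashes computed). Changing the PIN only produces
    a new record that falls to the same loop just as quickly."""
    for guess in range(PIN_SPACE):
        pin = f"{guess:04d}"
        if hashlib.sha256(record["salt"] + pin.encode()).digest() == record["hash"]:
            return pin, guess + 1
    return None, PIN_SPACE


class LockedVerifier:
    """Models a verifier the attacker cannot copy (the role a secure element
    plays): the record never leaves this object, and it locks permanently
    after MAX_FAILURES wrong guesses, so the 10,000-guess search is cut off."""

    MAX_FAILURES = 5

    def __init__(self, pin: str) -> None:
        self._record = make_record(pin)
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        expected = self._record["hash"]
        actual = hashlib.sha256(self._record["salt"] + candidate.encode()).digest()
        if hmac.compare_digest(actual, expected):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def online_attack(verifier: LockedVerifier) -> Tuple[Optional[str], int]:
    """The same search, but through the verifier's interface instead of
    against a copied record. Returns (pin or None, guesses submitted)."""
    for guess in range(PIN_SPACE):
        if verifier.locked:
            return None, guess
        pin = f"{guess:04d}"
        if verifier.verify(pin):
            return pin, guess + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    record = make_record("7349")  # constructed sample PIN
    print("offline crack:", crack_pin(record))  # ('7349', 7350)
    print("through locked verifier:", online_attack(LockedVerifier("7349")))  # (None, 5)
```

The offline loop finishes in well under a second on a phone, which is why the “technical knowledge” hurdle in the paragraph above is low once root is available and why Google’s advice reduces to keeping the record unreadable in the first place. The stronger fix, verifying the PIN inside something the attacker cannot copy, is what the lockout verifier models; Google’s statement above does not address it.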
This isn’t the first time that Google has essentially ignored the considerable percentage of Android users who root: there’s still no way to legally watch movies or TV shows downloaded from the Android Market on a rooted device. While this is thought to be a measure insisted upon by the various entertainment studios, that doesn’t make the refusal of service any less annoying. Even so, it’s not Google’s responsibility to cover every contingency of every Android modification: if you modify the software on your phone or tablet, you’re responsible for any change in functionality or security. That seems like a reasonable position, if at times a frustrating one.
NFC payments will be going mainstream before we know it. There was an article in the Salt Lake Tribune today stating that Isis will soon be starting its trial here and in Austin, Texas, with carriers and credit card companies offering merchants incentives to install NFC-compatible machines in their businesses. They are also asking individuals to start paying with their mobile phones or these smart cards. After the trial run, it’s likely that it would open up to other markets. I don’t think there’s a way they can exclude Google Wallet from being used with these.
I’m sorry, but I think Google’s response is exactly what it should be. The moment you root your phone, you’re on your own. Your warranty is voided, and so is the consumer protection you would expect from using a stock device with the software it comes with by default. I don’t think Google should be responsible for rooted devices. There are far too many ROMs and kernels to support. NFC payment is a new technology, already as secure as other forms of payment. You root it, you risk it.
If someone were to steal my phone, they can just root it themselves… Right?