So there’s some considerable hubbub surrounding Google Wallet at the moment, after an independent security researcher was able to create a rooted app that bypasses the PIN lock in the software. You can see Google’s official response just a few stories down. But now another party, the self-styled Smartphone Champ, has discovered another way to get into a private Google Wallet account, no root required. Technically this is more of a lopphole than a crack, if only because it uses Android’s default setting to achieve access.
The gist is that all you need to do to wipe the security PIN is to delete the app’s stored data via the Settings menu, essentially resetting it to the state it was in when you downloaded it from the Android Market. This is a common Android function and is even recommended sometimes when an app is misbehaving. Wipe the data, re-launch the app, and you (or anyone who has your phone) can access Wallet, associate it with your Google account (without entering a password) and set up a new PIN. Then they can spend the money at any online or retail store that accepts Google Wallet – all without root.
Watch as Hashim demonstrates:
This is a much bigger problem than the previous leak, because anyone with physical access to your phone has the ability to do this quickly and easily. The problem lies with Google Wallet’s authentication system: though funds are added into your account and virtually “kept” by Google, the authentication is linked to a single device, not your account. Compare this with any banking app, which keeps your account password connected to your username. Odds are overwhelming that Google will address this loophole very soon. In the meantime, the best way to stay protected while using Google Wallet is to set up a PIN or lock pattern on your device itself – without the PIN or pattern, a thief would have to completely wipe your phone to access any apps or data.[via 9to5Google, via AndroidandMe]