Oh boy. After taking considerable heat from the privacy and security community over cracks in Google Wallet, the company updated the NFC payment app to close a security loophole. That apparently didn’t do anything to close the vulnerability for rooted devices, discovered in February. Instead of addressing the problem for rooted phones, Google seems to be sticking by its recommendation that rooted users not install Google Wallet. In a fit of expediency, the company is making sure that root users know its position: Google Wallet now displays an “unsupported device” warning message when run on a rooted phone.

Tap the link in the warning message, and you get a brief explanation of the root vulnerability and Google’s strong admonition that you avoid using the app on your phone. It’s pretty good advice, too: given a set of admittedly unlikely circumstances, it’s possible that a thief could gain access to all of the funds stored in your Google Wallet account. Granted, said thief would have to know that you had the app, understand the nature of rooted Android and then find and execute the exploit, but hey – better safe than sorry.

Some may take exception to Google’s approach, insisting that the company has a responsibility to support all Android users. We respectfully disagree. When you root your Android phone or tablet, you’re taking control of the software away from Google, the manufacturer and the carrier – at that point, you take the responsibility as well. Though Android doesn’t come with any explicit or implicit warranty, and neither does Google Wallet, you can consider yourself warned at this point. If you don’t feel safe using Google Wallet, pull out your real one and pay the old-fashioned way.

[via Droid-Life]

5 COMMENTS

  1. Google needs to fix its security holes. Not just say to rooted users, use at your own risk.

    Eventually someone is going to figure out how to exploit this security hole on non-rooted phones as well.

    Half of the Nexus community is rooted phones. Google needs to do a better job.

    • You should really go and read up on how Google Wallet works. By rooting your phone you are (potentially) undoing all the security that the operating system has built in. The secure element on your phone provides a trusted execution environment when making transactions, BUT there has to be some communication down from applications to this device to pass user authorization (e.g. PINs). This is restricted firstly by an APK gaining the appropriate permission, AND by a ‘whitelist’ file of applications that are allowed to acquire this permission. On a rooted phone, a nefarious APK could come and change this whitelist file and so start to do evil things.

      Google’s main line of defence and what it should be (and is) working on, therefore, should be stopping the kind of loopholes that give applications root without the user’s knowledge. Obviously most people who root use something like Superuser, which allows people to grant/deny access to root. BUT Google has no control over this, hence the warning in the Wallet application.
