Hackers Mug Google's Wallet App on Rooted Android Devices

From DailyTech: Near field communications (NFC) technology has been around overseas for over half a decade now, but it's finally jumping from the Asian market to the United States. The technology allows you to wave your smartphone over readers to pay for anything from gas to groceries.

One of the key players in this emerging market is Google Inc. (GOOG). Of the major phone OS platform makers, Google has pushed the hardest to deeply integrate NFC. In May 2011 it announced a new payment app/service called "Google Wallet", which it launched in Nov. 2011.

Now a zero-day vulnerability -- discovered by Josh Rubin, et al. (presumably no relation to Android chief Andy Rubin) of the hacker site zvelo -- is raising concerns that it may be easy to digitally "mug" some Google Wallet users. The issue, it turns out, is that the open-source code of Google's Wallet app reveals the crux of its security -- a hex-encoded SHA-256 hash of a 4-digit PIN. SHA-256 is typically a pretty good hash function, but when you're dealing with a four-character numeric sequence, it's almost as crackable by brute-force attack as traditional MD5 passwords.
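The following is an added illustration, not code from the original article, zvelo, or Google. It shows why the size of the PIN space, not the strength of SHA-256, bounds the work once the stored hash is readable, and how counting failed attempts changes that. The salt value, the "salt || PIN" layout, and the `AttemptLimitedVerifier` class are assumptions made up for the demo.

```python
import hashlib
import hmac

# Constructed demo values: the salt and the "salt || PIN" layout are assumptions,
# not the format Google Wallet actually used.
SALT = b"constructed-demo-salt"
PIN_SPACE = 10 ** 4  # every 4-digit numeric PIN, 0000-9999


def pin_hash(pin: str, salt: bytes = SALT) -> str:
    """Hex-encoded SHA-256 over salt || PIN."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def exhaust_pin_space(stored_hex: str, salt: bytes = SALT):
    """Walk the whole keyspace; return (pin, candidates_tried)."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(pin_hash(candidate, salt), stored_hex):
            return candidate, n + 1
    return None, PIN_SPACE


class AttemptLimitedVerifier:
    """Hypothetical mitigation: the hash stays behind an interface that
    counts failures, so the 10,000-entry space cannot be walked offline."""

    def __init__(self, stored_hex: str, max_failures: int = 5):
        self._stored = stored_hex
        self._max = max_failures
        self.failures = 0

    def verify(self, pin: str) -> bool:
        if self.failures >= self._max:
            raise PermissionError("locked after too many wrong PINs")
        ok = hmac.compare_digest(pin_hash(pin), self._stored)
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    stored = pin_hash("4821")  # constructed sample PIN
    print(exhaust_pin_space(stored))
```

A salt does not help here because it is stored next to the hash; only keeping the hash unreadable and limiting attempts removes the offline search.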

Google has responded, saying it is working to plug the hole. The company emphasizes that (for now) only rooted phone users are at risk. It states, "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

On normal phones the files involved are protected both by the sandboxing (requiring permissions to access the file system) and by visibility restrictions. Much like Carrier IQ's files, a normal file browser app cannot "see" the encrypted file on an unrooted device -- it's hidden.

That said, there are many rooted devices in the wild, including those owned by many developers. Zvelo says that rooted users can protect themselves somewhat by avoiding apps with suspicious permissions, enabling lock-screen protection, keeping their installed Android version up-to-date, and turning on full-disk encryption.
