A “significant” amount of unencrypted data puts Android phone users at risk, the researchers say.
Google's highly anticipated mobile payment application for in-store purchases keeps certain sensitive information about its users in plain text, including user names, transaction dates, e-mail addresses and buyers' account balances, according to a study published today.
Researchers at viaForensics tested the security of Google Wallet, a system that lets consumers pay with credit cards, buy gift cards and use store loyalty memberships from their phones, on rooted Android smartphones and found that the application keeps sensitive information unencrypted. Although Google Wallet hides the full credit card account number, the last four digits are stored in plain text in the application's local SQLite database.
The good news, according to viaForensics, is that the application successfully resists “man in the middle” attacks and is protected by a PIN code when cards are used.
But the application's SQLite database, resident on the Android phone, contains the credit card balance and limit, expiration date, cardholder name, and the date and place of each transaction. That information, according to viaForensics, could be used, for example, for social engineering against the actual account holder.
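The kind of check viaForensics describes, reading an app-local SQLite file and looking for cleartext fields of the sort listed above, can be automated. The following is an added example written for this article, not code from viaForensics or Google: it builds a constructed in-memory database whose table and column names are assumptions that merely mirror the fields named in the report, then audits every user table for cells that look like e-mail addresses, card expiry dates, last-four digits or money amounts, and for column names that advertise sensitive content.

```python
import re
import sqlite3

# Constructed schema that mirrors the fields the report says the Wallet
# app kept locally. Table and column names are assumptions for this
# example, not the real application's schema.
SAMPLE_SCHEMA = """
CREATE TABLE cards (
    id INTEGER PRIMARY KEY,
    holder_name TEXT,
    last_four TEXT,
    expiry TEXT,
    credit_limit TEXT,
    balance TEXT
);
CREATE TABLE transactions (
    id INTEGER PRIMARY KEY,
    card_id INTEGER,
    user_email TEXT,
    merchant TEXT,
    occurred_at TEXT
);
"""

# Constructed sample rows (fictitious values).
SAMPLE_ROWS = [
    "INSERT INTO cards VALUES (1, 'Jane Example', '4242', '09/14', '5000.00', '1234.56')",
    "INSERT INTO transactions VALUES (1, 1, 'jane@example.com', 'Corner Store', '2011-12-12 14:03')",
]

# Content patterns that indicate a cell holds cleartext sensitive data.
# They are deliberately simple heuristics; an auditor reviews the hits.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "card_expiry": re.compile(r"^(0[1-9]|1[0-2])/(\d{2}|\d{4})$"),
    "card_last_four": re.compile(r"^\d{4}$"),
    "money_amount": re.compile(r"^\d+\.\d{2}$"),
}

# Column names that, on their own, suggest sensitive cleartext storage.
SENSITIVE_NAME_HINTS = ("name", "email", "limit", "balance", "expir", "last_four")


def _quote_identifier(name):
    """Quote a table name taken from the database under audit (untrusted)."""
    return '"' + name.replace('"', '""') + '"'


def audit_sqlite(conn):
    """Scan every user table for text cells matching a sensitive pattern.

    Returns a sorted list of (table, column, kind) findings, one entry per
    column/kind pair, so the reviewer sees which columns leak what.
    """
    findings = set()
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = _quote_identifier(table)
        columns = [info[1] for info in conn.execute(f"PRAGMA table_info({quoted})")]
        for row in conn.execute(f"SELECT * FROM {quoted}"):
            for column, value in zip(columns, row):
                if not isinstance(value, str):
                    continue  # only text cells can be cleartext secrets here
                for kind, pattern in PATTERNS.items():
                    if pattern.match(value):
                        findings.add((table, column, kind))
                if any(hint in column.lower() for hint in SENSITIVE_NAME_HINTS):
                    findings.add((table, column, "cleartext_sensitive_column"))
    return sorted(findings)


def build_sample_db():
    """Create the constructed in-memory database used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for statement in SAMPLE_ROWS:
        conn.execute(statement)
    conn.commit()
    return conn


if __name__ == "__main__":
    # On a real device image you would open the extracted .db file instead.
    for table, column, kind in audit_sqlite(build_sample_db()):
        print(f"{table}.{column}: {kind}")
```

Pointing `sqlite3.connect` at a database file pulled from a device image instead of the in-memory sample runs the same audit against real application data; every hit is a field that an attacker with root, or with a malicious app that gains it, could read without any key, which is exactly the exposure the report describes.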
“They underestimated the importance of this data; consumers would not be happy about its loss,” says Andrew Hoog, IT director at viaForensics. “I am not happy that someone could know my credit limit, or know when I transfer money ... If you know this information, you can effectively carry out a social engineering attack that will allow [the attacker] to access the account.”
Meanwhile, a Google spokesman said that the viaForensics report is based only on research on Android smartphones with root access. The representative praised the multi-layered security of the operating system and the application. “The viaForensics study does not refute the effectiveness of the multiple levels of security built into the Android operating system and Google Wallet,” the representative said. “Even in this case, those security elements continue to protect payment data, including the credit card number and CVV.”
“Android actively protects against malicious programs that try to gain system administrator access without the user's knowledge.”
But Andrew Hoog, IT director at viaForensics, responded that refusing to acknowledge security shortcomings in Wallet simply because they were identified on rooted phones is a questionable position. About 10-15% of smartphone users root their devices, he says, and his company had to obtain such access on the phone during its study in order to reach the information in the application's data directory. Moreover, there are plenty of malicious programs that can gain root remotely, he said.
“If you think about how many people already have administrative access, and the fact that with each successive release of iOS and Android people quickly find a way to get root, and that there are exploits that can do it remotely over the network ... we believe this is a real danger of losing unprotected data,” he said.
The bottom line, he advised, is that Google should either encrypt all sensitive cardholder data or not keep it all in one place locally.
“We praise Google for putting a PIN code on the application,” said Hoog. “But if you want to keep [vulnerable] information, don't store it in clear text.”
Meanwhile, Google has fixed two other weaknesses viaForensics pointed out: data could be recovered after a transaction or after Wallet was restarted, and an image containing the cardholder's name, expiration date and the last four digits of the account number could be recovered. Both problems have been fixed in Wallet version 1.0-R33v6.
“Given the amount of data that can be read, and given that this is a payment application, Google should move the wallet to a higher level of security,” he concluded.