The Green Sheet Online Edition
January 09, 2012 • Issue 12:01:01
Forensics expert, Google differ on Wallet security
A forensics exam of Google Inc.'s Google Wallet by the digital forensics and security firm viaForensics LLC revealed a number of apparent holes in the mobile wallet's ability to protect the personal information it stores. However, the ease with which these holes can be exploited to steal data remains at issue between the two companies.
"We've agreed to disagree," both the researcher, viaForensics Chief Investigative Officer Andrew Hoog, and a Google representative who asked to remain on background separately told The Green Sheet.
The forensics report
Hoog reported in a blog released Dec. 12, 2011, "While Google Wallet does a decent job securing your full credit card numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card).
"Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high."
He additionally wrote, "Privacy conscious consumers understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service. From a tech standpoint, it's very exciting to see Google Wallet in production. However, it has consistently been viaForensics' position that the largest security risk from apps using NFC does not stem from the core NFC technology but instead the apps that use the technology."
Hoog told The Green Sheet he applauds Google for its open system. He said the company studied his findings and even corrected a problem he found: deleted data that could be recovered. "In the long term, open systems tend to be more secure" because people are able to find problems and point them out to the software firm, he noted.
"Google had an appropriate reaction to our findings," Hoog added. "They looked at each case and responded. They worked with us and made changes. They did not address all the items we found." He noted his analysis encompassed "only 10 percent of the tool kit we would use if we are really analyzing an application," and it is possible there are problems with the wallet viaForensics did not find.
Hoog suggested Google can do two things to fix the problems he addressed. The first is not to store data on the phone. "It doesn't do any good to store data if you can [otherwise] fetch data like payment history over a network and display it," he said. "There's no need to store the data, and I believe Google agrees with us."
He also pointed to problems with applications such as email that include sensitive data that needs to be stored on the mobile device. "If you are storing sensitive data you need to protect that data," he said. "We strongly urged them to encrypt this data."
Hoog said smart devices running the Google Wallet app hypothetically could board malware that would give intruders access to the root data analysis program and, from there, to the operating system. In theory, the intruder launching a successful attack of this type would have unfettered access to the information on the device. For this reason, he believes manufacturers need to make it more difficult to pull data off devices.
The official Google response to the viaForensics finding reads, "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case the secure element still protects the payment instruments, including credit card and CVV numbers.
"Android actively protects against malicious programs that attempt to gain root access without the user's knowledge. Based on this report's findings we have made a change to the app to prevent deleted data from being recovered on rooted devices."
A Google representative, speaking on background, pointed out there are no known exploits that get root access to a device. Google maintains that even if root access is somehow obtained, credit card information is still protected.
The company also pointed out that encryption is of no value when root access to a phone is gained. "Our Wallet is more secure than your wallet," the Google employee said. "If someone steals your wallet they have your credit card information."
Hoog's position is slightly different. "We believe wholeheartedly it is possible to secure mobile apps," he said. "It takes effort, diligence and auditing, but it can be done."