Google Wallet leaves sensitive data unencrypted and accessible, says security firm

Security firm ViaForensics conducted a recent study on Google Wallet, and discovered that while the system does store credit card numbers securely, it can also leave personal information accessible on rooted devices.

ViaForensics conducted a recent study on Google Wallet, discovering that while the electronic payment system does store credit card numbers securely, it can also leave personal information easily accessible. Using a rooted Nexus S 4G, the firm found that the application writes unencrypted database files that contain payment transaction histories. Details about the credit cards used are also present, including account balances, credit limits, expiration dates, and the last four digits of the card numbers themselves. "Many consumers would not find it acceptable if people knew their credit card balance or limits," the company stated in its report. "Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high."

Two additional vulnerabilities were discovered — images with partial credit card information were present in the file system, and removing a card from Google Wallet wouldn't delete its transaction history — but both issues were resolved with software updates. While the vulnerabilities may sound worrisome, it should be noted that they pertain only to rooted devices, where a user has full access to a phone's underlying files. Google defended its implementation, saying in a statement that the report "focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers ... Android actively protects against malicious programs that attempt to gain root access without the user's knowledge." While that's accurate, it's obviously quite easy for a stolen phone to be rooted and harvested for information. Still, with Google Wallet's rollout proceeding at a snail's pace — the Nexus S 4G is still the only phone to officially support the feature — Mountain View will have plenty of time to address ViaForensics' concerns.