A forensic analysis of Google Wallet points to unencrypted data and security vulnerabilities.
A report called "Forensic security analysis of Google Wallet", by viaForensics, outlines vulnerabilities found during testing.
Wallet Rolls Out
In May 2011, Google held a press conference to announce the new mobile payment service. At the time, the service was described as "open," with the API made available so others could join in, while personal data would remain secure on the NFC (Near Field Communication) chip. A PIN protects the Google Wallet user's details.
Andrew Hoog, Chief Investigative Officer and co-founder of viaForensics, performed the security tests. To exploit the phone, Hoog focused on man-in-the-middle (MITM) attacks, forensic analysis of data stored on the device, and examination of system logs. The first test, an MITM attack over Wi-Fi, was successfully thwarted by Google Wallet on Hoog's mobile device.
Next, Hoog performed three types of forensic acquisition of his phone: logical acquisition, which does not require root privileges, and file system acquisition and physical acquisition of user data, which do require root privileges. The testers extracted the logical data through content providers, and that acquisition didn't indicate that Google Wallet exposes any data to them, but Hoog says further testing is needed. The other forensic tests were able to extract some user data, including the address of the transaction, which card was used, current balance, statement balance, payment due date, the Gmail account used for the Wallet, the card expiration date and the cardholder's name.
Finally, Hoog reset his Google Wallet app to check the system logs. He explains:
"As expected, the provision data was no longer accessible by the app and I had to re-add my credit cards to use Google Wallet again. However, in a rather common misconception made by developers, simply deleting data from a database (or usually even a file) does not really delete the data. As such, after I ran the Reset Google Wallet function and then examined the databases, I could still recover all of the card, payment and user information I detailed above. This is certainly an area where Google needs to improve their functionality. If, for example, you were going to sell your phone after using Google Wallet, I would suggest you do a complete reset of the device as you cannot rely on the reset function inside Google Wallet to sufficiently remove the data."
The problems Hoog pointed out with recoverable data after a Google Wallet reset and with a recoverable image of the credit card that exposed the cardholder's name, card expiration date and last four digits have since been fixed by Google. Hoog admits that his testing was high-level and that more comprehensive analysis is necessary to determine whether there are additional vulnerabilities.
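The point in Hoog's quote, that deleting rows from a database does not remove the bytes from the file, can be reproduced with a small SQLite database. This is an added example, not code from Google Wallet or viaForensics; SQLite as the storage engine, the table layout, the file name and the marker value are all assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile

MARKER = "CONSTRUCTED-CARDHOLDER"  # constructed sample value, not real data


def residue_after_reset(secure_delete: bool, vacuum: bool = False) -> bool:
    """Return True if MARKER is still present in the raw database file
    after the application has deleted every row (a simulated "reset")."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet_demo.db")  # hypothetical file name
        conn = sqlite3.connect(path)
        # Set explicitly: the default depends on how SQLite was compiled.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute("CREATE TABLE cards (holder TEXT, last4 TEXT, expires TEXT)")
        conn.executemany(
            "INSERT INTO cards VALUES (?, ?, ?)",
            [(f"{MARKER}-{i}", "0000", "01/30") for i in range(5)],
        )
        conn.commit()

        # The "reset": from the application's point of view the data is gone.
        conn.execute("DELETE FROM cards")
        conn.commit()
        remaining = conn.execute("SELECT COUNT(*) FROM cards").fetchall()[0][0]
        assert remaining == 0

        if vacuum:
            # Rebuilds the file, discarding the content of freed space.
            conn.execute("VACUUM")
        conn.close()

        # A file system or physical acquisition sees the raw bytes,
        # not the SQL view of the table.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("plain DELETE leaves residue:      ", residue_after_reset(False))
    print("secure_delete=ON leaves residue:  ", residue_after_reset(True))
    print("DELETE then VACUUM leaves residue:", residue_after_reset(False, vacuum=True))
```

Neither `secure_delete` nor `VACUUM` addresses copies held outside the database file or stale blocks on flash storage, which is consistent with the advice in the quote to do a complete device reset before selling the phone.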