App is vulnerable to quick brute-force attacks on rooted phones

Near field communications (NFC) technology has been around overseas for over half a decade now, but it's finally jumping from the Asian market to the United States.  The technology allows you to wave your smartphone over readers to pay for anything from gas to groceries.

One of the key players in this emerging market is Google Inc. (GOOG).  Of the major phone OS platform makers, Google has pushed the hardest to deeply integrate NFC.  In May 2011 it announced a new payment app/service called "Google Wallet", which it launched in Nov. 2011.

Now a zero-day vulnerability -- discovered by Josh Rubin, et al. (presumably no relation to Android chief Andy Rubin) of the hacker site zvelo -- is raising concerns that it may be easy to digitally "mug" some Google Wallet users.  The issue, it turns out, is that Google's open source of the Wallet app reveals the crux of its security -- a SHA-256 hex-encoded 4-digit PIN.  SHA-256 is typically a pretty good hash function (it is a hash, not encryption), but when you're dealing with a four-character numeric sequence there are only 10,000 possible values, so it's almost as crackable by brute-force attack as traditional MD5 passwords.

Mr. Rubin calls the task "trivial".
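An added example, not from the article, zvelo or Google: the Python below shows why hashing cannot protect a four-digit PIN once the stored hash is readable. The salt, the `salt + PIN` record layout, the sample PIN and the guess rates are constructed assumptions, not Wallet's actual format.

```python
import hashlib
import hmac

PIN_DIGITS = 4  # the article's case: a four-digit numeric PIN


def hash_pin(pin: str, salt: bytes) -> str:
    """Hex-encoded SHA-256 over salt + PIN (assumed layout, not Wallet's)."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def exhaust_keyspace(stored_hex: str, salt: bytes, digits: int = PIN_DIGITS):
    """Hash every possible PIN; return (pin, attempts), pin is None if absent."""
    total = 10 ** digits
    for attempts, n in enumerate(range(total), start=1):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored_hex):
            return candidate, attempts
    return None, total


def worst_case_seconds(digits: int, guesses_per_second: float) -> float:
    """Upper bound on offline search time: keyspace size / guess rate."""
    return (10 ** digits) / guesses_per_second


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    record = hash_pin("9999", salt)  # constructed worst-case PIN
    pin, attempts = exhaust_keyspace(record, salt)
    print(f"recovered {pin} after {attempts} hashes")
    # A salt stops precomputed tables but not this search: it is stored
    # beside the hash, so the keyspace is still 10**4.
    for rate in (1e4, 1e6):  # assumed guess rates, hashes per second
        print(f"{rate:.0e} guesses/s -> {worst_case_seconds(4, rate):.2f} s worst case")
```

Key stretching only lowers the guess rate; with 10,000 candidates the protection has to come from limiting attempts or keeping the stored hash unreadable, which is what the sandbox does on an unrooted phone.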

Google has responded, saying it is working to plug the hole.  The company emphasizes that (for now) only rooted phone users are at risk.  It states, "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

On normal phones the files involved are protected both by the sandboxing (requiring permissions to access the file system) and by visibility restrictions.  Much like Carrier IQ's files, a normal file browser app cannot "see" the encrypted file on an unrooted device -- it's hidden.

That said, there are many rooted devices in the wild, including those owned by many developers.  Zvelo says that rooted users can protect themselves somewhat by avoiding apps with suspicious permissions, enabling lock-screen protection, keeping their installed Android version up-to-date, and turning on full-disk encryption.

Google is working on an update, but is reportedly slowed by having to broker changes in its service's security with its partner banks.

Thus far Google Wallet has few users, for lack of compatible devices.  The technology is new to Android 4.0 Ice Cream Sandwich (ICS).  Verizon Wireless -- the joint venture of Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD) -- which has one of the most popular Android ICS phones, the Galaxy Nexus, has banned Google Wallet.  Reportedly it is plotting its own mobile payment system to compete with Google's.

Source: zvelo