App is vulnerable to quick brute-force attacks on rooted phones

Near field communications (NFC) technology has been around overseas for over half a decade now, but it's finally jumping from the Asian market to the United States.  The technology allows you to wave your smartphone over readers to pay for anything from gas to groceries.

One of the key players in this emerging market is Google Inc. (GOOG).  Of the major phone OS platform makers, Google has pushed the hardest to deeply integrate NFC.  In May 2011 it announced a new payment app/service called "Google Wallet", which it launched in Nov. 2011.

Now a zero-day vulnerability -- discovered by Josh Rubin, et al. (presumably no relation to Android chief Andy Rubin) of the hacker site zvelo -- is raising concerns that it may be easy to digitally "mug" some Google Wallet users.  The issue, it turns out, is that the open-source code of Google's Wallet app reveals the crux of its security -- a hex-encoded SHA-256 hash of a 4-digit PIN.  SHA-256 is a strong hash function, but when the input is a four-character numeric sequence (only 10,000 possible values), the hash is almost as crackable by brute force as a traditional MD5 password.

Mr. Rubin calls the task "trivial".
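To make the arithmetic above concrete, here is added example code written for this page (not zvelo's research code and not Google's): the first function models the search an attacker faces once the digest has been copied off a rooted device, bounded by the 10,000-value keyspace no matter how strong the hash; the second models one mitigation, a verifier that cannot be copied out and enforces an attempt limit, which is an assumption of this example and not something the article says Google implemented. The salt and PIN values are constructed.

```python
import hashlib
import hmac
from typing import Optional, Tuple

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # the whole 4-digit keyspace

def hex_sha256_verifier(pin: str, salt: bytes) -> str:
    """Store the PIN as the article describes: a hex-encoded SHA-256 digest.
    The salt is an assumption added here; it does not enlarge the keyspace."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()

def exhaust_offline(stored_hex: str, salt: bytes) -> Tuple[Optional[str], int]:
    """Cost model for the rooted-device case: with digest and salt copied off
    the phone, how many hashes recover the PIN? Bounded by len(PIN_SPACE)."""
    for attempts, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(hex_sha256_verifier(pin, salt), stored_hex):
            return pin, attempts
    return None, len(PIN_SPACE)

class GatedVerifier:
    """Mitigation model (an assumption, not what the article attributes to
    Google): the digest stays inside a component that cannot be copied out,
    and that component wipes the secret after max_attempts failures."""
    def __init__(self, pin: str, max_attempts: int = 3):
        self._salt = b"constructed-per-device-salt"  # constructed sample value
        self._digest = hex_sha256_verifier(pin, self._salt)
        self._failures, self.locked = 0, False
        self.max_attempts = max_attempts

    def check(self, candidate: str) -> bool:
        if self.locked:
            return False
        ok = hmac.compare_digest(hex_sha256_verifier(candidate, self._salt), self._digest)
        if ok:
            self._failures = 0
        else:
            self._failures += 1
            if self._failures >= self.max_attempts:
                self.locked, self._digest = True, ""  # wipe the verifier
        return ok

def exhaust_online(gate: GatedVerifier) -> Tuple[Optional[str], int]:
    """Same search through the gate: stops at the limit, so success odds
    are at most max_attempts / len(PIN_SPACE)."""
    for attempts, pin in enumerate(PIN_SPACE, start=1):
        if gate.check(pin):
            return pin, attempts
        if gate.locked:
            return None, attempts
    return None, len(PIN_SPACE)
```

The contrast is the point: the offline search always terminates within 10,000 hashes, while the gated search terminates at the attempt limit regardless of what hash function sits behind it.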

Google has responded, saying it is working to plug the hole.  The company emphasizes that (for now) only rooted phone users are at risk.  It states, "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

On normal phones the files involved are protected both by sandboxing (which requires permissions to access the file system) and by visibility restrictions.  Much like Carrier IQ's files, a normal file browser app cannot "see" the encrypted file on an unrooted device -- it's hidden.

That said, there are many rooted devices in the wild, including those owned by many developers.  Zvelo says that rooted users can protect themselves somewhat by avoiding apps with suspicious permissions, enabling lock-screen protection, keeping their installed Android version up-to-date, and turning on full-disk encryption.

Google is working on an update, but is reportedly slowed by having to broker changes in its service's security with its partner banks.

Thus far Google Wallet has few users, for lack of compatible devices.  The technology is new to Android 4.0 Ice Cream Sandwich (ICS).  Verizon Wireless -- the joint venture of Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD) -- which carries one of the most popular Android ICS phones, the Galaxy Nexus, has banned Google Wallet.  Reportedly it is plotting its own mobile payment system to compete with Google's.

Source: zvelo


Copyright 2018 DailyTech LLC.