Last week Google said it had fixed the latest security flaw in Google Wallet, whereby a determined thief could root your non-rooted device ex post facto and retrieve your Google Wallet prepaid card. That was partly true. From what we can tell the technical issue still remains, even if Google Wallet itself is safer.
To recap the Google Wallet brouhaha this month, first researcher Joshua Rubin from zvelo revealed a quick, simple brute force technique to extract the Google Wallet PIN from a rooted phone. That actually requires some skillz, but the next day The Smartphone Champ revealed that even in a non-rooted Nexus smartphone with Google Wallet, a thief can steal your Google Wallet prepaid card by simply wiping Google Wallet settings and attaching the app to a new Google account. Finally, Rubin reported how a thief can root your non-rooted phone ex post facto and steal your Google Wallet funds. This works because some root privileges do not remove all the data on your Android device, and Google prepaid cards are stored in the device, not in one’s Google Wallet account.
Google responded to Rubin’s discovery by suspending new prepaid cards on Sunday. It began re-issuing Google Wallet prepaid cards on Tuesday, claiming it had fixed the problem. But as a spokesman told my colleague Neil Rubenking, Google’s “fix” was to require users to contact Google Support to re-activate a Google Wallet account. So yes, the technical issue still remains.
Rubin, who discovered the latest hack and told us how one might get past the lock screen to perform the root exploit, offered four easy ways to tighten the security settings on your Android device. Not only do we urge anyone using Google Wallet to do this, but any Android user concerned about securing the data on his device should make sure the following Settings are turned on:
1. Enable Lock Screens: Under SettingsSecurity. Enable Face Unlock, Pattern, PIN, and Password to increase physical security to the device. Slide doesn’t do much.
2. Disable USB Debugging: Under SettingsUSB debugging. When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
3. Enable Full Disk Encryption: Under SettingsSecurity. This will prevent even USB Debugging from bypassing the lock screen.
4. Maintain Device Up-To-Date: Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cell phone manufacturer for this, but when you are finally prompted to upgrade your operating system, do so. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.
Bonus: Stick to official app stores. This is far less likely, but an attacker can also discover your PIN lock (which is necessary for him to root your phone) if you accidentally install a malicious app that records your personal data, including PIN. Most malicious apps are distributed through shady Chinese/Russian app stores; to be on the safe side stick to the Android Market, GetJar, and the Amazon App Store.
And always read through app permissions, as malicious apps typically make unusual requests. Most mobile security apps, like McAfee Mobile,Lookout Mobile, and F-Secure Mobile Security, come with an app auditing feature to help you keep tabs on permission requests.