XDA Developers Android and Mobile Development Forum

Significant security flaw in Google wallet

 
Royal2000H
#21
Senior Member
Simple fix (force a Google authentication before setting new pin)... but it's low risk too.

Far likelier for someone to steal a credit/debit card, find a wallet, or copy the card's number and security code than for someone to find your phone, KNOW about this wallet data clearing and then use the phone as a card.
 
ohnuhuh
(Last edited by ohnuhuh; 28th December 2011 at 12:04 AM.)
#22
Member
Quote:
Originally Posted by bp328i
If you lose your phone just log into your Gmail and change the password. Problem solved.
According to the post by someone on the first page this wouldn't help at all, would it? According to that post, the money is tied to the phone itself not the Gmail account. So they could just log in with their own account and still access the money on the phone. Although I've read about people getting replacement phones and transferring their money over.. So I don't really know how all that works for sure.
Verizon
HTC One - BoneStock
Galaxy Nexus - AOKP
Droid Incredible - Stock Plus
 
Genious
#23
Member
It's really not that big a deal, you can't load any credit/debit card but the Citi one, and if they clear data that card is gone. If someone swipes your phone, much like your wallet you cancel/change your info and take the loss on any cash you might have had in the wallet, I don't see this being a big difference from losing whatever cash was loaded on the pre-paid card. This is NOT something I would call a serious security flaw, a nuisance maybe. Save all serious security flaw business for when someone makes an app that will let them drain your pre-paid or any other card by bumping their phone against yours, really putting that NFC to good use.
HTC Thunderbolt: WIP
 
MoeDaddy
#24
Member
I don't find this a big deal myself either, if you have your phone locked they have to get by that first and it is no worse than losing your wallet, not to mention most people wouldn't even know that you can do that if they found your phone...

That said, all Wallet needs to do is have you set up a PIN when you first set up a Wallet account and that PIN stays with you, it is bound to your Gmail, that way they would still need to know your PIN when they reset the app. Personally that is how they should do it anyway but it is still relatively new so give it time.
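
The fix suggested in posts #21 and #24, as an added Python sketch that is not part of any post and is not Google Wallet's code: it contrasts a PIN record kept only in app data with one kept with the account, where replacing it needs a fresh account login. The `Wallet` class, its fields and the sample PINs are constructed for illustration.

```python
import hashlib
import hmac
import os

def pin_verifier(pin, salt):
    # Salted, slow hash so the stored record is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Wallet:
    """Toy wallet; the only design choice modelled is where the PIN record lives."""
    def __init__(self, pin_on_device):
        self.pin_on_device = pin_on_device
        self.device = {}    # app data: wiped by "clear data" on the phone
        self.account = {}   # record kept with the account, off the device (assumed)

    def _home(self):
        return self.device if self.pin_on_device else self.account

    def clear_data(self):
        self.device = {}    # never reaches the account-side record

    def set_pin(self, pin, reauthenticated=False):
        home = self._home()
        # An existing PIN can only be replaced after a fresh account login.
        if "pin" in home and not reauthenticated:
            return False
        salt = os.urandom(16)
        home["pin"] = (salt, pin_verifier(pin, salt))
        return True

    def unlock(self, pin):
        record = self._home().get("pin")
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, pin_verifier(pin, salt))

def after_data_clear(wallet):
    """Owner sets a PIN, app data is cleared, then a new PIN is attempted.
    Returns (new_pin_accepted, owner_pin_still_valid)."""
    wallet.set_pin("4821")    # constructed sample PIN
    wallet.clear_data()
    new_pin_accepted = wallet.set_pin("0000") and wallet.unlock("0000")
    return new_pin_accepted, wallet.unlock("4821")

if __name__ == "__main__":
    print("PIN in app data:  ", after_data_clear(Wallet(pin_on_device=True)))
    print("PIN with account: ", after_data_clear(Wallet(pin_on_device=False)))
```

With the record on the device, clearing data removes the only thing that enforced the old PIN; with the record held by the account, the same action changes nothing until the account holder logs in again.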
 
sm_x
(Last edited by sm_x; 28th December 2011 at 08:05 AM.)
#25
Senior Member
I think this might have something to do with the app being installed as a user app vs system app. System apps require higher privileges to modify I think. Plus, and I think this is important, if a "tech-savvy thief" gets physical access to your unprotected phone, Wallet would be one of your many problems.

I don't know about you but my Gmail is my life. If such a thief can access it, it would grant him/her enough access to reset my bank password, car insurance info, my valuable digital data, access to my email list (phishing attacks on people who trust emails that come from me), reset my Facebook password, Twitter, etc....

Also there are many other equally important applications that you might install on your phone that rely on only the phone's security to protect your valuable data. I am sure you can think of more than one.

You also have no idea what a true hacker can do to a piece of technology, such as your phone, if they have unrestricted access to it. For example, a hacker might be able to root your phone, dig into the system files for some saved unhashed password, deleted (but not overwritten) data, etc. I saw an article a while back about a few hackers in some university that can pull a password for an encrypted hard drive by reading it off the memory after they freeze it with liquid nitrogen (but I doubt you have anything on yours worth that much trouble).

So in short, PUT A PASSCODE ON YOUR PHONE, if you really want to protect the data that is contained within it. The only other choice you have is to keep sensitive data out of your phone.
 
bp328i
#26
Senior Member
Quote:
Originally Posted by ohnuhuh
According to the post by someone on the first page this wouldn't help at all, would it? According to that post, the money is tied to the phone itself not the Gmail account. So they could just log in with their own account and still access the money on the phone. Although I've read about people getting replacement phones and transferring their money over.. So I don't really know how all that works for sure.
Yes it would help (and stop the use of Google Wallet) because when logging into Google Wallet you have to select the Gmail account (which the main Gmail account on your phone is listed first) then you get an allow permissions accept page.

If you change your Gmail password then nothing on the phone that is based off your Gmail account works anymore. (I tried before posting) The Google Wallet/Money is based off your Gmail account, but the OP is basing the flaw off the owner of the phone not changing their password after the phone has been lost/stolen. It's great that this was pointed out but not a huge deal.

I have two Galaxy Nexii and have tried and Google Wallet will load my pre-paid card money on either phone as long as I put MY Gmail info in.
 
irgnutz
#27
Junior Member
You could always use a program like UAG to PW protect that app if you don't want to PW protect your whole phone.
