
Google Wallet Woes Continue

By Neil J. Rubenking, Principal Writer, Security


Yesterday we reported a vulnerability in Google Wallet. If the product is installed on a rooted Android phone, a quick, simple brute force attack can extract the PIN and allow a thief to spend your Google Wallet funds. The simple solution—don't root your phone. Comments around the Web suggested that won't help because the thief could root the phone ex post facto. Fortunately, that's not the case. Unfortunately, today brings more bad news.

Google's Response

A Google spokesperson quickly responded to my post about the PIN vulnerability yesterday, saying "The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN. We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

I double-checked with Google and was told that rooting an Android phone will wipe all data. That statement struck me as odd, because there are a number of well-known ways to root an Android phone without wiping its data. For example, unrevoked.com automatically roots most EVO phones, and the Super One Click utility will root a wide variety of phone types.

I checked back with Google; they remained adamant that rooting a phone wipes its data, period, and asked me to forward any evidence to the contrary. Eventually we sorted out a communication problem. As Russell Holly, ExtremeTech's top Android expert, verified, many Android phones can be rooted without wiping their data, but no device that supports Google Wallet can be treated this way. Rooting a Nexus S 4G will definitely wipe its data.

That being the case, if you refrain from rooting your phone you're protected against the PIN vulnerability. You should still go ahead and take the additional security steps recommended by the researcher who discovered the problem: enable a screen lock, disable USB debugging, enable full disk encryption, and keep your device fully up to date.

A Second, Worse Vulnerability

Google's problems didn't end there, however. A site titled The Smartphone Champ revealed a second flaw, one that works on any phone, rooted or not.

Simply put, a thief can gain access to all funds in your Google prepaid card by wiping out Google Wallet's data and launching it again. On launching without any data, Google Wallet invites the thief to connect with a Google account and create a new PIN. But since the prepaid card is linked to the device, not the account, all the thief needs to do is select the default card for instant access to your funds. A video on the Smartphone Champ site walks through the simple steps required.
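As an added illustration (not Google's code and not the Smartphone Champ's steps), the following Python model contrasts the flawed design the article describes, a prepaid balance keyed to the device, with one keyed to the signed-in account, so that clearing app data and re-enrolling no longer reaches the previous owner's funds. The class names, the device id and the salted PIN hash are assumptions, not Wallet's actual scheme.

```python
import hashlib
import os

# Hypothetical model (not Google's code) of the prepaid-card flaw: the issuer
# keys the balance by device id, so clearing app data and re-enrolling keeps it.
class CardIssuer:
    """Server side: prepaid balances keyed by device id (flawed) or account (fixed)."""
    def __init__(self, bind_to_device):
        self.bind_to_device = bind_to_device
        self.balances = {}
    def _key(self, device_id, account):
        return device_id if self.bind_to_device else account
    def issue_card(self, device_id, account, amount):
        k = self._key(device_id, account)
        self.balances[k] = self.balances.get(k, 0) + amount
    def charge(self, device_id, account, amount):
        k = self._key(device_id, account)
        if self.balances.get(k, 0) < amount:
            return False
        self.balances[k] -= amount
        return True

class WalletApp:
    """Client side: PIN hash and linked account live in app data the user can clear."""
    def __init__(self, device_id, issuer):
        self.device_id, self.issuer, self.data = device_id, issuer, None
    def setup(self, account, pin):            # first launch: link an account, choose a PIN
        salt = os.urandom(16)                 # salted hash is an assumption, not Wallet's scheme
        digest = hashlib.sha256(salt + pin.encode()).digest()
        self.data = {"account": account, "salt": salt, "pin_hash": digest}
    def clear_app_data(self):                 # Android "Clear data" on the Wallet app
        self.data = None
    def pay(self, pin, amount):
        if self.data is None:
            return False
        d = self.data
        if hashlib.sha256(d["salt"] + pin.encode()).digest() != d["pin_hash"]:
            return False
        return self.issuer.charge(self.device_id, d["account"], amount)

def thief_scenario(bind_to_device):
    """Owner loads $50; a thief clears app data and re-enrolls with their own account and PIN."""
    issuer = CardIssuer(bind_to_device)
    wallet = WalletApp("device-001", issuer)   # constructed device id
    wallet.setup("owner@example.com", "1234")
    issuer.issue_card(wallet.device_id, "owner@example.com", 50)
    wallet.clear_app_data()
    wallet.setup("thief@example.com", "0000")
    return wallet.pay("0000", 20)              # succeeds only when the card is bound to the device
```

Running `thief_scenario(True)` reproduces the article's scenario; `thief_scenario(False)` shows that keying the balance to the account leaves the new enrollment with nothing to spend.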

Google has verified this vulnerability. A spokesman stated, "We strongly encourage anyone who loses or wants to sell or give away their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone." (Actually, no matter what sort of mobile device you use, setting some kind of screen lock is a must.)

The Google representative I spoke with this morning confirmed that a fix will be released as soon as possible, probably within a few hours. If you're one of the lucky few whose carrier and hardware support Google Wallet, you'll want to keep your phone extra safe and watch closely for that fix.
