Using Google Wallet for shopping is incredibly convenient. Just enter your PIN, wave the phone at the reader, and your transaction is complete. If your phone got stolen, a thief would still need the PIN to make purchases, and Google Wallet locks up tight after five bad PIN guesses. However, a newly discovered vulnerability lets that thief extract the Google Wallet PIN from a rooted phone without making any bad guesses. An engineer at Web categorization provider zvelo made the discovery and reported it on the company's blog, after notifying Google.

Mining for Data

Last year security firm ViaForensics reported that Android apps for Foursquare, Netflix, LinkedIn, and others don't adequately protect the user's stored personal information. More recently ViaForensics researchers released a report on Google Wallet security. The report concluded that while full credit card numbers are well-secured, other easily extracted private information could be used for a social engineering attack.

Joshua Rubin, a researcher at zvelo, found the report interesting and dug more deeply into the data stored by Google Wallet. In the course of his investigation, he discovered a way to crack the PIN.

Hashing Things Out

The Google Wallet PIN isn't stored in plain text; that would be plain stupid. As in many security situations, Google Wallet uses a hash of the PIN instead. Hashing, sometimes called one-way encryption, involves boiling down a document, password, or other sensitive data into a special code. There's no way to get back to the original from the code, and the hashing algorithm is designed to minimize the possibility that different originals could hash to the same code.

To check whether you've entered the right password, an app simply applies the hashing algorithm to what you typed. If it matches the stored code, you got it right. The same technique can be used to verify that a document or other file hasn't been modified.

What Rubin realized is that hashing isn't effective when the number of possible originals is small. There are only 10,000 possible values for a PIN consisting of four numeric digits. He quickly whipped up a Google Wallet Cracker program that would check all 10,000 against the stored hash, revealing the correct PIN.

Protect Yourself

You might think that Google could solve this problem by moving the PIN hash inside what's called the Secure Element (SE). However, doing so could run up against a problem of legality and ownership. According to Rubin, "The fear is that Google might no longer be responsible for the security of the PIN, but rather the banks themselves." While we wait for them to work out a solution, there are a number of things you can do to prevent a thief from cracking your Google Wallet PIN.

First and foremost, don't root your phone. Doing so pokes holes in the device's existing security. Yes, there are apps that don't work on an un-rooted phone. Just say no to those apps.

Rubin recommends that you enable a lock screen option, disable USB debugging, enable full disk encryption, and keep your Android device fully up to date. These are all good steps to take for Android security, whether or not you use Google Wallet. Check Rubin's full post for full details as well as a video showing how easy it is to crack the PIN on a rooted phone.