Google Wallet hit by security claim

Google’s mobile payment application, Google Wallet, has been found to store users’ personal information unencrypted on devices, according to new research from US-based analysts viaForensics.
The digital forensics company said that Google Wallet only encrypts a user’s credit card number itself – leaving data including the cardholder’s name, transaction dates, the last four digits of credit card numbers, email address and account balances unprotected by encryption.
“While Google Wallet does a decent job securing your full credit card numbers… the amount of data that Google Wallet stores unencrypted on the device is significant. Many consumers would not find it acceptable if people knew their credit balance or limits,” a report said.
Google Wallet is a mobile payment system developed by Google that allows users of its Android operating system to store details of credit cards, loyalty cards and gift cards on a mobile phone. It uses ‘near field communication’ (NFC), which lets users make payments by tapping the phone on a checkout terminal equipped with the technology.
The application launched in the US in September this year and currently only supports a limited range of payment options including the CitiBank Mastercard. It could be available in the UK in time for the Olympics in 2012, according to some reports.
But Google has hit back, claiming that viaForensics’ study “does not refute the effectiveness” of the security built into both its Android operating system and Google Wallet. “The secure element still protects the payment instruments, including credit card and CVV (3-digit) numbers. Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices,” it said.