Google (NASDAQ:GOOG) faced new security concerns less than a week after the company announced the deployment of a cloud-based virus scanner, called Bouncer, for the Android Market, Google’s store for Android-compatible smartphone applications.
Questions were raised about Bouncer’s limitations, particularly in the context of Android applications, which are based on open-source code, but those questions were overshadowed by emerging security concerns about Google Wallet, the smartphone-based payment system that relies on near field communication (NFC) technology to send payment authorization to an NFC chip in a store checkout.
Bouncer scans applications in Android Market using a decently rigorous set of protocols that include testing each app on the company’s cloud server to see how it will act on a phone. The launch of Bouncer, which the company actually activated about six months ago, indicated Google was starting to take Android Market security seriously, although it isn’t clear what percentage of malicious applications the scanner will catch.
Concerns about applications such as Google Wallet, though, stem in part from the fact that there are numerous unofficial marketplaces where Bouncer isn’t acting as a filter. Security specialist Bitdefender estimates that a mere 0.5% of malicious applications inhabit Android Market, so Android phones’ ability to download applications from outside sources can introduce security problems to the devices, such as a malicious application that could read a user’s data and potentially gain access to secure information.
With Google Wallet, users who have a Citi Mastercard account can use their smartphones to wirelessly transfer payment to a retailer. The system also allowed shoppers to use a non-Citi card to load money into a prepaid account, although that service has been temporarily suspended by Google until it addresses Wallet security flaws identified last week. The service doesn’t store the credit card information on the device but does store the prepaid card information, even after a user uninstalls Wallet from that phone.
Zvelo, a security research firm, discovered a Wallet flaw last week that could allow hackers to access a Wallet user’s personal identification number, or PIN, even if the personal information had been cleared from the device. The hack applies only to phones that are rooted, or modified to give an advanced user access to administrative controls. Rooting is an inherently risky process and Google had already cautioned against installing Wallet on rooted phones.
Then, a blogger identified only as The Smartphone Champ figured out how to hack Wallet on non-rooted phones. This method doesn’t even require hacking skills. A thief only needs to access the phone’s application settings and reset to the default settings, clearing the existing PIN and forcing Wallet to request a new one when the service is launched. The deposited prepaid funds are then free for the hacker to spend.
Osama Bedier, Vice President of Google Wallet and Payments, announced the suspension of the prepaid service in a blog post on the company site.
It’s an embarrassment for the company, and more than a little worrying, that such an easy hack was found for a relatively new service, although the newness of the service, of course, also means that the company has time to tighten Wallet before it reaches a wider audience. Nexus S 4G, offered by Sprint, is currently the only phone that Wallet will work on, limiting early adopters. The list of stores that can accept the payments is growing but still consists of a rather small grouping, including Walgreen (NYSE:WAG), Home Depot (NYSE:HD), and Macy’s (NYSE:M).
Google is a large corporation with numerous products, and security issues are obviously inevitable. Bouncer seems a case of “too little too late,” but it at least should give Android Market customers a bit more confidence in the security of its apps. And the quick actions on Google Wallet also suggest the company will succeed in the NFC mobile payment arena once the kinks are worked out.