Second Google Wallet security vulnerability confirmed, affects all users

Discussion in 'other security issues & news' started by ronjor, Feb 9, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    http://www.theverge.com/2012/2/9/27...-security-vulnerability-confirmed-affects-all
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Thanks, Ron :thumb:

    More

    Demo of the PIN issues here
     
    Last edited: Feb 9, 2012
  3. BrandiCandi

    BrandiCandi Guest

    :thumb:
     
  4. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.wired.com/gadgetlab/2012/02/google-wallet-hack/
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Google Wallet restores prepaid cards, patches re-provisioning security hole
    More
     
  7. BrandiCandi

    BrandiCandi Guest

    Thanks for the post! I think theverge.com updated that story after you posted it.

     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If I were using Google Wallet I would definitely root and set up SELinux.

    I don't know why they think rooting is unsafe. If malware wants root access it has to ask me for it via SU. If malware is going to root my phone it won't matter anyways. Having root means I can remove attack surface manually (I used to make custom ROMs and they would be very stripped down) and it means I can control things at a much lower level. I can also update unofficially, which is nice.

    Because of rooting my phone I didn't have to worry about that one HTC Sense information leak that was discovered - I'd removed Sense a while ago.
     
  9. BrandiCandi

    BrandiCandi Guest

    Well I'm forced to ask a stupid question. I know a normal non-rooted phone user has no root privileges. When you root an Android, are you then running as root? Or do you become a user with rights to elevate to root temporarily with a password?
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    All I could offer is what I found on Wikipedia
     
  11. BrandiCandi

    BrandiCandi Guest

    Thanks siljaline. I suppose rooting a phone is something disallowed by the forum policy. To be clear, I'm not interested in discussing HOW it's done, I'm interested to know what the security ramifications are if it IS done. I assume that is a discussion allowed, mods please correct me if I'm wrong.

    This is all the info I could glean from Wikipedia:
    So that makes it sound like if someone were to root a phone, they would be running as root. They would then have to install the superuser app which would be a more limited user with rights to temporarily elevate.

    My whole point is this: it's dangerous to run anything exposed to the internet as root because by definition everything is allowed to run. But if you're a limited user that can temporarily elevate with a password, then your security is much higher. Whichever one you are when you run a rooted phone informs your security risks. Can anyone shed light on this?

    That being said, the quote from theverge.com in my last post indicates that there is a security risk for Google Wallet even to phones not rooted.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    @BrandiCandi I have read your additional queries and am researching them - more as I know more.

    Thanks.
     
  13. BrandiCandi

    BrandiCandi Guest

    Thanks siljaline! I'll post back if I find anything as well.
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    In the interest of everyone knowing these emerging technologies and threats to them: Rooting - a beginner's guide for Android-based devices.
     
    Last edited: Feb 19, 2012
  15. x942

    x942 Guest

    When rooted on Android you have the same controls as a "sudoer" on a normal Linux box. You choose what can elevate and what cannot (this is done via the GUI app called SuperUser). People often confuse this with jail-breaking an iPhone (where all apps are elevated to root by default).

    So as long as you don't give permissions to random apps you are fine. Also, stick with the market for apps, not third parties (with the sole exception of XDA-Developers).
     
  16. BrandiCandi

    BrandiCandi Guest

    Thanks siljaline & x942- that answers my question!
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Just FYI. Portrait of Superuser. I crammed a bunch of details onto the settings screen shot.
    Superuser.png

    When an application requests superuser permission when it runs for the first time, a new entry is created. When an application runs, a tiny notification is displayed saying that such-and-such requested superuser permission, so that's how it gets watched.

    Can it be hacked? Can anything not be hacked? :)
     
  18. BrandiCandi

    BrandiCandi Guest

    Very interesting- thanks.

    What I take away from that is it's basically up to each individual how the superuser gets access on their rooted phone.
     
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272