Discussion in 'other security issues & news' started by ronjor, Feb 9, 2012.
Demo of the PIN issues here
From CNET | Google Wallet disables prepaid card use following latest hacks
Google Wallet restores prepaid cards, patches re-provisioning security hole
Thanks for the post! I think theverge.com updated that story after you posted it.
If I were using Google Wallet I would definitely root and set up SELinux.
I don't know why they think rooting is unsafe. If malware wants root access it has to ask me for it via SU. If malware is going to root my phone it won't matter anyways. Having root means I can remove attack surface manually (I used to make custom ROMs and they would be very stripped down) and it means I can control things at a much lower level. I can also update unofficially, which is nice.
Because of rooting my phone I didn't have to worry about that one HTC Sense information leak that was discovered - I'd removed Sense a while ago.
Well I'm forced to ask a stupid question. I know a normal non-rooted phone user has no root privileges. When you root an Android, are you then running as root? Or do you become a user with rights to elevate to root temporarily with a password?
All I could offer is what I found on Wikipedia
Thanks siljaline. I suppose rooting a phone is something disallowed by the forum policy. To be clear, I'm not interested in discussing HOW it's done, I'm interested to know what the security ramifications are if it IS done. I assume that is a discussion allowed, mods please correct me if I'm wrong.
This is all the info I could glean from Wikipedia:
So that makes it sound like if someone were to root a phone, they would be running as root. They would then have to install the superuser app which would be a more limited user with rights to temporarily elevate.
My whole point is this: it's dangerous to run anything exposed to the internet as root because by definition everything is allowed to run. But if you're a limited user that can temporarily elevate with a password, then your security is much higher. Whichever one you are when you run a rooted phone informs your security risks. Can anyone shed light on this?
That being said, the quote from theverge.com in my last post indicates that there is a security risk for Google Wallet even to phones not rooted.
@BrandiCandi I have read your additional queries and am researching them - more as I know more.
Thanks siljaline! I'll post back if I find anything as well.
In the interest of everyone knowing these emerging technologies and threats to them: Rooting - a beginner's guide for Android-based devices.
When rooted on Android you have the same controls as a "sudoer" on a normal Linux box. You choose what can elevate and what cannot (this is done via the GUI app called SuperUser). People often confuse this with jail-breaking an iPhone (where all apps are elevated to root by default).
So as long as you don't give permissions to random apps you are fine. Also, stick with the market for apps, not third parties (with the sole exception of XDA-Developers).
Thanks siljaline & x942 - that answers my question!
Just FYI. Portrait of Superuser. I crammed a bunch of details onto the settings screen shot.
When an application requests superuser permission when it runs for the first time, a new entry is created. When an application runs, a tiny notification is displayed about such-and-such requested superuser permission, so that's how it gets watched.
Can it be hacked? Can anything not be hacked?
Very interesting - thanks.
What I take away from that is it's basically up to each individual how the superuser gets access on their rooted phone.
Yes, I think so.
There are very few applications which require root access. Apps which must have root access say so on the market's description and often in name. I'd be suspicious of any other.
Here's just one example of a list of, and advice on, those that must have root, or should have root for extra features to work: