The security firm tested the application on a rooted handset - a mobile phone whose operating system has been modified in order to change the (privacy) settings - and discovered that sensitive data is stored in SQLite databases. SQLite is a serverless database engine which stores data unencrypted. The stored data includes credit card balances, limits, expiration dates, names, locations and transaction dates.
Google responded by releasing a statement: 'This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers.'
VF agreed Google does a 'decent job' by securely storing full credit card numbers and that a PIN is needed to authorise payments. However, VF's report came only days after Verizon, the largest telecom provider in the US, demanded on 7 December that Google disable its Mobile Wallet application in the forthcoming edition of the latest Galaxy Nexus smartphone. Verizon cited 'security concerns' as the main reason.
Published previously in E-Finance & Payments Law & Policy, December issue. CPP. Copyrights apply. Picture: infotech.bplaced.net