The past few days there has been a lot of press around the fact that the Google Wallet Pin was cracked on rooted android phones. Lots of people including computer programmers and technologists (who should frankly know better) have reacted to this by posting messages/comments equivalent to: “rooting is bad”, “rooting causes security holes” etc etc etc… Guess they have forgotten the simple rule of computer security: “physical access is total access”, basically it means that if I have physical access to a device I can get full access to it eventually.
This fact was demonstrated it quite nicely by the news that you don’t really need to root your phone to get your pin hacked, all you need to do is reset the application data.
The problem in both cases is caused by the fact that the Google Wallet’s pin is stored locally on the phone itself instead of online so if you can get access to it you can bruteforce it or if you clear the app data it removes the pin and lets you choose another.
One way of fixing the second issue would be to force the phone to link to the internet after the local cache is cleared to sync the pin with the online secure server instead of just letting a user choose a new one. The fix for the first case is a lot harder because you can’t have a wallet that requires the phone to be connected to the web everytime you use it, and if you store it locally then you are just asking for trouble.
Another way would be for the receiving side to validate the pin sort of line how we do it for credit cards but that doesn’t seem too feasible either. Or we could salt the pin with the user’s account info/do a dual encryption, first one requires the pin to unlock the second one requires the account password.
Now if I can come up with such solutions then I am sure the people at Google and the various banks working on this issue will come up with other more secure options. Its not the end of the world. yet. This is a new technology and like all new tech it has its teething issues and I am looking forward to the final fixed product.