Security of Google Wallet

22 09 2011

Just this past Monday, Google released its newest app: Google Wallet.  Google Wallet (GW) is a virtual wallet application for certain Android-based phones.  GW can store your Citi MasterCard information and wirelessly transmit that information when you wish to make a payment.  The technology it relies on is called near field communication (NFC), and is identical to that of the tap-and-go cards that you may see around.  This app currently works only with the Nexus S 4G on the Sprint network; however, Google is planning on bringing this to other phones.[2]

In theory this product sounds like a great idea.  Let’s say you go into the grocery store, pick up a few things and head to the register.  To pay, all you do is launch the app on your phone (which is probably already in your hand) and tap the phone to the tap-and-pay system.  There is no need to search through your pockets or purse looking for cash or cards, and who leaves home without their cell phone?

This all sounds great, but is it secure?  Your phone will be holding and sending all of your credit card information.  So the two biggest places for vulnerability in this system are the storing of the data and the transmitting of the data.  To protect the data while in storage, Google has come up with a special chip to hold the information, which they call the Secure Element.  This chip uses asymmetric key encryption to read and write the data stored within.  Neither the OS nor any application can access this chip.  It is completely separate and secure from the rest of the software.

The only time information can be accessed from this chip is when it comes in range of a near field communication device.  Not only does it have to be in close proximity to the device, but the screen on the phone must be active and a four-digit PIN must be entered.[2]  This authentication system helps prevent hackers from just bumping into your phone to collect the data.

Google has implemented some additional features.  The PIN that is required to send the information has to be reasonably strong.  The top ten codes, such as 1234, 1111 and 0000, are not allowed.  Not only does this help prevent people from guessing, but you only have 5 attempts to enter the PIN before you are locked out.[3]
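The PIN policy described above (a blocklist of common codes plus a five-try lockout) can be sketched as follows. This is an added example, not Google's code: the `PinGate` class, the PBKDF2 storage and the sample PINs are assumptions, and the blocklist holds only the three codes this post names.

```python
import hashlib
import hmac
import os

# Only the three codes named in the post; the rest of the "top ten" is not listed there.
BLOCKED_PINS = {"1234", "1111", "0000"}
MAX_ATTEMPTS = 5  # failed tries allowed before lockout, per the post


class PinGate:
    """Hypothetical PIN check: weak-PIN blocklist at enrollment, retry counter at use."""

    def __init__(self, pin: str):
        if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
            raise ValueError("PIN must be exactly four digits")
        if pin in BLOCKED_PINS:
            raise ValueError("PIN is on the blocklist of common codes")
        self._salt = os.urandom(16)
        # A 4-digit PIN has only 10,000 values, so hashing does not stop an
        # offline search; the retry counter below is the control that matters.
        self._digest = self._hash(pin)
        self.failures = 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False  # once locked, even the correct PIN is refused
        # Charge the attempt before comparing, so an interrupted check still costs a try.
        self.failures += 1
        if hmac.compare_digest(self._hash(attempt), self._digest):
            self.failures = 0  # success resets the counter
            return True
        return False


def guess_success_probability(blocked: int = 10, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that `attempts` distinct blind guesses hit a uniformly chosen allowed PIN."""
    return attempts / (10_000 - blocked)
```

With ten codes blocked and five tries, a blind guesser succeeds about 0.05% of the time, provided the counter cannot be reset or bypassed.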

Google has definitely worked hard to make this system as secure as possible.  They have definitely done some of the correct things, like separating the chip from the OS and not allowing the Android device to have a key.  However, once the credit card information is set, it seems like it is very difficult to change.  Also, the authentication to make a payment sounds fairly secure, but in the wild there are other holes that might not have been thought of.  With this new technology there are bound to be positives and negatives, as well as loopholes the designers haven’t thought of.  The only way to find out more is to put it in the wild and see how it fares.


  1. Bradley, Tony. “Google Wallet Security Has a Weakness | PCWorld.” Reviews and News on Tech Products, Software and Downloads | PCWorld. Web. 21 Sept. 2011.
  2. “Google Wallet – How It Works – Security.” Google. Web. 21 Sept. 2011.
  3. Yin, Sara. “Google Wallet: Security Experts Raise Concerns Over PIN Numbers | News & Opinion |” Technology Product Reviews, News, Prices & Downloads | | PC Magazine. Web. 21 Sept. 2011. <,2817,2393246,00.asp>.