This week the Google Wallet team was surprised when two different vulnerabilities were discovered. One hack revealed a user’s PIN number on a rooted phone and the other allowed anyone to reset the PIN and gain access to funds on a Google Wallet prepaid card.

Google quickly responded to the first hack by [...]]]>

This week the Google Wallet team was surprised when two different vulnerabilities were discovered. One hack revealed a user’s PIN number on a rooted phone and the other allowed anyone to reset the PIN and gain access to funds on a Google Wallet prepaid card.

Google quickly responded to the first hack by saying users should not use Google Wallet on a rooted device, and late last night they also responded to the second hack by saying they would temporarily disable provisioning of prepaid cards.

Many Android users are now questioning if Google Wallet is safe enough for mobile phone payments. Google responded, “The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today.”

I’ve included Google’s full statement they sent me below. It’s nice to see them address the recent issues so quickly, but I’m still wondering what you guys think. Are you comfortable with using your phone for mobile payments?

Over the last few days we've received questions and concerns about issues related to the security of Google Wallet. People are asking if Google Wallet is safe enough for mobile phone payments. The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today.

First, Google Wallet is protected by a PIN — as well as the phone’s lock screen, if a user sets that option. But sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device.

Second, we also take concrete actions to help protect our users. For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon.

And just like with any other credit card, you can get support when you need it. We provide toll-free assistance in case you lose your phone or someone manages to make an unauthorized transaction.

Mobile payments are going to become more common in the coming years, and we will learn much more as we continue to develop Google Wallet. In the meantime, you can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.Osama Bedier, Vice PresidentGoogle Wallet and Payments

Early this morning security frim  Zvelo revealed a hack for Google Wallet that exposed a user’s PIN. Fortunately this vulnerability only affected rooted phones, as Google was quick to point out to The Next Web. Now a second hack has been posted online that works on non-rooted devices and requires no special hacking skills.

Google Wallet has been hacked! Wallet Cracker, an application developed by Zvelo, is able to use brute-force attacks to reveal the Google Wallet PIN number which keeps the application secure. While this vulnerability is as serious as they come, it only affects Android handsets which have been rooted.

As soon as the vulnerability was [...]]]>

Google Wallet has been hacked! Wallet Cracker, an application developed by Zvelo, is able to use brute-force attacks to reveal the Google Wallet PIN number which keeps the application secure. While this vulnerability is as serious as they come, it only affects Android handsets which have been rooted.

As soon as the vulnerability was discovered, Zvelo released its findings to the Google Wallet team who “agreed to work quickly to resolve it.”  We do not know when Google Wallet will be updated to fix the PIN vulnerability, but we suggest you take some additional precautions to make sure your handset is secure just in case it falls into the wrong hands. Those of us who have been victims of credit card fraud know how quickly things can spiral out of control.

Google issued a response to The Next Web that said they are aware of the issue. We don’t know if Google is working on a fix yet, but suggested that users not install Google Wallet on rooted devices.

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.Google

How many of you are currently using Google Wallet on a rooted device?

After much hoopla Google Wallet finally launched on the Nexus S last September, but it was only available on Sprint’s version of the phone and not T-Mobile’s. Then when Verizon announced their Galaxy Nexus, it was soon discovered that they would not support Google Wallet. Verizon claimed that Google Wallet “needs to be [...]]]>

After much hoopla Google Wallet finally launched on the Nexus S last September, but it was only available on Sprint’s version of the phone and not T-Mobile’s. Then when Verizon announced their Galaxy Nexus, it was soon discovered that they would not support Google Wallet. Verizon claimed that Google Wallet “needs to be integrated into a new, secure and proprietary hardware element in our phones” and they were continuing their commercial discussions with Google on the issue.

Thanks to a recent app update, Nexus users on AT&T and Verizon can now install Google Wallet directly from the Android Market. Many users previously obtained a hacked copy or side-loaded it onto their device, but now they can have the comfort of getting the latest official version from Google.

AT&T users with the Nexus S or GSM Galaxy Nexus just need to search for Galaxy Nexus and install it. Those devices are recognized as supported in the Market and it’s a 1-click isntall.

Google Wallet Google Inc. PLAY QR POWERED BY APPAWARE

For Verizon owners of the Galaxy Nexus, the process takes a few extra steps. They need to visit the Android Market website from their browser and then trick their device into installing the official app. It might sound like a little much, but it only takes around one minute to complete.

1. From your phone open the browser and head to http://market.android.com. (Tip:  You may want to clear data and defaults on browser and Market before doing this.)
2. Search for “Google Wallet.” (If your browser prompts you to open the Market, don’t. Just stay in the browser.)
3. When the results come back, tap on the Google Wallet icon.
4. Tap the “Install” button from within the browser and then sign into your Google account. (Again, this is all from the browser, not the Market app.)
5. Once you have signed in, you should be redirected back to the Market page in the browser.
6. Obviously, you will not have the option to install there since the VZW Nexus is not supported.
7. Tap the back button until you are prompted for the Market or Browser again, this time choosing the Market.
8. The Android Market should open to the Google Wallet page with an option to install.

If it doesn’t work right away, just sign out of the Android Market website from your browser and try the steps again. I tried this on my Verizon Galaxy Nexus and it worked on the 2nd try. Previously I had side-loaded an older version of Google Wallet, and the install updated it to the latest version with no problems.

We don’t have a Nexus S or GSM Galaxy Nexus on T-Mobile to test this trick out, but hopefully it works on that device as well. If you happen to have one on hand, let us know if you were able to install Google Wallet from the Market.

At least AT&T is now allowing Google Wallet on some Android phones with NFC, and hopefully Verizon is close to reaching an agreement with Google.

There are two things Android could not live without – development and the Android Market (among other things). There are those few manufacturers that chose not to get approved by Google, and their devices end up being released without the Android Market (or Google Apps, in general). Once developers get in [...]]]>

There are two things Android could not live without – development and the Android Market (among other things). There are those few manufacturers that chose not to get approved by Google, and their devices end up being released without the Android Market (or Google Apps, in general). Once developers get in the game, though, more than one can believe starts becoming possible.

For example, it is now possible to install the Android Market on most of these Google unapproved devices. So far, the Android Market on these builds has only worked via the Market application on the device itself, though.

For Google certified smartphones/tablets, it is possible to install apps directly from the web. Simply head to the Android Market website, select the app, click install, select your device, and boom. Next thing you know, your device already has the app in there. While we can get the Market to work on our non-Google Android devices, installing from the web has been impossible, until recently.

Reports have been attesting to the fact that the Android Market website is now supporting un-certified products that get the Android Market hacked in. Such are mostly tablets, and include the Kindle Fire, the Nook Color, Nook Tablet, older Archos tablets, etc. As you can see in the image to the left, the list of devices displayed includes 3 unofficial devices, even including the HP Touchpad.

This process seems to cause a small (but not massive) issue, though. Reports also claim that when using the Android Market app on one of these devices, there is a problem with the apps that were installed via the website. Apparently, the Android Market app can detect which apps were installed with the app itself, and upon trying to update the ones that were not, the process fails. Nothing that a re-install can’t fix, though.

If you feel like this process would be convenient to one of your hacked devices, go right on and try it out. Don’t forget to sound off in the comments to let us know how this is working for you. We would love to see if many of our readers are able to do this.

As soon as Ice Cream Sandwich is ready to roll out, the Nexus S will undoubtedly be the first device to be updated. (The Galaxy Nexus will be coming out within the next couple weeks, so Android 4.0 should be hitting the Nexus S right around then as well). While two to three weeks doesn’t [...]]]>

As soon as Ice Cream Sandwich is ready to roll out, the Nexus S will undoubtedly be the first device to be updated. (The Galaxy Nexus will be coming out within the next couple weeks, so Android 4.0 should be hitting the Nexus S right around then as well). While two to three weeks doesn’t seem like long to wait, not everyone has that kind of patience. Especially not the Android hacking community.

Available now over in the XDA Developers forums, an Ice Cream Sandwich port has been successfully conjured up for the Samsung Nexus S. There’s no face unlock, some of the icons are missing and there have been some reported issues with data connectivity. But otherwise, things work well. After going through several pages of comments, it doesn’t seem like this port is much of a daily driver. More than anything, it just gives Nexus S owners a look at what’s in store.

For those of you adventurous enough to try this, keep in mind that rooting your device will void your warranty and, though highly unlikely if you follow directions carefully, could brick your device. We take no responsibility for damage to your device caused by the rooting process. To take a look at all the instructions and to download the port, head on over to XDA now.

What do you think? Are you going to wait until ICS is official? Or will you be trying some of the unofficial ports as they come out?

Have you ever held a 10-inch Android tablet and wished for a bigger display? You know, something just a little wider to watch movies on? Android modder Martin Drashkov must have had that dream, because he built an Android device with a 23″ touchscreen.

He calls his creation the MegaPad, and it only cost [...]]]>

Have you ever held a 10-inch Android tablet and wished for a bigger display? You know, something just a little wider to watch movies on? Android modder Martin Drashkov must have had that dream, because he built an Android device with a 23″ touchscreen.

He calls his creation the MegaPad, and it only cost him around $600 to build in his kitchen. Martin thinks the larger display will allow “simultaneous use by two users” and “open up new possibilities that demand different apps.”

Unfortunately the MegaPad is not a portable device, but it does provide a preview of what future Android devices might look like. With new technologies like flexible displays, it might not be long before we see a desktop-sized display that could fit in your pocket.

What kinds of Android apps would you like to see on a touchscreen that big?

The original Motorola Droid had an unlocked bootloader and that device became one of the most popular among the Android open source community, but it comes as [...]]]> Just like the Motorola Milestone, it appears the upcoming Droid X and Droid 2 will have a digitally signed bootloader that will prevent users from flashing custom ROMs.

The original Motorola Droid had an unlocked bootloader and that device became one of the most popular among the Android open source community, but it comes as no surprise that Motorola wants to lock their devices down.

Motorola explained their position in a blog post during the Milestone controversy:

“Securing the software on our handsets, thereby preventing a non-Motorola ROM image from being loaded, has been our common practice for many years. This practice is driven by a number of different business factors. When we do deviate from our normal practice, such as we did with the DROID, there is a specific business reason for doing so. We understand this can result in some confusion, and apologize for any frustration.”Lori FraleighMotodev

I have little doubt that hackers will gain root access to the Droid X and come up with all kinds of cool tweaks, but the encrypted bootloader will be a major hurdle to overcome on the path to custom ROMs. If you like to hack your Android phone and mod it ’til it won’t boot anymore, you might be better off going with HTC or even Samsung at this point.