What you need to know
- Recent findings have unveiled a loophole in Android, particularly with Google Wallet.
- Cards linked to the wallet risk exposing themselves if NFC and App pinning features are enabled.
- Google is said to be aware of the issue, and the recent September 2023 security patch for Android devices might have fixed it.
- The Pixel phones, however, are yet to receive the security patch.
Android screen pinning, aka app pinning functionality, is a nifty feature that lets users pin specific apps (via apps overview) on their screens. However, a recent security vulnerability has revealed that this feature can put your credit/debit cards at risk if linked to your Google Wallet.
A recent Github finding (via 9to5Google) has revealed a possible way to get your card details linked to Google Wallet through a general-purpose NFC reader (Flipper Zero, in this case). The finding suggests this is due to a logic error in the code when the device resides in lock screen mode — with app pinning enabled — and the NFC turned on. The risk is significant as user interaction isn’t necessary for this exploitation.
The Github member used a Google Pixel 7 Pro with App Pinning enabled and “Ask for Pin before unpinning” turned on. At least one card has to be linked to Google Wallet. Additionally, NFC has to be enabled with the “Required device unlock for NFC” option allowed.
In this state, the phone is vulnerable as pointing a POS (Flipper Zero in this case) at the back of the Pixel 7 Pro could read the card’s data (including card number expiry date) that was registered in Google Wallet.
Image 1 of 2
This makes it possible for anyone with an NFC reader, like