What you need to know
- Recent findings have unveiled a loophole in Android, particularly with Google Wallet.
- Cards linked to the wallet risk exposing themselves if NFC and App pinning features are enabled.
- Google is said to be aware of the issue, and the recent September 2023 security patch for Android devices might have fixed it.
- The Pixel phones, however, are yet to receive the security patch.
Android screen pinning, aka app pinning functionality, is a nifty feature that lets users pin specific apps (via apps overview) on their screens. However, a recent security vulnerability has revealed that this feature can put your credit/debit cards at risk if linked to your Google Wallet.
A recentĀ Github findingĀ (viaĀ 9to5Google) has revealed a possible way to get your card details linked to Google Wallet through a general-purpose NFC reader (Flipper Zero, in this case). The finding suggests this is due to a logic error in the code when the device resides in lock screen mode ā with app pinning enabled ā and the NFC turned on. The risk is significant as user interaction isn’t necessary for this exploitation.
The Github member used aĀ Google Pixel 7 ProĀ withĀ App PinningĀ enabled and “Ask for Pin before unpinning” turned on. At least one card has to be linked to Google Wallet. Additionally, NFC has to be enabled with the “Required device unlock for NFC” option allowed.