# Google Wallet and security (rethink root?)



## Veridor (Jun 10, 2011)

Recently I've seen much discussion about the security model of Android and root, especially when t comes to something like the recent Google Wallet vulnerability. Also, as everyone has probably heard, CM9 apparently is going to have root as optional in the future.

What are your thoughts on this? I have a hard time giving up root because of apps like Titanium Backup and Cerberus (yes, I know, the latter doesn't NEED root, but it does give added functionality), but I also want to keep my information secure. On the other hand, custom ROMs rock! I know having an unlocked bootloader and root are not necessarily mutually exclusive, but you do need the former for custom ROMs, right?

So with that in mind, if I can flash unsigned packages in recovery (i.e., an unlocked bootloader), then if someone had access to my phone, they could still flash a root package even if I wasn't rooted at the time. Even running stock recovery isn't sufficient, as you can just use fastboot to push a new recovery image.

What I'm getting at is, do you think non-rooted gives that much more security if you're running a custom ROM + unlocked bootloader? I say no, but wanted to pick some others' brains on this as I was listening to Phil Nickinson from Android Central on this week's "All About Android" podcast on TWiT, and he was discussing whether root is really needed in light of the GWallet fiasco.


----------



## Jubakuba (Sep 8, 2011)

Well...
The average person finds a phone.
Picks it up.
OMG LULZ FREE PHONEZ!
DOEZ IT CAN HAZ NUDE PITURZ?

I HIGHLY doubt anyone would even know it's rooted.
Let alone attempt to exploit Google Wallet.
OMG FREE 7-11 COFFAAEEE!

If *I **were* a thief...however, I'd imagine I'd pick it up.
Omg. No SU access.
Boot into fastboot. Pull gallery files. (Assuming the noob locked it via pin or something) And lul at any win pictures.
Either that or flash my own rom and enjoy a new phone.
Nothing I have ANY worry about, to be honest.

And +1 for cerberus.
If my phone is gone...I'll remote lock that fucker.
And then take as many pictures/videos/gps locations as I can.
Obviously: end up finding phone.

Edit:
Never thought about it...
But I guess the FIRST thing would be to boot into recovery and wipe system and data. Thus no remote tracking. Even if the phone didn't boot in that state.
So...there goes any potential threat.


----------



## ERIFNOMI (Jun 30, 2011)

Solution: make sure you can remote wipe your phone. All these serious problems seem to involve someone physically having access to your phone. I'd notice my phone was lost very quickly, and a quick wipe would fix that.


----------



## Mustang302LX (Jun 28, 2011)

The most common thing if you lost your phone or had it stolen is going to be someone keeps it for themselves as stated or it will hit eBay/Craigslist for a quick buck.


----------



## suburban78 (Dec 11, 2011)

I add funds to wallet with a walmart pre-paid card and never more then $40 at a time so if it did get exploited, I wouldn't care. It would be different if you linked a CiTi bank card to it with access to lots of money! Even then, one quick call to the bank and problem solved.


----------



## ERIFNOMI (Jun 30, 2011)

suburban78 said:


> I add funds to wallet with a walmart pre-paid card and never more then $40 at a time so if it did get exploited, I wouldn't care. It would be different if you linked a CiTi bank card to it with access to lots of money! Even then, one quick call to the bank and problem solved.


Banks usually cover theft. I imagine it would be the same for Google wallet considering they're official partners.


----------



## iPois0n (Jan 12, 2012)

Someone needs to make a remote self destruct app. That way if you lose your phone you can remotely self destruct by frying the cores or flash drive. That would be saweet!

Sent from my Galaxy Nexus using Tapatalk


----------



## DHO (Nov 6, 2011)

iPois0n said:


> Someone needs to make a remote self destruct app. That way if you lose your phone you can remotely self destruct by frying the cores or flash drive. That would be saweet!
> 
> Sent from my Galaxy Nexus using Tapatalk


Seekdroid/Cerberus is pretty close. Nuke system/SD/brick it. GPS to find it


----------



## ERIFNOMI (Jun 30, 2011)

DHO said:


> Seekdroid/Cerberus is pretty close. Nuke system/SD/brick it. GPS to find it


Just to let you guys know, Android doesn't let apps turn GPS on anymore. It'd be nice if some ROM devs added it back in, or a way to white list apps that we want to be able to control GPS (tasker, seekdroid, prey, etc) so at times like this we can activate GPS but not have to keep it on all the time when we're not using it.


----------



## Jubakuba (Sep 8, 2011)

ERIFNOMI said:


> Just to let you guys know, Android doesn't let apps turn GPS on anymore. It'd be nice if some ROM devs added it back in, or a way to white list apps that we want to be able to control GPS (tasker, seekdroid, prey, etc) so at times like this we can activate GPS but not have to keep it on all the time when we're not using it.


Install it as a system app, budday.

Edit:
Noticed you mentioned Seek Droid.
I can't comment on if it's been updated recently (doubt it) but I couldn't get seek droid to turn GPS on.
Cerberus works flawlessly as a system app.


----------



## ERIFNOMI (Jun 30, 2011)

Jubakuba said:


> Install it as a system app, budday.
> 
> Edit:
> Noticed you mentioned Seek Droid.
> ...


It would still be a nice feature. I don't use seekdroid but I know a lot of people do. If it's possible to allow it to turn GPS on, I with use it as I got it when it was the free app of the day. But there are other apps that would be nice like tasker, then I could effectively allow whatever apps I want to turn GPS on.


----------



## Veridor (Jun 10, 2011)

Thanks to all for the feedback so far. You seem to underscore my point that having root or not isn't the issue it's being made out to be. You still have to authorize the app request for root privileges via Superuser.

As anyone in IT will tell you, if you lose physical security, you've lost the security battle already.

Re: Cerberus, it can't do remote wipe without root privileges, if I'm not mistaken.


----------



## Veridor (Jun 10, 2011)

suburban78 said:


> Banks usually cover theft. I imagine it would be the same for Google wallet considering they're official partners.


True, but having to deal with the hassle of a drained bank account is no fun, even if you get your money back. For convenience,I'd just use Paypal to reload the Google prepaid card to limit direct exposure of a debit/credit card.

Sent from my Galaxy Nexus using RootzWiki


----------

