Proof-of-concept video shows a very specific Android credit card vulnerability

Sep 13, 2023

Summary

  • Android’s App pinning feature has a potential flaw that could expose credit card information in a highly-specific scenario.
  • For this flaw to be exploited, a user would need to enable a particular combination of settings and have an app pinned and then closed on their device, then an attacker would need physical access.
  • Google has classified this issue as high severity and has included a patch in the September 2023 security update for Android, but users can disable the settings if they are unable to update their devices.


The digital age has ushered in unprecedented convenience, transforming the way we transact, communicate, and even work. At the heart of this transformation are smartphones, the quintessential devices where we store a trove of sensitive information. Yet, with this convenience comes the ever-pressing issue of security.

Recently, concerns have surfaced about Android’s App pinning feature due to a potential flaw that might reveal credit card information under specific settings. Before reacting, it’s essential to delve into the details of this issue and the steps taken to address it.

App pinning, which isn’t automatically turned on for Android devices, lets users lock an app on the display and prevent access to other apps. The concern arises when users enable the feature, turn on the “Ask for PIN before unpinning” option under Settings → Security & privacy → More security settings → App pinning, and also enable “Require device unlock for NFC” under Settings → Connected devices → Connection preferences → NFC. If all of these criteria are met and a user’s Google Wallet contains a credit/debit card set for NFC in-store transactions, this configuration can become a gateway for unintended exposure.

As reported by 9to5Google, once these settings are aligned, an individual armed with a suitable NFC reader tool could trigger a locked Android device to reveal full credit card details with just a tap. To put concerned users at ease, it’s essential to note that this loophole doesn’t enable unauthorized payments. Its risk lies in the exposure of credit card details, as demonstrated in a proof-of-concept video.

For this loophole to be effective, an app must have been pinned and then closed. The vulnerability remains active only until the user unlocks and locks the device again. Given the string of very specific requirements, the chances of users encountering this issue are relatively slim. Nonetheless, the potential for exposing sensitive information cannot be dismissed.

Aware of the severity of this issue, Google has already sprung into action. The tech giant has classified the problem as “high” in severity, with a remedial patch included in the September 2023 security update for Android versions 11 through 13. For those using devices that no longer receive security updates or are operating on older Android versions, there’s a straightforward solution: simply disable any or all of the above-mentioned settings.

While it’s heartening to see that Android’s September 2023 security patch is available to manufacturers, with brands like Samsung already rolling it out to numerous devices, Google Pixel users were expecting this fix to arrive with a September release of Android 14. However, that update is facing an unforeseen delay, and Google has yet to issue September’s security update to Android 13 users.

As digital technology advances, security hurdles are bound to appear. Yet, by staying updated and acting on expert advice, users can mitigate many of these concerns. This situation underscores the importance of proactive steps, collective alertness, and timely company action in upholding user safety.