We store a lot of sensitive information on our smartphones, which is why security is key. A loophole in Android, though, has allowed access to credit card details with the right NFC hardware, but Google is actively delivering a fix.
As detailed on GitHub, a security issue that has been assigned the identifier CVE-2023-35671 affects Android devices and allows access to full credit card details through NFC devices like the popular Flipper Zero tool.
The issue, which affects all Android devices running Android 5.0 and higher, is a loophole that relates to Android’s “Screen Pinning” tool, which allows users to lock an app on screen until a PIN is entered. When Screen Pinning is enabled, with the “Ask for PIN before unpinning” option turned on and “Require device unlock for NFC” turned on, this loophole can expose your credit card information. This requires Google Wallet to be holding a credit/debit card that is set up for in-store NFC payments.
Under these conditions, someone with an appropriate NFC reader tool can trigger a locked Android phone to divulge full credit card details with a tap. The loophole doesn’t allow payments to be made, but exposes the full credit card details as shown in the proof-of-concept video below.
Given the very specific circumstances in which this happens, it’s very unlikely anyone has run into trouble with it, but it’s a very concerning loophole nonetheless. Thankfully, Google is already well aware of the problem, and has marked the issue as “high” in severity. A fix is included with the September 2023 security patch for Android versions 11 through 13.
If you’re on a device that is no longer receiving security patches or stuck on an older version of Android, preventing the issue is as simple as disabling the Screen Pinning feature in your device’s Settings menu.
Notably, Screen Pinning is not enabled by default.
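For anyone auditing a fleet of devices over adb, the following added helper (not from the article or from Google) checks the two Screen Pinning preconditions described above and whether the device already carries a September 2023 or later security patch level. It assumes the hidden AOSP setting keys `system/lock_to_app_enabled` (Screen Pinning on) and `secure/lock_to_app_exit_locked` (“Ask for PIN before unpinning”); the NFC-unlock toggle and the Wallet card state are not readable through `settings get`, so an EXPOSED result means “precondition present”, not a confirmed leak.

```shell
#!/bin/sh
# Added audit helper for the CVE-2023-35671 precondition (not the article's code).
# Setting keys below are assumed from AOSP's hidden Settings constants.

# True when Screen Pinning is on AND "Ask for PIN before unpinning" is on.
# Arguments are the raw strings `settings get` prints: "1", "0" or "null".
pinning_exposed() {
  [ "$1" = "1" ] && [ "$2" = "1" ]
}

# True when the security patch level (YYYY-MM-DD) is 2023-09 or later,
# i.e. it includes the September 2023 fix described in the article.
patched() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-*) ;;   # well-formed date only
    *) return 1 ;;
  esac
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; m=${m#0}   # drop leading 0 (octal)
  [ "$((y * 100 + m))" -ge 202309 ]
}

# Verdict for one device: FIXED, EXPOSED or SAFE-CONFIG.
# args: <lock_to_app_enabled> <lock_to_app_exit_locked> <security_patch_level>
assess() {
  if patched "$3"; then echo FIXED
  elif pinning_exposed "$1" "$2"; then echo EXPOSED
  else echo SAFE-CONFIG
  fi
}

# Live query of the connected device (requires adb and USB debugging).
audit_device() {
  assess "$(adb shell settings get system lock_to_app_enabled | tr -d '\r')" \
         "$(adb shell settings get secure lock_to_app_exit_locked | tr -d '\r')" \
         "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}

# Only touch a real device when invoked as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_device; fi
```

An EXPOSED device that cannot receive the patch should have Screen Pinning disabled in Settings, as the article recommends.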
The September 2023 security patch is currently available to all Android makers, with Samsung having rolled out the update to many devices. Google Pixel devices were expected to get the patch with Android 14, but that’s been unexpectedly delayed.