A strange and very specific flaw with Android’s ‘App Pinning’ tool could allow someone to gain access to full credit card details stored on a device.
Android’s App Pinning tool, which lets users lock an app on their phone’s screen unless a PIN is entered, is at the heart of the flaw. When the feature is turned on, it also enables an option that requires device unlock for NFC. That, combined with the user having a credit or debit card set up for in-store NFC payments with Google Wallet, creates a loophole that could potentially expose the card information.
With the above conditions met, someone with an NFC reader tool, such as the Flipper Zero, can trigger a locked Android phone to share full credit card details via NFC with just a tap. The loophole doesn’t allow for payments to be made, however.
Google has already acknowledged the issue and included a fix with the September 2023 security patch for Android versions 11 through 13. Unfortunately, people with devices on older versions of Android or devices that no longer get security updates may remain exposed to the flaw.
It’s worth noting, however, that there are several moving pieces to the security issue and people can take steps to mitigate their risk. First, disabling the Screen Pinning feature should provide ample protection. Screen Pinning is turned off by default on Android, so if you’ve never turned it on, you’re likely already safe.
Screen Pinning can be disabled by going to Settings > Security & privacy > More security & privacy > App pinning. (Note that the exact location may differ depending on manufacturer customizations or Android version. You can also use the Settings app search function to find it.)