Some Google Wallet users have been tapping at the tills only to find that they aren't able to pay because of a security issue. This is happening despite those users saying that they haven't rooted their device or even tampered with the bootloader.

[Image: the Google Wallet security pop-up. Credit: u/Norci / Imgur]

A number of complainants across Reddit have had the above prompt appear on their unmodified Google Pixel and Samsung Galaxy devices. Supposed quick fixes like clearing the Play Store app's cache don't seem to have helped anyone. Users who remove their cards from Google Wallet may find themselves unable to add them back.

There is one credible but vague theory that could explain this, but to lay it out we first need to explain what the error message is actually reporting.

Previously, when using Google Pay for mobile payments, a device would perform a check using the SafetyNet Attestation API to make sure it wasn't compromised in ways that would make transmitting sensitive charge card information especially risky. In practice this primarily means verifying that the bootloader is locked; modders on custom ROMs have had to find ways to patch various other bits and pieces to make sure the phone passes this check. If the device passes the check, the payment attempt goes through. If it fails, the above prompt is generated.

Google, however, plans to deprecate the SafetyNet Attestation API by 2024 in favor of a new API called Play Integrity. But while that timeline gives third-party developers plenty of time to learn and comply with the new rules, the company seems only too eager to move ahead with its own apps. Esper Technical Editor Mishaal Rahman has tracked patch project comment threads signaling that Google Wallet (the rebadged old Google Pay app with the core tap-to-pay functionality, not the new Flutter-based GPay app focused on rewards) is one of the apps that has switched from SafetyNet to Play Integrity as its payment-time security check. One caveat: a colleague of ours reports that his Galaxy S22 Ultra running the old Google Pay app is also affected.
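To make the pass/fail check described in the two paragraphs above concrete, here is an added example (not Google's, Google Wallet's or any real app's code) of how a relying party's server evaluates a decoded Play Integrity verdict. It assumes the integrity token has already been decrypted and signature-verified (normally via Google's server-side decode endpoint), so only the JSON verdict payload is handled here; the field and verdict names follow the documented Play Integrity layout, while the package name `com.example.wallet`, the nonces, timestamps and the function names are constructed for illustration. The point it shows is that the relying party only ever sees the verdict list: an unmodified device that the service misjudges comes back with an empty `deviceRecognitionVerdict`, which is indistinguishable from a genuinely unlocked bootloader, so the payment is refused in both cases.

```python
"""Evaluate a decoded Play Integrity verdict the way a relying party's server would.

Constructed example, not Google's or Google Wallet's code. It assumes the token
has already been decrypted and verified, leaving the JSON verdict shown below.
Field and verdict names follow the documented Play Integrity verdict layout; the
sample payloads, package name and function names are constructed.
"""

# Labels the API can place in deviceIntegrity.deviceRecognitionVerdict.
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # our freshness policy, not an API constant


def evaluate_verdict(payload: dict, expected_package: str, expected_nonce: str,
                     now_ms: int, require: str = DEVICE) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); each reason names one failed check."""
    reasons = []
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})

    # 1. The token must have been minted for this app and for this request.
    if req.get("requestPackageName") != expected_package:
        reasons.append("package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign token)")

    # 2. Stale tokens are rejected; timestampMillis is a string in the verdict.
    try:
        age = now_ms - int(req.get("timestampMillis", "0"))
    except ValueError:
        age = MAX_TOKEN_AGE_MS + 1
    if not 0 <= age <= MAX_TOKEN_AGE_MS:
        reasons.append("token too old or from the future")

    # 3. The binary must be the one Play recognizes.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"app not recognized: {app.get('appRecognitionVerdict')}")

    # 4. Device verdict. The list is empty when the device fails every level,
    #    which is exactly the result that surfaces as the Wallet pop-up.
    verdicts = dev.get("deviceRecognitionVerdict", [])
    if require not in verdicts:
        reasons.append(f"device verdict {verdicts or '[]'} lacks {require}")

    return (not reasons, reasons)


def sample_payload(device_verdicts, nonce="c29tZS1yYW5kb20tbm9uY2U",
                   ts_ms=1_700_000_000_000):
    """Constructed decoded verdict for the hypothetical package com.example.wallet."""
    return {
        "requestDetails": {"requestPackageName": "com.example.wallet",
                           "nonce": nonce, "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.wallet",
                         "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
                         "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_verdicts)},
    }


def demo():
    """Run three constructed scenarios through the relying-party check."""
    now = 1_700_000_000_000 + 30_000  # 30 s after the tokens were minted
    cases = [
        ("healthy", sample_payload([BASIC, DEVICE])),
        # An unmodified device the service nonetheless scores as failing every
        # level: the server cannot tell this from a real unlocked bootloader.
        ("misjudged", sample_payload([])),
        ("replayed", sample_payload([BASIC, DEVICE], nonce="c3RhbGUtbm9uY2U")),
    ]
    for name, payload in cases:
        ok, why = evaluate_verdict(payload, "com.example.wallet",
                                   "c29tZS1yYW5kb20tbm9uY2U", now)
        print(f"{name:9s} -> {'PAY' if ok else 'REFUSE'} {why}")


if __name__ == "__main__":
    demo()
```

The `require` parameter is where an app's policy lives: a payment app that insists on `MEETS_STRONG_INTEGRITY` (hardware-backed attestation) will refuse devices that only reach the device level, so tightening that setting is one plausible way a previously working phone starts seeing the pop-up without any change on the user's side.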

SafetyNet and Play Integrity maintain key roles in providing just-in-time security checks for numerous other processes.

Of note here is RSA Security's SecurID Authenticator app which faced a problem with its v4.1.5 release last week. In a community forum bulletin, RSA notes that it had migrated away from SafetyNet to Play Integrity for its checks and received a handful of reports from users saying that their devices were incorrectly detecting a "rooted/jailbroken" state, preventing them from using the app. RSA said it would work with Google to resolve the problem before it issued a v4.1.6 release on Friday — that update went public yesterday.

It's been speculated that this matter could be related to the Google Wallet failed checks, though it's not exactly clear what factors are causing Play Integrity to raise its flags in error. We've reached out to Google for comment.

Thanks: Armando