Google Wallet stores unencrypted data on a rooted device, according to research firm ViaForensics. They ran a test on Google Wallet’s security, noting it properly stores passwords, but fails to encrypt the entire credit card number, balance, card limit, transaction dates, locations and even your card’s expiration date. That puts you at risk for credit card fraud, should a malicious attack access this information. It’s a major concern for Google Wallet’s service, as it’s among the first to truly leverage NFC technology on Android.

“The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers,” a Google spokesman was quoted in a CNET article. “Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.”

It’s important to note that at least one security issue has been addressed by an update since Google was alerted to ViaForensics’ findings.