Say your precious Galaxy Nexus gets stolen, and the person who ends up with it decides to download some apps from the Play Store. Your credit card information is right there for them to use, because you are most likely already signed into your Google account on the device. Google has added a security feature to the Play Store to help prevent this: in the Play Store's settings you can set up a PIN that must be entered before changes to your account, including purchases, go through. But there is a flaw in it. The PIN is stored locally on your device, so anything that wipes the app's local data wipes the PIN along with it. Looks like Google pulled a big oops on that one.
Luckily, XDA Recognized Themer zanderman112 has written up the issue over on the XDA forums so everyone can be made aware of it. As the themer says:
On the Play Store app, you can choose to add a PIN number and make this PIN be required to make purchases.
This is a good idea, as we don't want anyone charging our credit cards or carrier bills if our device gets lost/stolen.
However, there is a flaw in this. The aforementioned PIN number is stored locally on the device, whilst the credit card info is connected to your Google account, and obviously your carrier billing options are stored online.
All someone has to do to be able to make purchases on a supposedly secure Play Store is go to Settings > Applications > All > Google Play Store and click Clear data. No more PIN.
That is quite a security hole, don't you think? It makes that USSD exploit found recently look minor. At least the issue has been reported to Google, and we hope to see a Play Store update coming in the next few days that fixes this problem for us.
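The underlying design mistake is that the thing being protected (the billing instrument) lives in the Google account server-side, while the check that protects it lives in app data on the handset, where anyone holding the phone can delete it. The following Python model is an added illustration, not code from the XDA post or from Google; the class names, the PBKDF2 hashing in the hardened variant, and the PIN and account values are all constructed for the example. It contrasts a client-side PIN gate that a "clear data" wipes with a server-side gate that stores the PIN verifier next to the account, so clearing the app's local storage changes nothing.

```python
import hashlib
import hmac
import os

# Constructed model of the flaw described above: the purchase PIN is kept in
# the app's private data on the device, while the credit card is attached to
# the Google account. Clearing the app's data removes the PIN and nothing else.


class LocalPinStore:
    """Client-side purchase gate: the PIN hash lives only in app data."""

    def __init__(self):
        self.app_data = {}  # stands in for the app's private storage on the phone

    def set_pin(self, pin):
        self.app_data["pin_hash"] = hashlib.sha256(pin.encode()).hexdigest()

    def clear_app_data(self):
        # Settings > Applications > All > Google Play Store > Clear data
        self.app_data = {}

    def purchase(self, pin_entered):
        stored = self.app_data.get("pin_hash")
        if stored is None:
            return True  # no PIN configured, so the purchase goes through
        entered = hashlib.sha256(pin_entered.encode()).hexdigest()
        return hmac.compare_digest(stored, entered)


class AccountServer:
    """Server-side purchase gate: the PIN verifier is stored with the account,
    in the same place as the card, and checked on every purchase request.
    (Hypothetical hardened design, not what the Play Store shipped.)"""

    def __init__(self):
        self.accounts = {}  # account_id -> {"salt": bytes, "pin_hash": bytes}

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, account_id, pin):
        salt = os.urandom(16)
        self.accounts[account_id] = {"salt": salt, "pin_hash": self._hash(pin, salt)}

    def purchase(self, account_id, pin_entered):
        rec = self.accounts.get(account_id)
        if rec is None:
            return True  # account never set a PIN
        return hmac.compare_digest(rec["pin_hash"], self._hash(pin_entered, rec["salt"]))


class ServerBackedClient:
    """Thin client: the device account stays signed in (the Google account is
    held by the OS, not by the Play Store app), but the PIN check is remote."""

    def __init__(self, server, account_id):
        self.server = server
        self.account_id = account_id
        self.app_data = {"cache": "..."}  # nothing security-relevant stored here

    def clear_app_data(self):
        self.app_data = {}

    def purchase(self, pin_entered):
        return self.server.purchase(self.account_id, pin_entered)


def demo_local_pin_bypass():
    """Returns (blocked_before_clear, allowed_after_clear)."""
    store = LocalPinStore()
    store.set_pin("4321")
    blocked = not store.purchase("0000")   # wrong PIN is refused
    store.clear_app_data()                 # the thief clears the app's data
    bypassed = store.purchase("0000")      # no PIN left to check
    return blocked, bypassed


def demo_server_pin_holds():
    """Returns (blocked_before_clear, blocked_after_clear, allowed_with_pin)."""
    server = AccountServer()
    server.set_pin("user@example.com", "4321")  # constructed account id and PIN
    client = ServerBackedClient(server, "user@example.com")
    blocked = not client.purchase("0000")
    client.clear_app_data()                # clearing local data changes nothing
    still_blocked = not client.purchase("0000")
    allowed = client.purchase("4321")
    return blocked, still_blocked, allowed


if __name__ == "__main__":
    print("local PIN  (blocked, bypassed after clear):", demo_local_pin_bypass())
    print("server PIN (blocked, still blocked, ok):   ", demo_server_pin_holds())
```

The point the model makes is the usual one about client-side enforcement: a check that can be removed by the party it is meant to stop is not a check. In the hardened variant the device can be wiped, reflashed or replaced and the account's PIN requirement survives, because the verifier is where the protected asset is.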
For additional information and to discuss the issue, check out the original thread over on XDA for the complete details. You should also put a passcode or PIN on your phone's lock screen. That adds an extra layer of security to your device and gives you more peace of mind.