Analyzing the Security of Cloud-Based Payment Apps on Android

White Paper

Since Google enabled host card emulation (HCE) based solutions at the end of 2014, many banks have adopted this technology for cloud-based payments. HCE is an evolution of the smart card payment technology standardized by EMVCo. An HCE app on the mobile phone uses the near field communication (NFC) interface to emulate a payment card and utilizes the existing EMV payment network. Being a fully software-based solution, HCE can run on any phone with an NFC interface, which includes most Android phones.


Since the hardware security of the host CPU inside a smartphone is much weaker than that of a smart card, an HCE app running on the phone must provide additional security. HCE partially relies on protocol features enabled by the always-on network connection. A further level of security is needed and can be achieved by hardening the app itself.


In this paper, we study the use of security features at a large scale by analyzing all HCE apps in the Google Play Store. Although we refrain from evaluating the security strength of individual apps, we can judge the overall state of HCE security and the priority the payment industry gives it.