HCE Secure Element in the Cloud is pie in the sky

Stefan Heaton’s blog piece “The reason Mobile myki isn’t available on iPhone… yet” is all the proof you need that Google inspired endless nonsense and confusion with Android Pay Host Card Emulation (HCE). This was shortly after the NFC “secure element” wars were over, with the mobile-carrier-locked SIM card secure element losing out to the embedded secure element (eSE) on the smartphone NFC chip. Google’s network-connection-dependent HCE “secure element in the cloud” strategy for Android seemed like it would solve everything and free NFC from the evil clutches of mobile carrier SIM lock-in contracts and the cost of eSE hardware. Except that it didn’t. It’s eSE or nothing now.

So why is Heaton spouting HCE support nonsense for MIFARE myki on Apple Pay when Android myki doesn’t even use HCE? He incompetently confuses HCE with a hardware secure element, when HCE actually means a virtual secure element hosted in the cloud or in an app. People who should know better have been sowing confusion ever since.

myki is MIFARE, which has never used HCE. HCE is an EMV payment solution for credit cards on Android devices without a hardware secure element. Ditto for FeliCa, which Google Pay users outside Japan assumed would work for Suica until they found out HCE-F is fakeware that nobody uses, not even Google, and lost their minds. As FeliCa Dude pointed out, “HCE-F is not useful for card emulation…because the API has been needlessly crippled.” Good luck with that.

What nobody has said, and I think it’s worth pointing out, is that the Android Pay to Google Pay shift was also a break with HCE and with Google pretending to provide a ‘free’ secure element strategy for all Android licensees (ahem, see Google’s “Android Ready SE” alliance).

Google is now focused on Pixel hardware and their own Google Pay eSE strategy; all other Android licensees and manufacturers be damned to find their own solutions for MIFARE, FeliCa, Calypso and so on. I guarantee you that, in time, Google will be jumping through most, if not all, of the same security hoops that Apple does for Google Pay on the Google Pixel platform.

So yes, Apple does limit NFC Secure Element (in Apple Silicon) access with PassKit NFC certificates. But Apple Pay MIFARE is real MIFARE used around the world, and Apple Pay FeliCa is real FeliCa. Public Transport Victoria (PTV) can apply for a myki card PassKit NFC certificate just like any developer. And for goodness’ sake, Stefan, stop writing sentences that confuse Express Mode payment cards (EMV credit/debit cards) with regular Express Mode transit cards (FeliCa, MIFARE, PBOC). Suica is not a credit card, and emulating EMV at a transit gate doesn’t automatically make a credit card into an Apple Pay Suica transit card, not by a long shot. If your aim is promoting open loop over closed loop, that’s one thing. Either way, your LinkedIn blog post is not doing your LinkedIn resume any favors.
