HCE Secure Element in the Cloud is pie in the sky

Stefan Heaton’s blog piece “The reason Mobile myki isn’t available on iPhone… yet” is all the proof you need that Google inspired endless nonsense and confusion with Android Pay Host Card Emulation. This was shortly after the NFC “secure element” wars were over, with Secure Element on SIM cards losing out to eSE (embedded Secure Element) on smartphone chips. Google’s HCE secure element in the cloud approach for Android (and Android only) seemed like it would solve everything, except that it didn’t. It’s eSE or nothing now.

So why is Heaton spouting Google HCE support on Apple Pay nonsense? He takes HCE to mean a hardware secure element when it actually means an Android Pay HCE virtual secure element hosted in the cloud or by an app. People who should know better have been sowing confusion ever since. Myki is MIFARE, which has never been compatible with HCE. Neither is FeliCa, which Google Pay users outside Japan assumed would work for Suica until they found out HCE-F is fakeware that nobody uses, not even Google, and lost their shit. As FeliCa Dude pointed out, “HCE-F is not useful for emulating existing FeliCa cards because the API has been needlessly crippled.”

What nobody has said, and I think it’s worth pointing out, is that the Android Pay to Google Pay shift was also a break with HCE and with Google providing, or pretending to provide, a secure element strategy for all Android licensees. Instead, Google is focused on Pixel and their own eSE, all other Android licensees and manufacturers be damned and left to find their own solution. I guarantee you that, in time, Google will be doing most, if not all, of the same security hoops that Apple does now, for Google Pay card emulation (not host card emulation) for Google Pixel platform eSE access.

So yes, Apple does limit NFC Secure Element (implemented in the A and S Series) access with PassKit NFC certificates. But Apple Pay MIFARE is real MIFARE, and Apple Pay FeliCa is real FeliCa. Public Transport Victoria (PTV) can apply for a myki card PassKit NFC certificate just like any developer. And for goodness’ sake Stefan, stop writing sentences that confuse Express Transit payment cards (EMV credit/debit cards) with regular Express Transit cards (FeliCa, MIFARE, PBOC). Suica is not a credit card and emulating EMV at a transit gate doesn’t automatically make a credit card into an Apple Pay Suica transit card, not by a long shot. If your aim is promoting open loop over closed loop, that’s one thing. Either way, your LinkedIn blog post is not doing your LinkedIn resume any favors.