Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.
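The passage above describes two gates that sit between the card read and the release of a decryption key: the server checks the integrity and authenticity of the data it receives, and it checks that the read is no older than 60 seconds. As an added illustration (not Apple's code and not taken from the APS document), here is a minimal server-side version of that gate in Python. The device ids, the keys, the envelope layout and the HMAC-SHA256 construction are all assumptions made for the example; the 60-second window is the one the quote states.

```python
import hmac
import hashlib
from dataclasses import dataclass

FRESHNESS_WINDOW_SECONDS = 60  # window stated in the quoted APS text

# Hypothetical per-device keys. In the real system these live on Apple's
# servers; the values here are constructed for the example only.
DEVICE_AUTH_KEYS = {"device-A": b"constructed-auth-key-for-device-A"}
DEVICE_DATA_KEYS = {"device-A": b"constructed-data-key-for-device-A"}


@dataclass(frozen=True)
class ReadEnvelope:
    """What the payment service provider forwards to the key server (assumed layout)."""
    device_id: str
    read_time: int        # Unix seconds the device recorded for the card read
    ciphertext: bytes     # encrypted card data, opaque to this check
    tag: bytes            # HMAC-SHA256 over device_id, read_time and ciphertext


def _mac_input(device_id: str, read_time: int, ciphertext: bytes) -> bytes:
    # The timestamp is covered by the tag, so a forwarding party cannot
    # refresh a stale read by editing read_time.
    return device_id.encode() + b"|" + str(read_time).encode() + b"|" + ciphertext


def seal_read(device_id: str, read_time: int, ciphertext: bytes) -> ReadEnvelope:
    """Device side (hypothetical): authenticate the encrypted read before it leaves the device."""
    key = DEVICE_AUTH_KEYS[device_id]
    tag = hmac.new(key, _mac_input(device_id, read_time, ciphertext), hashlib.sha256).digest()
    return ReadEnvelope(device_id, read_time, ciphertext, tag)


def release_key(env: ReadEnvelope, now: int):
    """Server side: return (decryption_key, reason). The key is None whenever a check fails."""
    key = DEVICE_AUTH_KEYS.get(env.device_id)
    if key is None:
        return None, "unknown device"

    # Gate 1: integrity and authenticity, compared in constant time.
    expected = hmac.new(key, _mac_input(env.device_id, env.read_time, env.ciphertext),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env.tag):
        return None, "integrity/authenticity check failed"

    # Gate 2: freshness. Reject reads from the future as well as stale ones.
    age = now - env.read_time
    if age < 0:
        return None, "read time is in the future"
    if age > FRESHNESS_WINDOW_SECONDS:
        return None, f"stale read ({age}s > {FRESHNESS_WINDOW_SECONDS}s)"

    return DEVICE_DATA_KEYS[env.device_id], "ok"


if __name__ == "__main__":
    env = seal_read("device-A", 1_000_000, b"constructed-ciphertext")
    print(release_key(env, 1_000_030))   # inside the window: key released
    print(release_key(env, 1_000_061))   # one second too late: refused
```

The order of the checks matters: the authenticity check runs first, so a replayed or edited envelope is refused before the timestamp is even consulted, and the timestamp itself is inside the authenticated data.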

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use. The same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money? Apple seems confused about it, just like Express Mode vs Express Transit) and ID in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly like what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode, with double-click + authentication required to show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps”.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time if you have any interest in Apple Pay and Wallet.

WWDC22 Wish List

It is hard to be enthusiastic about this year’s WWDC when Apple’s entire integrated software/hardware business model is coming under attack. With so much distraction these days there’s not much of a wish list, just a few observations for Apple Pay, Apple Maps and Text Layout.

Apple Pay
First up of course, is Apple Pay. After Jennifer Bailey’s WWDC21 appearance where she announced home keys, hotel keys, office keys and ID for iOS 15 Wallet, and the separate Tap to Pay on iPhone press release in January, I don’t think Jennifer will be in the WWDC22 keynote. She’s not going to appear just to explain that Apple Pay is not a monopoly, that’s Tim’s job with CEO level pay grade, and it’s unlikely she’s going to appear just to recap details of what’s already been announced.

Bailey’s job is to announce new features, and after the big iOS 15 rollout of new Wallet features and Tap to Pay on iPhone I don’t think there’s anything really new. And it’s not her job to announce new frameworks, that’s what the sessions are for. Things that I have been wishing for these past few years include an easier, more open NFC Pass certification process and/or new frameworks for developers to access the secure element for payments or use Tap to Pay on iPhone. There needs to be a clearer path for developers who want to use the secure element for payments (Wallet) or iPhone as payment terminal (Tap to Pay on iPhone).

Apple needs to open up the NFC/Secure Element Pass certification process and clarify the process

The only possible ‘new’ Apple Pay Wallet feature I can think of is the long in the works Code Payments. It has been lurking in the iOS shadows since iOS 13, so long that Apple legal inserted official mention in a recent Apple Pay & Privacy web page update: “When you make a payment using a QR code pass in Wallet, your device will present a unique code and share that code with the pass provider to prevent fraud.” If Apple Pay delivers native device generated QR code payments without a network connection, just like all Apple Pay cards to date, it would be quite a coup, but by itself probably not worth a Jennifer Bailey appearance. Other future goodies like passport in Wallet or ID in Wallet for other countries are too far out to mention, at least in the iOS 16 time frame.


Apple Maps
The only new Apple Maps feature that suggests itself is AR enhanced ‘Look Around’ indoor maps for stations. That’s the conclusion after examining the current (February ~ May 2022) backpack image collection in Tokyo, Osaka, Kyoto and Nagoya. It is highly focused on stations, and stations such as Shinjuku, Tokyo, Shibuya, Ikebukuro, etc., are mostly underground, surrounded by densely packed, extensive maze-like malls.

This means Apple image collection in Japan is going indoors for the first time, likely at pre-arranged times when people are scarce. This is hard to do at a place like Shinjuku station as multiple companies collectively manage the entire site (JR East, Odakyu, Keio, Seibu, Tokyo Metropolitan Bureau of Transportation, Tokyo Metro, just to name a few).

Apple needs something new with indoor maps as the current incarnation is inadequate for stations. As Google Maps Live has shown in Tokyo station, AR walking guidance is a good fit for indoor maps that navigate users through intricate, information dense underground station mazes, though Google’s version has its problems. New and improved, AR enhanced “Look Around” style indoor station maps with walking directions that seamlessly guide users from transit gate to final destination would be far more useful than they are now.

Recent image collection suggests Indoor Station Maps might be coming in iOS 16

Overall, I am not optimistic that Apple Maps in Japan can become a top tier digital map service. The local 3rd party map and transit data suppliers that Apple depends on to make up the bulk of the Japanese service are decidedly not top tier. Old problems remain unfixed. In the case of the main Japanese map data supplier things have deteriorated.

Increment P (IPC) was 100% owned by Pioneer but was sold to Polaris Capital Group in June 2021 with a new CEO (ex Oracle Japan) who quickly changed the name to GeoTechnologies Inc. Under management led by the hedge fund Polaris Capital Group, the company has been busy inflating the number of cushy company director positions, never a good sign, and pushing out shitty ad-ware apps like Torima. The focus is leveraging assets, not building them.

Apple’s Japanese map problem can only be fixed by dumping low quality GeoTechnologies for a top quality digital map supplier like Zenrin (the amateurish UK backed Open Street Map effort in Japan is not worth serious consideration) or Apple aggressively mapping Japan themselves. Apple has not pursued either option: the image collection effort in Japan is leisurely and limited, its use remains restricted to Look Around. Until this changes, expect more of the same old fundamental Japanese map problems in iOS 16 and beyond. Apple Maps is a collection of many different service parts. Some evolve and improve, some do not. Let’s hope for a good outcome with the data Apple is collecting for indoor station maps.


Apple Typography TextKit 2 migration
WWDC21 saw the unveiling of TextKit 2, the next generation replacement for the 30 year old TextKit, older than QuickDraw GX even, but much less capable. TextKit 2 marked the start of a long term migration with most of TextKit 2 initially ‘opt in’ for compatibility. We’ll find out how much of TextKit 2 will evolve to default on with an ‘opt out’. There are holes to fill too: the iOS side didn’t get all the TextKit 2 features of macOS such as UITextView (multiline text), some of the planned features like NSTextContainer apparently didn’t make the final cut either. We should get a much more complete package at WWDC22. Once the TextKit 2 transition is complete, I wonder if a Core Text reboot is next.


watchOS 9 Express Cards with Power Reserve?
Mark Gurman reported that watchOS 9 will have “a new low-power mode that is designed to let its smartwatch run some apps and features without using as much battery life.” While this sounds like Express Cards with Power Reserve (transit cards, student ID, hotel-home-car-office keys) and it might even mimic the iPhone feature to some degree, it will not be the real thing. Power Reserve on iPhone is a special mode where iOS powers itself down but leaves the lights on for direct secure element NFC transactions. iOS isn’t involved at all.

Real Power Reserve requires an Apple silicon design that supports the hardware feature on Apple Watch, it cannot be added with a simple software upgrade. Until that happens, a new watchOS 9 low-power mode means that watchOS still babysits Express Cards, but anything that gives us better battery life than what we have now is a good thing. We’ll find out later this year if Apple Watch series 8 is the real Power Reserve deal.

Enjoy the keynote and have a good WWDC.

State of Suica 2022

Now that the 1st wave of Suica 2 in 1 card launches is complete, it’s a good time to review the ‘State of Suica’. And it’s always interesting to examine the cultural differences too, when it comes to labeling trends as ‘good’ or ‘bad’. Westerners for example invariably say, what’s the point of having so many Suica card flavors? It’s a waste, better to have just one. It’s a classic double standard, professing to want one thing but insisting that life should revolve around a single kind of credit card. Japanese don’t seem to care much as the culture is adept at ‘振り分け’: this thing for doing this, that thing for doing that. And the region affiliate users getting Suica for the first time seem pretty excited, and all Suica varieties work the same for transit and e-Money purchases.

As of now we have the following plastic Suica card flavors beside the regular Suica available at station kiosks: Rinkai Suica, Monorail Suica, Welcome Suica and Suica Light. On the Mobile Suica side we have: Osaifu Keitai, Apple Pay, Google Pay, Fitbit Pay and Garmin Pay, along with branded Mobile Suica for Rakuten Suica and au Suica on Osaifu Keitai and Mizuho Suica on iOS. Last but not least we have 11 new Suica 2 in 1 Region Affiliate Transit cards that are the keystone of JR East’s MaaS strategy.

What exactly are the differences? It comes down to commuter passes or points. For Suica 2 in 1 cards specifically, it is both. This is a small but very important difference. All the other non-regular Suica outside 2 in 1 come with specific features and limitations. Rakuten and KDDI au users can recharge those Suica with those outside point systems but they can’t add commute plans. Welcome Suica expires in 28 days, Rinkai and Monorail Suica exist for commuter passes and nothing else, and so on.

Suica 2 in 1 doesn’t have limitations and does more than any other Suica: it can hold 2 different commuter passes (one from JR East, one from the region affiliate) and it supports 2 different point systems: messy JRE POINT which is an optional account setup manually linked to the Suica card number, and local government subsidized region affiliate transit points which are automatic and stored on the card itself. The only thing the user needs to do is use the appropriate card for transit to earn and use transit point discounts.

In a mobile payment era where everybody is distinguishing themselves with increasingly complex reward point schemes, the simplicity and flexibility of Suica 2 in 1 transit points, think of it as locally processed transit point stored fare, can go places that old Suica cannot. Imagine how many more people would use Suica transit in Tokyo if it came with transit point discounts. There are other 2 in 1 features not yet supported by regular Suica: disabled and elderly transit user discounts. These are coming to Tokyo area plastic issue Suica, and PASMO too, this October though I suspect those won’t come to Mobile Suica until it gets an upgrade.

Mobile FeliCa hasn’t been updated to the next generation ‘Super Suica’ FeliCa SD2 architecture yet, but once updated we should see Suica 2 in 1 on mobile and new Suica features, along with more Suica 2 in 1 Region Affiliate cards. All in all the new Suica 2 in 1 card format tells us where JR East wants to go.

There are some interesting numbers from the JR East FY results. All things transit took a huge hit in FY 2021 from the COVID pandemic, Suica included, but are now recovering though still below pre-COVID transaction levels. Another surprise is the popularity of Eki-Net eTickets: a 39% usage rate is not bad for a service that only started in March 2020. One of the smarter things JR East did with Eki-Net eTicket discounts is making them simple and available to all Eki-Net users and credit cards. The JR Central EX system has 2 different Shinkansen eTicket tiers (EX-Press and smartEX) with larger EX discounts limited to select credit cards.

There are lots of things that JR East needs to do long term: more Suica day passes, Mobile Suica recharge that is available 24/7, phasing out legacy mag stripe ticketing and UWB touchless transit gates. In the short term we have Cloud Suica and Mobile ICOCA coming online in March 2023, the end of the current fiscal year. At the very least it should be an interesting time for JR West ICOCA users, and one more nail in the PiTaPa coffin.


The Weekly

2022-05-14 Early Rainy Season

Will Pixel Watch finally deliver global NFC Google Pay?
Ever since Apple made global NFC standard on all iPhone and Apple Watch models in 2017, global NFC has become a litmus test of ultimate Apple-like user friendliness. When inbound devices can add Suica, it’s not only cool, but also necessary to get around. Garmin and Fitbit wearables do the global NFC thing, but Android remains stubbornly ‘buy a Japanese smartphone to do the Suica FeliCa thing.’

In the global NFC sweepstakes then, every Google Pixel release cycle is a game of ‘will they or won’t they’ finally deliver global NFC. Actually Pixel is already global NFC with Mobile FeliCa ready to go, but Google disables it on all non-Japanese Pixel models.

Which brings us to Pixel Watch, which got a sneak peek at Google I/O 2022. The buzz on Japanese Twitter was basically: I want one, but not if it doesn’t have Suica support. Fair enough, I bet a lot of people are thinking that and not only in Japan. After all, Hong Kong users would love having a Pixel Watch that supports Octopus.

The good news is that Suica appears to be coming to Google Pay for Wear OS. Various Suica strings have appeared in recent Google Pay APKs. This is expected: it would certainly be very awkward if Pixel Watch doesn’t support Suica when Fitbit devices do.

But this begs a bigger question. Wouldn’t it be extremely awkward if Pixel 7 doesn’t support Suica out of the box when Pixel Watch does? I would say so. But then again one hopes the Android Ready SE Alliance is working to fix all that, and do away with Android HCE nonsense once and for all.


Digital My Number on track for Android 2022 launch, Apple Wallet due in 2023
The Ministry of Internal Affairs and Communications (MIC) digital version of My Number Card (Individual Number Card) is on track to launch in 2022 (October-ish?). The latest MIC Work Group PDF document has a full outline of the digital My Number system and the various services the Japanese government plans to link with it. In late 2020 MIC said they were ‘in discussions’ with Apple to bring digital My Number to Wallet and this has not changed. Nikkei reporter Mayumi Hirosawa saw a chance to grab some eyeballs and published, The My Number iPhone Wall, a typical Nikkei ‘article’ of lazy, subjective, puerile observations angled as big bad Apple, but nothing new.

Meanwhile Yasuhiro Koyama’s online article on Keitai Watch is far more interesting and informative. MIC official Takashi Uekariya, the go-to My Number digital guy, says the MIC and Apple are ‘working hard’ to bring digital My Number to Apple Pay Wallet, and that because Apple locks down new iOS features far in advance, timing wise it looks like iOS 17 in fall 2023 is the likely target for My Number on Apple Wallet. It would be nice though if Apple could surprise us later on in the iOS 16 release cycle; it’s always good to raise the bar and deliver above expectations.

Looking at the larger picture, MIC documentation clearly states that My Number digital card requires a GlobalPlatform embedded Secure Element (GPSE) device, and that except for a small amount of SIM Free Android junk, most smartphones sold in Japan (both Apple and Android) are GPSE certified. An interesting sidelight is that ‘FeliCa chip’ Osaifu Keitai Android devices will support My Number NFC-B transactions. Going forward that means nobody in Japan will buy a device without a GPSE that doesn’t support My Number digital card and the associated banking services that will link to it. Kiss HCE goodbye.


The JR East paper ticket booklet replacement problem has a solution: Suica 2 in 1 transit points
It might seem like a great idea for JR East to migrate the legacy paper ticket bundle (the good old buy 10 and get one free) to Suica…but there’s this little problem of JRE POINT. Repeat Point Service has the same basic concept, 10 trips on the same route in the same month earn you a free trip in JRE POINT. Unfortunately, setting up a JRE POINT account is a pain in the ass, and getting the points back into Suica balance is a huge pain in the ass. For Mobile Suica there’s JRE POINT app + Suica app + Suica Pocket. For plastic Suica there’s JRE POINT app + a visit to the local station kiosk. It’s way beyond the ability of elderly transit users who just want to save on expenses.

Suica 2 in 1 Region Affiliate cards are a much better deal because they have transit points built in. No registration, no setup, just use the transit card and the system does everything for you. Automatically earned points are turned around and automatically used for paying fare. Simple, useful incentive: all one does is use the card for transit and receive a discount in return. This is the way it should be. JR East would be smart if they implemented a similar automatic transit point feature for Tokyo region Suica. JRE POINT is fine for larger, more complex integration such as shopping and Eki-Net ticket purchase, but integrated, invisible transit points for discounted regular transit would fill a big post-Covid need. I guarantee people would start riding the rails again after the long pandemic pause.

Apple removes region requirement for Suica, swaps recharge with top up and other updates

Sometimes it takes Apple support pages a while to acknowledge the current reality of iOS. iOS 15 Wallet brought ‘region free’ transit cards with an improved UI that allowed Apple Pay users from anywhere to add transit cards directly in Wallet. Apple support document HT207155 “Add a Suica or PASMO card to Apple Wallet” removed the ‘device region set to Japan’ requirement in an April 29, 2022 update, some 6 months after the iOS 15 release.

‘Region free’ transit cards are not all equally region free however: some transit cards only accept locally issued Apple Pay cards for adding money. This is the case for Hong Kong Apple Pay Octopus and all Chinese T-Union brand transit cards (too many to list). Octopus does offer a surprisingly user unfriendly iOS Octopus for Tourist app for tourists to add Octopus to Wallet, which unfortunately locks in usurious currency exchange rates.

Suica remains the first, and best, truly region free transit card because you can “pay for transit rides and make purchases with just a tap,” and all Wallet payment cards that support in-app payments are good for adding money to Suica (and PASMO).

There are also some interesting tweak updates in the companion support doc: Use Suica or PASMO cards on iPhone or Apple Watch in Japan. The first is Apple going all in with the UK English ‘top up’ as the default English word for adding money to prepaid cards. Why not stick with regional differences? Does Apple want America to become a cultural extension of Great Britain or something? Recharge was used previously in the US doc version, though I suspect most Americans use reload. ‘Top up’ is too quaint UK English for my tastes, sounds like drinking. I’ll stick with recharge.

The other change is an expanded Check the balance section that now includes If your Suica or PASMO card balance doesn’t update, with a link to a fairly new support doc, “If your transit card balance doesn’t update in Apple Wallet.” If there is one common complaint from Suica and PASMO users it is that the sometimes sluggish Apple Pay recharge process, usually due to a poor internet connection, occasionally results in the balance not updating. As the Apple doc states: the truth is always in the recent transactions list.

The last new tweak is a new section: Get a refund for purchases made with your Suica or PASMO. It has good advice that should have been there from Apple Pay Suica launch day, “return the item to the same terminal where you made the purchase before you use Suica or PASMO to make another purchase using Apple Pay.”

Unfortunately Apple failed to update the Use the Suica or PASMO app section, leaving some very outdated and incorrect information. Shinkansen eTicket service in Suica App ended back in March 2020, and Green Car tickets were never available in PASMO app.

I guess they were too busy swapping American English with British English to notice the errors.

Add a Suica or PASMO card to Apple Wallet: no more region settings