Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with to the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode with the double-click + authentication required for show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps“.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time is you have any interest in Apple Pay and Wallet.

In the Apple Pay monopoly debate context is everything

John Gruber did everyone a favor outlining some of the stakes at play in the remarkably glib, “Remarks by Executive Vice-President Vestager on the Statement of Objections sent to Apple over practices regarding Apple Pay.” The objections are annoyingly vague and refuse to specify how Apple Pay stifled competition and innovation:

(The) Digital Markets Act will…require companies designated as gatekeepers to ensure effective interoperability with hardware and software features they use themselves in their ecosystems. This includes access to NFC for mobile payments.

Today’s case addresses a conduct by Apple that has been ongoing since Apple Pay was first rolled out in 2015 <sic, 2014 actually>. This conduct may have distorted competition on the mobile wallets market in Europe. It prevented emergence of new and innovative competition that could have challenged Apple.

Mark Gurman and Jillian Deutsch at Bloomberg also did everybody a favor unmasking PayPal as one of the instigators behind the EU Commission Apple Pay investigation. Yes, that PayPal…the financial service that snuffs out user accounts whose politics they don’t like, or worse just seizes their money.

Both pieces miss important context surrounding the debate however…and with this issue context is all, especially how Apple Pay is playing out in other global markets. Most of what follows I’ve covered in earlier posts but hope to pull the various issues together in one post. Yet again, we kickoff with an updated Apple Pay diagram.

‘Open’ NFC, gatekeepers and secure element wars
Europe has been calling Apple Pay unfair since the very beginning, with many EU member banks holding out as long as they could. German banks only joined Apple Pay in December 2018 when Vestager was already actively seeking Apple Pay complaints. Less than a year later Germany passed a bill to force Apple to ‘open’ their NFC chip. Australian banks tried the same in 2017.

The so called Apple ‘NFC chip’ is not a chip at all but a hardware/software sandwich. The Apple Pay ecosystem described in iOS Security is a collection of tightly integrated polished pieces: Secure Element, Secure Enclave, NFC Controller, Wallet and Apple Pay Servers, all wrapped into a slick, easy to use UI with a final security wall of ‘secure intent’, a double-click side button hot-wired to the Secure Element. This approach has been so successful that people divide mobile payments history into pre-Apple Pay and post-Apple Pay eras.

NFC has been on Android far longer than iPhone, and ‘open NFC’ at that, but is far less successful capturing mobile payment users than Apple Pay. This is because Android device manufactures made the classic mistake of taking the ‘let’s take awesome NFC technology and figure out how we’re going to market it’ approach. Jennifer Bailey’s Apple Pay team choose the hyper focused Steve Jobs approach of starting with the customer experience and building backwards while asking: “what incredible benefits can we give the customer, where can we take the customer?” That choice made all the difference.

Apple Pay has a very simple rule: any card that loads a Java Card applet into their embedded secure element (eSE) has to reside in Wallet app. The maximum number depends on how many Java Card applets it can hold at any one time, the previous limit was 12, the iOS 15 Wallet limit is 16 cards. Developers have two ways to access iPhone NFC: 1) Core NFC framework for NFC operations that don’t use the secure element, 2) Secure Element pass certificates for NFC operations that need secure element transactions (payments, keys, ID, passes). Any developer who wants to run applets in the eSE has to apply for a PassKit NFC/Secure Element Pass Certificate. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

The end to end user experience, the whole reason behind the success of Apple Pay. But this gatekeeping is what riles banks and financial service providers who want to load their applets into the secure element without the Apple Pay gatekeeping, without the Apple Pay ecosystem and without the Apple Pay commission. They want to do their own transactions with their own app for free. This is what the EU Commission means when Vestager says: “Evidence on our file indicates that some developers did not go ahead with their plans as they were not able to to (sic) reach iPhone users.” It should read: when they were not able to reach iPhone users for free. Either the developer didn’t apply for a Secure Element Pass, didn’t pass the certification process, balked at Apple’s certification conditions, or couldn’t agree on Apple Pay commission rates.

Secure element gatekeeping is not new, it is an essential part of the secure element system:

A Secure Element (SE) is a microprocessor chip which can store sensitive data and run secure apps such as payment. It acts as a vault, protecting what’s inside the SE (applications and data) from malware attacks that are typical in the host (i.e. the device operating system). Secure Elements handle all sorts of applications that are vital to our modern digital lives…

Mobile Payments
Here, the Secure Element securely stores card/cardholder data and manages the reading of encrypted data. During a payment transaction it acts like a contactless payment card using industry standard technology to help authorize a transaction. The Secure Element could either be embedded in the phone or embedded in your SIM card.

Lifecycle management
It’s crucial that SE-embedded devices are secure throughout their lifecycle. That’s why Secure Elements need to have an end-to-end security strategy. It’s no use developing a robust security solution for a device which becomes obsolete after a period of use. This is why Secured Elements can be updated continuously to counter new threats.

What is a secure element?

Few people, especially a PayPal or EU Commission vice president, discuss the crucial secure element lifecycle management aspect. It’s not convenient for them to say the secure element ‘gatekeeper’ is responsible for keeping it secure. Far more convenient for their arguments to omit this, portray gatekeeping as unnecessary and gatekeepers as evil. In the end however, Apple has to maintain secure element updates from the various licensed secure element providers (EMV,FeliCa Networks, MIFARE, and so on) if secure payments are going to work at all This is what people who say, ‘it’s my device, we should be able to use NFC how we want,’ do not understand.

People also forget that nothing is free, you get what you pay for. With Apple Pay as gatekeeper, users get simplicity, innovation and feature updates. Simplicity: users get NFC they can use out of the box without Android-like NFC complexity such as secure element positions and obscure express mode settings.

Innovation: Apple Pay has features like Global NFC. iPhone and Apple Watch are the only smart devices that come with FeliCa built in as standard to use in Hong Kong or Japan, while Android limits functionality by market region. It’s astounding that Android, not even Google Pixel Android, has matched this basic functionality yet. We’re seeing more innovation as Ultra Wide Band (UWB) extends Wallet functionality to include ‘Touchless’ car keys and eventually, UWB enhanced automatic card selection as you approach the reader; more helpful than you might think.

Feature updates that, ‘just work’: the recent seamless Apple Cash switch from Discover to VISA, PBOC 2.0 flavored China T-Union transit cards, MIFARE Student ID, or the addition of in-app purchases and dual mode NFC for Japanese VISA card users when VISA JP finally buried the hatchet with Apple.

And the lesson? Apple Pay changed everything in the Japanese payments market, a catalyst that opened up competition and payment choices, for everybody. All boats rose together. It’s one of the most vibrant payment markets that Apple Pay operates in.

Japan is key to understanding what’s really going on in the Apple Pay monopoly debate. Japan was the first market with an established mobile payment platform in place, long before mobile EMV contactless payments took off in Europe. iPhone also has a much larger marketshare in Japan than it does in Europe. It’s a shame people pass up the opportunity to learn from the successes and failures here.

So what’s the EU Committee vision for ‘open NFC’? I think it’s a rehash of the secure element wars when carriers locked mobile payment services to SIM contracts. In 2013 Google incorporated SimplyTapp HCE (Host Card Emulation ‘secure element in the cloud’) technology as a NFC ‘workaround’ to ‘free’ NFC from the evil clutches of mobile carriers. Sound familiar? Android NFC has never been right since.

How little things change, swap ‘evil mobile carriers’ for ‘evil Apple’ and you have the same self serving ‘open’ vs ‘closed’ NFC chip nonsense that people are debating today. FeliCa Dude, the ultimate industry insider who has experienced it all, said it best: ‘It’s all eSE or nothing now.’

And yet we now have Île-de-France Mobilités (IDFM) turning back the clock, circumventing the eSE on NFC equipped Android devices and going all in with HCE for IDFM’s Smart Navigo service for Android. To me this says all you need to know what European priorities are regarding the ‘open NFC’ model: eliminate eSE gatekeepers by forcing the less secure network dependent HCE as a required option. Good luck with that. From a transit perspective, based on Mobile Suica user experiences, I don’t think HCE Smart Navigo will be a smooth ride.

The EU Committee ‘open NFC’ vision might look ideal…to Apple Pay competitors. Regular users however, will have to deal with the ugly reality of multiple NFC apps, multiple NFC secure element modes and clashing updates that cancel out NFC services. Apple Silicon eSE space is limited to 16 cards. If that sounds like a lot now, wait until you have credit cards, transit cards, home, car and office keys and ID installed along with ‘open’ NFC apps wanting their own eSE space too. Services will be squeezed out forcing the user to intervene. If the EU Committee thinks this environment fosters competition and innovation while growing mobile payment use, dream on.

Japanese tech journalist Junya Suzuki has covered NFC mobile payment developments in Europe, America and Japan for over 2 decades. He doesn’t think the EU is playing an even hand here, in his opinion Samsung and Huawei would never face the scrutiny that Apple now faces. In typical European cultural fashion, EU motives pay lip service to fair open markets while playing an underhanded game of chess to make Apple do what EU banking interests want Apple to do. In other words, a double standard.

What does Apple need to do?
I’ve always said that Apple needs to make the Secure Element Pass application process as transparent as possible. Keeping the blackbox NDA process as it is now makes Apple Pay a target, increasingly difficult to defend the status quo. Secure Element access on the level of Core NFC is a long shot, the very definition of a secure element means there has to be a developer certification process similar to EMVCo, FeliCa Networks, MIFARE, Calypso Networks Association, etc., that protects the privacy and business interests of all parties. But it would be great if there is a middle way where Apple can securely open things up for iPhone as a digital wallet, and iPhone as a payment terminal. We’ll see if Apple has anything to say about the subject at WWDC22.


Recommended reading: Ruimin Yang’s wonderfully detailed analysis, “Apple Pay monopoly, are we really comparing ‘Apples’ with ‘Apples?“outlines the entire Apple Pay system architecture, how it compares to other digital wallet platforms, (Google Pay, Samsung Pay) and what ‘open vs closed’ means in the ‘Apple Pay is a monopoly’ debate.

The digital wallet service suspension front line

That was quick. When I made the above table for mobile wallet chokepoint, there was no indication we’d get EMV confirmation so quickly. Many were quick to applaud sanctions against Russia to stop the war with Ukraine, and while stopping war is always the right thing to do, hurting citizens is never the right thing to do. Turning off basic digital wallet services should give people pause. What is easily done in one place can be easily done anywhere.

It’s also not clear cut how it is being done. Is Apple turning off select Russian bank services in Wallet or turning off select payment applets in the Apple Pay secure element, or turning off Wallet for Russian Apple ID users? Most likely the first but there’s no way to be sure and there is no way that Apple or Google will ever tell us.

Long lines at Moscow Metro transit gates are not so clear cut either. Open loop isn’t standard on all transit gates, most them being Troika transit card only, and according to a Twitter follower, physical Troika card only, not Google Pay/Samsung Pay Troika which only rolled out recently. If so this suggests the (so far only one) picture of long lines could be due to Troika system issues instead of Apple Pay/Google Pay/Samsung Pay, hacking, or something else.

VISA and mastercard soon followed and cut their services in Russia. Many people in Japan noted how easily all this happened and expressed their distrust, saying they would think twice about using digital wallet services from Apple and Google. Many also noted the importance of Japan having it’s own FeliCa technology and FeliCa based e-Money payment network

The value of non-EMV native payment networks controlled and operated by native companies should be clear to everyone by this point. Always, always have a backup plan. One thing is certain, warfare that attacks basic public service infrastructure like transit and digital wallets, far and away from any front line, is the new ugly reality.

The mobile wallet chokepoint

I ran across an untidy but interesting Twitter thread that mentioned Apple Pay Suica in the larger context of evolving NFC smartphone services.

Suica (Metro card / digital money in Japan) now lets you transfer the card to Apple Pay. Some thoughts about the future of FOBs, cards, and wallets…You use NFC to transfer your Suica by tapping the card with your iPhone, the same way you’d tap to use Apple Pay.

Devices support some kinds of NFC but not others. Until now, you couldn’t tap to use credit cards — it was blocked by the device.

But this is changing! Apple will support card payments now, in an app that IT will make & provide to vendors. This lets Apple compete in new hardware markets: first phones, now point-of-sale, payments, inventory mgmt, etc.

Physical cards are on the way out. But not everyone is on-board. FOBs, subway cards, ID cards, drivers licenses, and building security cards have been slow adopters of mobile. I’d love to copy my building FOB to my phone 😁 There’s nothing stopping me other than that I can’t.

Apple is moving into those markets….Airports, Driver licenses (in 30 / 50 US states). How far this tech goes & the speed of adoption depends on iOS, Android, and the people at ID / security / FOB / card companies adopting the change. They may need help! And there may be startup potential in that space… if anybody is interested!

Twitter thread

The intention was discussing the implications of Apple’s recent Tap to Pay on iPhone announcement, but it stumbled over a rarely discussed but vital point about the extremely slow migration of various physical card services to mobile devices. Why can’t we just load these in Wallet…all the technology is in place right?

The mobile chokepoint is not technology but the backend systems to seamlessly deliver, verify and securely manage individual ‘card’ services (payment cards, transit cards, ID cards, keys, etc.) in digital wallets. Those systems are not up to the job. You can be sure that Apple wants to get iOS 15 ID in Wallet driver licenses out quickly as possible but corralling all those state run systems into a coherent user friendly whole that holds up to the high expectations and massive base of iPhone users eagerly waiting to use it, is a very big challenge. It’s a similar challenge behind every kind of digital wallet service.

This backend weakness is easy to see with transit cards, there are relatively few on mobile with most of the cards exclusive or limited to certain digital wallets like Apple Pay and Samsung Pay. There are special challenges too as a mobile transit card service hosts all the functions of ye olde station kiosk card machine (card issue, adding money, pass renewal, etc.) and more, on the cloud, pushing it out to apps and connecting to digital wallet platforms like Apple Pay.

Despite the challenges, the rewards for going mobile are clear. If there is one lesson Apple Pay proved in Japan with Suica it is that building a mobile foundation early on is key to future success. Mobile laggards like Hong Kong Octopus have paid a heavy price. Unfortunately for regions where transit is operated as a public service instead of a sustainable business, spending money building transit card mobile service systems is often considered an extravagance.

This is why open loop is popular as means to get out of the plastic smartcard issue business and get mobile transit service for free using EMV contactless VISA-mastercard-AMEX payment networks. Like many things in life, free is never free.

Banks have had an easier path to mobile thanks to the strength of EMV payment networks, but only on the payment transaction end. Mobile card issue is another matter up to individual banks. Look at the Apple Pay participating bank list for the United States. The long list didn’t happen overnight. It has taken years for mobile backend systems to be put in place to make this happen.

It’s all about the backend
A sadly overlooked aspect of the Japanese market is the crazy collection of contactless payment options: Suica, iD, QUICPay, WAON, nanaco, Edy, PayPay, LinePay, dBarai, VISA-mastercard-AMEX Touch payments and more. The reason for this is Japan’s early lead in creating the first mobile payment platform, Osaifu Keitai, in 2004.

Not everybody used Osaifu Keitai early on, but it grew the mobile payments foundation so the market was ready for new mobile payment platforms when Apple Pay launched in 2016. More importantly, the early lead also meant that bank card issuers, payment networks and transit companies had backend systems firmly in place servicing a large installed base of various digital wallet capable handsets (Symbian) and smartphones (Android) that quickly extended to Apple Pay and Google Pay.

The backend flexibility is easy to see on the Mobile Suica page that shows all the different Mobile Suica flavors: Android (Osaifu Keitai), Apple Pay, Google Pay, Rakuten Pay. Mobile Suica is also on Garmin Pay, Fitbit Pay and is coming to Wear OS.

Mobile issue and verification
Adding a ‘card’ to a mobile wallet is sometimes called ‘onboarding’, but this is really a banking term: “digital onboarding is an online process to bring in new customers,” as in setting up a payment account and getting an instant issue debit or prepaid card to use in Wallet with an app, or using the app for QR Code payments (like PayPay or Toyota Wallet).

Success or failure for any mobile wallet card service depends on reliability, simplicity and the speed for adding cards and using them. From VISA:

When it comes to digital onboarding, the average amount of time after which customers abandon their application is 14 minutes and 20 seconds. Any longer than this, and 55 percent of customers leave the process.

How to boost your customer’s onboarding experience

There is also context. Futzing for 14 minutes might apply for people setting up a bank app, but a transit app user trying to get through a ticket gate at rush hour is a completely different matter. Judging from the large number of negative Suica App user reviews and complaints on twitter, Japanese transit users probably give it 2 minutes before giving up and calling it all crap. Speed is the key.

How long does it take?
The speed of adding a card to Wallet depends on a number of factors, what kind of wallet service are we dealing with (car key, hotel key, home key, office key, payment, transit, ID), does the user need an account first, can a physical card be transferred, what kind of user verification is required.

User verification with digital credentials is still in its infancy which is why driver’s licenses and state IDs in Apple Wallet is fascinating and important. How does one authenticate their own ID card? Apple explains the process but doesn’t say how long verification takes or reveal backend details:

Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID… The customer will then be asked to use their iPhone to scan their physical driver’s license or state ID card and take a selfie, which will be securely provided to the issuing state for verification. As an additional security step, users will also be prompted to complete a series of facial and head movements during the setup process. Once verified by the issuing state, the customer’s ID or driver’s license will be added to Wallet.

The verification process is similar to the recent addition of Mobile Suica student commuter pass purchases where students take a picture of their student ID and upload it. Online verification takes ‘up to 2 business days’ because Mobile Suica has to manually verify the ID information with the school. Hopefully the Face ID setup-like ‘additional security step’ is the magic iPhone ingredient for instant verification by the state issuer. However notice that Apple doesn’t spell out where the face and head movements are stored. Hopefully it will stay in the Secure Enclave and never be stored on a server. We shall see when ID in Wallet launches with the iOS 15.4 update.

As you can see from the table below, the journey from backend system to Wallet varies widely by the type of service. The easier additions are the ones done in Wallet app: card scans for payment cards and ID or simply tapping to add transit cards.

Physical card scans are the primary way to add payment cards but this is changing, apps will replace plastic card scans over time. In Japan there are a growing number of ‘instant issue’ credit/debit digital cards from top tier banks that can only be added to Wallet with an app and account. Digital onboarding is the direction banks are going, where everybody has to go to an app first to add a card to Wallet. This leaves transit cards as the only card that can be added without an app or account.

Who owns the thing in Wallet?
Physical keys, fobs and plastic cards may seem inconvenient at times but they are personal property we carry on our person. One downside of digital wallets is that convenience carries a risk that the thing in Wallet isn’t necessarily ours. What is added with a simple tap can also be taken away by a technical glitch, or in a worst case scenario, without our consent. As backend systems improve and integrate, more services will migrate to our digital wallets. Without doubt much of this will be convenient but read the fine print and always keep your eyes open to the tradeoffs and risks. In other words don’t let your digital wallet be a potential chokepoint of your life.

The digital wallet endgame should never be like this

Why the fuss about an iPhone NFC payment terminal?

I have to admit I’m a little confused about the brouhaha over the latest Mark Gurman rumor: “Apple is planning a new service that will let businesses accept payments directly on their iPhones without any extra hardware.”

Okay, so what are we talking here? Oh, Apple is adding new Core NFC functions that let any 3rd party app be a POS software backend!

I doubt it.

Maybe PassKit NFC Certificates are going away! Look EU, look Australia…our NFC is open open for business! Anybody can use iPhone now as payment terminal! Anybody with an iPhone can skim payments cards in the wild!

Are you kidding?

You see there is this little thing called EMV c-e-r-t-i-f-i-c-a-t-i-o-n for all payment terminal hardware and separate certification for VISA, Mastercard, etc. Do people really think Apple is going to give those away for free along with a bundled POS app for payment transactions? Think again.

Look, there are a ton of certified cheap Android based NFC-QR-whatchamacallit all-in-one reader devices out there that suck. They’re only as good as network connection, the OS and the POS app + payment transaction backend. Apple isn’t going to compete with that.

I don’t know about anybody else but I’m way more interested in how Apple would pull off the business software end of this rumor because the hardware end is already a given. And it would never see the light of day in FeliCa land Japan, that’s for sure. Success in America is not guaranteed either. Just ask the App Clips team.