Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.
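The release gate described in the passage above, as an added sketch that is not Apple's code and not taken from the APS document: the server checks integrity and authenticity first, then the 60-second freshness window, and only then hands out the key. HMAC-SHA256 with a shared key stands in for Apple's unpublished validation mechanism, and the function names, keys and message layout are hypothetical.

```python
import hashlib
import hmac
import json

MAX_READ_AGE_SECONDS = 60  # freshness window stated in the APS text

# Constructed sample keys; a real system would keep these in hardware-backed storage.
DEVICE_MAC_KEY = b"constructed-device-mac-key"
CARD_DATA_KEY = b"constructed-card-data-decryption-key"


def _canonical(card_data_hex, read_time):
    """Stable byte encoding of the fields the MAC covers."""
    body = {"card_data": card_data_hex, "read_time": read_time}
    return json.dumps(body, sort_keys=True).encode()


def seal_card_read(encrypted_card_data, read_time, key):
    """Device side (hypothetical): bind the read timestamp to the ciphertext."""
    card_hex = encrypted_card_data.hex()
    mac = hmac.new(key, _canonical(card_hex, read_time), hashlib.sha256)
    return {"card_data": card_hex, "read_time": read_time, "mac": mac.hexdigest()}


def release_decryption_key(message, now, key):
    """Server side (hypothetical): return (key, reason); key is None on refusal."""
    try:
        claimed = bytes.fromhex(message["mac"])
        read_time = message["read_time"]
        data = _canonical(message["card_data"], read_time)
    except (KeyError, TypeError, ValueError):
        return None, "malformed"
    if not isinstance(read_time, int):
        return None, "malformed"
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # Verify the MAC before reading the timestamp, so an unauthenticated
    # timestamp never influences the freshness decision.
    if not hmac.compare_digest(expected, claimed):
        return None, "bad_mac"
    age = now - read_time
    # Refuse stale reads and reads stamped in the future.
    if age < 0 or age > MAX_READ_AGE_SECONDS:
        return None, "stale"
    return CARD_DATA_KEY, "ok"
```

Because the timestamp is covered by the MAC, replaying an old card read with an edited `read_time` fails the integrity check rather than the freshness check.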

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use. The same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly like what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode, with the double-click + authentication required to show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps”.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time if you have any interest in Apple Pay and Wallet.

Apple Pay Japan 2020 Wrap Up Wish List

A two word summary for people in a hurry: COVID and PASMO. As everybody in Japan knows at this point, COVID drove cashless payment use more than any government program could, or anything else for that matter. Cashless went from being the perennial ‘next big thing’ to first choice at checkout in a surprisingly short time with a growing number of ‘cashless only’ places. Here’s a short recap of the best and worst of all things Apple Pay Japan in 2020.

The Worst: Face ID Apple Pay
COVID meant mandatory face mask wear outside the home. iPhone Face ID users outside of Asia quickly learned that Face ID and especially Face ID Apple Pay really sucks with face masks. Apple tweaked Face ID slightly to alleviate the issue but this is a long term problem with no short term workaround. Apple had the foresight to resurrect Touch ID in iPhone SE 2, the right device coming at the right time. For the time being it will hold up the middle and lower range iPhone user base in Japan. Face ID is such a marketing embarrassment right now that Apple only features Touch ID recharge on the Apple Pay PASMO page. The real short term future proof Face ID Apple Pay fix is Apple Watch.

The Biggest: Apple Pay PASMO
Mobile PASMO finally joined Mobile Suica, first on Osaifu Keitai Android then Apple Pay, the biggest and most important launch for Apple Pay Japan in 2020. Suica and PASMO combined represent 80% of the entire transit IC card market. In terms of pure usability, a large and diverse installed base, with Express Transit powered transit and purchases on iPhone and Apple Watch, PASMO easily beat all other Apple Pay service rollouts this year. Apple had VIP execs and foreign media on hand at the press event, something they haven’t done since the Apple Pay Japan launch in 2016.

The Most Influential: Toyota Wallet
The Toyota Wallet App rollout I wrote about a year ago turned out to be the model everybody is doing now: ‘XX Pay’ or ‘XX Wallet’ app consisting of a user account linked to a bank or credit card with a flexible payment dual mode front end offering QR Code payment via the app and an ‘instant issue’ prepaid card in Apple Pay Wallet. The Apple Pay Line Pay card launched on December 22 is the exact same model. Instant app issue debit and prepaid Wallet cards do away with plastic issue costs and lower the user entry bar, among other things. Expect more of this in 2021, actually expect everybody to do this in 2021.

The WildCard: App Clips
iOS 14.3 App Clip Code support completed the picture for App Clip developers, but it will take time to see how they play out in a market overcrowded with mobile payment options. I think there is always a chance for a low cost high quality service which intelligently designed App Clips can deliver. The key will be solving the Japanese Softcream Cashless Index (SCI) Challenge: can App Clip cashless do a faster more reliable job than good old food ticket vending machines, without an app and without an account? How streamlined can it be and still be an App Clip? I hope we can find the answers to those questions in 2021… but there’s one more thing.

The Missing: Apple Pay Code Payments
The iOS 14 Apple Pay AliPay/Apple Pay Code Payment has been in open secret test mode for nearly a year with no firm release in sight. If screenshots are anything to go by, Apple Pay Code Payments are done with a virtual Wallet ‘card’ like any other and Apple Pay Wallet cards have certain properties:

  • Direct side button Wallet activation with automatic Face/Touch ID authentication and payment at the reader.
  • Device transactions handled by the eSE without a network connection.
  • Ability to set a default main card for Apple Pay use.

Supporting QR Code payments with an Apple Pay Wallet ‘card’ moves QR payments out of the app and removes some, but not all, of the QR payment friction points. It makes App Clips a better user experience too when all payments can be accomplished with Apple Pay.

Ultimately I hope the Apple Pay Wallet card model moves away from single mode technology and evolves to multimode awareness that encompasses NFC, Ultra Wideband, QR, etc. It has to. Our smartphones must be smart and take care of any payment technology for us. They have to because things are only going to get more complicated. People ridicule the Japanese payments landscape but that will be everywhere. Card companies and banks push EMV as a ‘global standard’ but EMV already comes in different flavors like PBOC, so does NFC (NFC A-B-F-V), and Ultra Wideband is joining the mix.

That’s what digital payments are all about: combining complex things into ‘it just works’ simplicity. Anybody can create or load a Suica, Octopus or PASMO into Apple Pay, without signing up or creating a new account, and start using it for lots of different instant payments. That’s how simple it should always be. That’s my 2021 Apple Pay wish.

Best wishes for a happy and safe 2021.

UPDATE: Reader Apple Pay Wishes for 2021

>Mine would be for VISA Japan to support Apple Pay.

>Mine are resurrecting #FeliCa-based @VisaJP TOUCH (can be rebranded), @id_credit re-attempts @ #FeliCa network expansion overseas starting w/ equipping end-users w/ the technology in new card distribution (via digital & physical), & @JCB_CARD expands @QUICPay_PR network overseas.

Is there an App Clip Code for that?

Embedded NFC integrated App Clip Code (L) and Scan-only App Clip Code (R)

iOS 14.3 is the big coming out party for App Clips now that App Clip Codes are in place. Apple posted App Clip Code HIG documentation, App Clip Code Generation tools and more. There are lots of interesting tidbits and 3 ways to engage:

  • iPhone XS and later models with NFC reader mode: “The NFC-integrated variant uses an iPhone icon at its center that guides people to hold their device close to the App Clip Code.”
  • Pre iPhone XS models without NFC reader mode: “scan it using the NFC Tag Reader in Control Center.”
  • All iPhones using Camera app or Code Scanner: “scan-only variant uses a camera icon in its center to let people know to use the Camera app or the Code Scanner in Control Center to scan the App Clip Code.”

The guideline also states, “for NFC-integrated App Clip Codes, choose Type 5 NFC tags.” Type 5 tags are ISO 15693/NFC V, used for library books, medical packaging, ski passes etc., but the wording is ‘choose’ rather than ‘use’, which makes it a recommendation, not a rule. Core NFC lists ISO7816, ISO15693, FeliCa, and MIFARE tag support. NFC Forum Tag definitions are:

| NFC Forum Tag | ISO | JIS | NFC | Products/Protocol |
|---|---|---|---|---|
| Type 1 | ISO 14443-3-A | | A | TOPAZ, various |
| Type 2 | ISO 14443-3-A | | A | NXP MIFARE Ultralight |
| Type 3 | ISO 18093 | JIS X 6319-4 | F | Sony FeliCa |
| Type 4 | ISO 14443-4-A, ISO 14443-4-B | | A/B | NXP MIFARE DESFire |
| Type 5 | ISO 15693 | | V | NXP ICODE, various |

The Wikipedia NFC tag table is also helpfully detailed

So why is Apple going to all this trouble to market App Clip Codes? They could have done it all with QR Codes and NFC tags but App Clips are mini apps, App Store quality apps without the App Store. The branding of App Clip Codes defines a different and unique user experience. The NFC reader mode App Clip experience is slick ‘point and run’ fun, but the 2 for 1 ‘scan only or NFC embedded’ in one App Clip Code is practical: (1) physically accessible and close = NFC, (2) physically inaccessible or far away = code scan.

There will be many different App Clip user experiences running from general app launches to specific actions. Based on my Kitasando Coffee App Clip experience I would say, the quicker and more focused the App Clip experience, the more likely the user will use it again or go in for the full app. Apple’s HIG documentation emphasizes clarity and simplicity…good advice.

Now all I want to know is when can I finally buy softcream with an App Clip.

Practical advice from App Clip HIG

App Clips at Kitasando Coffee

Kitasando Coffee was one of the Japan debut sites for App Clips. I finally had time to check it out today. The overall experience was similar to the Starbucks app mobile order and pay. Regulars would use the full blown Coffee App but I wanted to see how fast the App Clip ‘point and pay’ experience would be.

My iPhone 11 NFC reader mode kicked in and launched the Coffee App Clip, I ordered and paid with Apple Pay, all just under a minute even with first timer ‘what do I do now’ pauses, then waited for the order to be filled. There was no ‘Sign in with Apple ID’ step, just point, order, pay, pickup. The video shows the whole process with the order wait time edited out.

App Clips does a very good job of utilizing NFC reader mode and loading time with 4G LTE was also good. I still have doubts about the experience in a marginal WiFi environment (the WiFi Assist factor) and hope to test different places as App Clips gain traction. Bottom line: if NFC with reader mode is this slick, why would anybody bother with QR or App Clip Codes?

UPDATE
iOS 14.3 beta has support for Apple-designed App Clip Code scanning. Here is a quick screen recording of the scan process and animation. The App Clip Code is a photo of the ExxonMobil gas pump stickers that launched October 22. The App Clip does not load because the ExxonMobil App is not available in Japan.

Apple Pay Contactless Adoption Outlook 4Q 2020

MacRumors posted an interesting comment Tim Cook made in the 4Q 2020 earnings call

As you can imagine in this environment, people are less wont to hand over a card. Contactless payment has taken on a different level of adoption and I don’t think we’ll go back. The United States has been lagging in contactless payments and I think the pandemic may very well put the U.S. on a different trajectory there. We are very bullish on this area and there are more things that Apple can do in this space so this is an area of great interest to us.

What exactly are the ‘more things that Apple can do in this space’ Tim is talking about? There are two iOS 14 Apple Pay features that haven’t arrived yet: App Clips and Apple Pay QR Code Payments.

App Clips are ‘here’ but you wouldn’t know it. An October 22 tweet announced 2 Tokyo coffee shops offering App Clips, the debut locations for Japan. NFCW reports ExxonMobil’s ‘point and pay’ App Clip with App Clip Code stickers at USA gas pumps though only the NFC tag part is working. ExxonMobil rolled those out the same time as Japan. Ken Nishimura of Coral Capital has an interestingly detailed write up of the Tokyo App Clips launch with a screen recording of the App Clips order process.

We are cashless…App Clips at Tailored Cafe but the nifty Apple-designed App Clip Code stickers aren’t available in Japan yet (Coral Capital blog)

The problem is that the Apple-designed App Clip Codes aren’t fully ready yet and require a future iOS 14 update (iOS 14.3?) to enable optical code reading, as noted in the iOS 14 web page fine print. Also note the 2 flavors of NFC tag reading iPhones: 1) automatic NFC with reader mode (iPhone XS and later), 2) manual Control Center NFC scan mode (pre-iPhone XS).

I expect iOS 14 Apple Pay QR Code Payments to arrive at the same time. It only makes sense to enable and launch App Clip Codes + Apple Pay QR Code Payments together as one rollout. The only question is announcement timing. We already have the ‘soft’ App Clips Code October 22 launch in Japan and USA. If Apple holds another event this year, I think there’s a very good chance we’ll hear about it.
