Killing the golden egg goose

Amid the swirling EU ‘iPhone must be open’ debate, there’s an angle for everybody. Every proponent, from software developers who want side-loading to payment networks and banks who want open NFC, to EU regulators who want ‘open market’ (yeah right), and especially software ‘security’ companies who want to sell endless fixes for endless security breeches engineered by… you know who, expect a bonanza. iPhone finally released from the Apple walled garden is gonna make everybody rich.

Japanese developers and tech reporter veterans are thankfully more detached and acerbic than passionately hysterical westerners who are more in love with passionate hysteria than clear thinking. Not that they love Apple, Google, Microsoft, etc., or don’t think they should be regulated in some way, they just seem more aware of practical reality. If you want to know what opening iPhone means look no further than this; Everyone’s favorite iPhone will fall prey to shitty antivirus software companies. A world where you throw money away.

Maybe shitty antivirus software companies and shitty bank payment networks will make more money from a heavily regulated and opened iPhone, in the short term, and it will be users who are forced to throw their money away because they don’t understand the complexity being forced on them. As Steve Jobs once said, customers are pay Apple to make those choices and strip away the complexity. Not anymore.

In the new world order there aren’t bundled hardware + software smart devices to choose from, users choose the hardware, then they choose the software. Good luck with that. In the long term, a new world where hardware and software can’t be sold as a closed bundle is going to break a lot of hardware development business models out there, not just Apple’s. All those passionate ‘open’ proponents better be prepared for hard reality when the cut open the iPhone goose that laid golden eggs, and find nothing.

Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with to the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode with the double-click + authentication required for show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps“.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time is you have any interest in Apple Pay and Wallet.

WWDC22 Wish List

It is hard to be enthusiastic about this year’s WWDC when Apple’s entire integrated software/hardware business model is coming under attack. With so much distraction these days there’s not much of a wish list, just a few observations for Apple Pay, Apple Maps and Text Layout.

Apple Pay
First up of course, is Apple Pay. After Jennifer Bailey’s WWDC21 appearance where she announced keys and ID for iOS 15 Wallet, and the separate Tap to Pay on iPhone announcement in January, I don’t think Jennifer will be in the WWDC22 keynote. She’s not going to appear just to explain that Apple Pay is not a monopoly, that’s Tim’s job with CEO level pay grade, nor is she doing to appear to just flesh out details of what’s already there. That’s what sessions are for, explaining things that I have been wishing for these past few years: an easier, more open Secure Element Pass certification process and/or new frameworks for developers to access the secure element for payments or use Tap to Pay on iPhone. There needs to a clearer path for developers who want to use the secure element for payments (Wallet) or iPhone as payment terminal (Tap to Pay on iPhone).

Apple needs to open up the NFC/Secure Element Pass certification process or clarify the process

The only possible ‘new’ Apple Pay Wallet feature I can think of is the ‘so long in the works it has gone moldy’ Code Payments. Lurking in the code shadows since iOS 13 or so, it has been around so long that Apple legal inserted official mention in a recent Apple Pay & Privacy web page update: “When you make a payment using a QR code pass in Wallet, your device will present a unique code and share that code with the pass provider to prevent fraud.” If Apple Pay delivers native device generated QR code payments without a network connection, just like all Apple Pay cards to date, it would be quite a coup but by itself, is not worth a Jennifer Bailey appearance. Other future goodies like passport in Wallet or My Number ID in Wallet are too far out to merit mention.


Apple Maps
The only new Apple Maps feature that suggests itself is Indoor Maps for stations. That’s the conclusion I come up after examining the current (February ~ May 2022) backpack image collection in Tokyo, Osaka/Kyoto and Nagoya. It is highly focused on centrally located above ground and underground station areas. Stations like Shinjuku and Tokyo are entirely underground surrounded with extensive maze like malls.

This means Apple image collection backpacks are going inside for the first time. They are either collecting data instead of images, or doing it at pre-arranged times when people are scarce. This is hard to do at a place like Shinjuku station as there are multiple companies collectively managing the entire site (JR East, Odakyu, Keio, Seibu, Tokyo Metropolitan Bureau of Transportation, Tokyo Metro, just to name a few).

So far Apple has only used their image collection in Japan for Look Around, but the current version of Look Around doesn’t make sense for station interiors unless it is heavily modified with augmented reality place labels, directions for exits, transit gates and so on. The Apple indoor maps model for airports and malls is outdated and impossible to retrofit for information dense, tightly packed Japanese stations.

Apple needs come up with something new for indoor station maps to be successful on any level. The current version of AR walking guidance only works outdoors as the camera has to scan and match surrounding building profiles. A hybrid of stored Look Around images and AR walking guides might be a way forward. Station maps have special needs to seamlessly transition between indoor and outdoor guidance modes as users leave or enter stations on their walking route to the final destination.

Recent image collection suggests Indoor Station Maps might be coming in iOS 16

I’m not holding my breath but anything is better than what we have now and Apple is certainly up to something. A new and improved, AR enhanced “Look Around” style indoor map for stations would be far more useful for Japanese iPhone users than airports or shopping malls. Nobody does indoor maps well by the way, including Google Maps and Yahoo Japan Maps.

As most readers of this blog already know, I am not optimistic that Apple Maps in Japan can become a top tier digital map service. The local 3rd party map and transit data suppliers that Apple depends on to make up the bulk of the Japanese service are certainly not top tier and old problems remain unfixed. In the case of the main Japanese map data supplier things have deteriorated.

IPC was 100% owned by Pioneer supplying their car navigation system data, but was sold to Polaris Capital Group June 1, 2021 with a new CEO (ex Oracle Japan) named the same day. In January 2022 IPC was renamed GeoTechnologies Inc. Under hedge fund Polaris Capital Group management, GeoTechnologies has been busy inflating the number of cushy company director positions, never a good sign, and pushing out shitty ad-ware apps like Torima. The focus is leveraging assets not building them.

Apple’s Japanese map problem can only be fixed by dumping GeoTechnologies for Zenrin, or Apple mapping all of Japan themselves. Apple is not pursuing either option, the image collection effort in Japan is limited and its use remains restricted to Look Around. Until this changes, expect more of the same old Japanese map problems in iOS 16 and beyond. Apple Maps is a collection of many different service parts. Some evolve and improve, some do not. Let’s hope for a good outcome with the data Apple is collecting for indoor station maps.


Apple Typography TextKit 2 migration
WWDC21 saw the unveiling of TextKit 2, the next generation replacement for the 30 year old TextKit, older than QuickDraw GX even, but much less capable. TextKit 2 marked the start of a long term migration with most of TextKit 2 initially ‘opt in’ for compatibility. We’ll find out how much of TextKit 2 will evolve to default on with an ‘opt out’. There are holes to fill too: the iOS side didn’t get all the TextKit 2 features of macOS such as UITextView (multiline text), some of the planned features like NSTextContainer apparently didn’t make the final cut either. We should get a much more complete package at WWDC22. Once the TextKit 2 transition is complete, I wonder if a Core Text reboot is next.


watchOS 9 Express Cards with Power Reserve?
Mark Gurman reported that watchOS 9 will have “a new low-power mode that is designed to let its smartwatch run some apps and features without using as much battery life.” While this sounds like Express Cards with Power Reserve (transit cards, student ID, hotel-home-car-office keys) and it might even mimic the iPhone feature to some degree, I doubt it will be a full blown version. Power Reserve is a special mode where iOS powers down itself down but leaves the lights on for direct secure element NFC transactions. iOS isn’t involved at all.

Real Power Reserve requires Apple Watch silicon that supports the hardware feature, it cannot be added with a simple software upgrade. Until that happens, a new watchOS 9 low-power mode means that watchOS still babysits Express Cards, but anything that gives us better battery life than what we have now is a good thing.

Enjoy the keynote and have a good WWDC.

In the Apple Pay monopoly debate context is everything

John Gruber did everyone a favor outlining some of the stakes at play in the remarkably glib, “Remarks by Executive Vice-President Vestager on the Statement of Objections sent to Apple over practices regarding Apple Pay.” The objections are annoyingly vague and refuse to specify how Apple Pay stifled competition and innovation:

(The) Digital Markets Act will…require companies designated as gatekeepers to ensure effective interoperability with hardware and software features they use themselves in their ecosystems. This includes access to NFC for mobile payments.

Today’s case addresses a conduct by Apple that has been ongoing since Apple Pay was first rolled out in 2015 <sic, 2014 actually>. This conduct may have distorted competition on the mobile wallets market in Europe. It prevented emergence of new and innovative competition that could have challenged Apple.

Mark Gurman and Jillian Deutsch at Bloomberg also did everybody a favor unmasking PayPal as one of the instigators behind the EU Commission Apple Pay investigation. Yes, that PayPal…the financial service that snuffs out user accounts whose politics they don’t like, or worse just seizes their money.

Both pieces miss important context surrounding the debate however…and with this issue context is all, especially how Apple Pay is playing out in other global markets. Most of what follows I’ve covered in earlier posts but hope to pull the various issues together in one post. Yet again, we kickoff with an updated Apple Pay diagram.

‘Open’ NFC, gatekeepers and secure element wars
Europe has been calling Apple Pay unfair since the very beginning, with many EU member banks holding out as long as they could. German banks only joined Apple Pay in December 2018 when Vestager was already actively seeking Apple Pay complaints. Less than a year later Germany passed a bill to force Apple to ‘open’ their NFC chip. Australian banks tried the same in 2017.

The so called Apple ‘NFC chip’ is not a chip at all but a hardware/software sandwich. The Apple Pay ecosystem described in iOS Security is a collection of tightly integrated polished pieces: Secure Element, Secure Enclave, NFC Controller, Wallet and Apple Pay Servers, all wrapped into a slick, easy to use UI with a final security wall of ‘secure intent’, a double-click side button hot-wired to the Secure Element. This approach has been so successful that people divide mobile payments history into pre-Apple Pay and post-Apple Pay eras.

NFC has been on Android far longer than iPhone, and ‘open NFC’ at that, but is far less successful capturing mobile payment users than Apple Pay. This is because Android device manufactures made the classic mistake of taking the ‘let’s take awesome NFC technology and figure out how we’re going to market it’ approach. Jennifer Bailey’s Apple Pay team choose the hyper focused Steve Jobs approach of starting with the customer experience and building backwards while asking: “what incredible benefits can we give the customer, where can we take the customer?” That choice made all the difference.

Apple Pay has a very simple rule: any card that loads a Java Card applet into their embedded secure element (eSE) has to reside in Wallet app. The maximum number depends on how many Java Card applets it can hold at any one time, the previous limit was 12, the iOS 15 Wallet limit is 16 cards. Developers have two ways to access iPhone NFC: 1) Core NFC framework for NFC operations that don’t use the secure element, 2) Secure Element pass certificates for NFC operations that need secure element transactions (payments, keys, ID, passes). Any developer who wants to run applets in the eSE has to apply for a PassKit NFC/Secure Element Pass Certificate. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

The end to end user experience, the whole reason behind the success of Apple Pay. But this gatekeeping is what riles banks and financial service providers who want to load their applets into the secure element without the Apple Pay gatekeeping, without the Apple Pay ecosystem and without the Apple Pay commission. They want to do their own transactions with their own app for free. This is what the EU Commission means when Vestager says: “Evidence on our file indicates that some developers did not go ahead with their plans as they were not able to to (sic) reach iPhone users.” It should read: when they were not able to reach iPhone users for free. Either the developer didn’t apply for a Secure Element Pass, didn’t pass the certification process, balked at Apple’s certification conditions, or couldn’t agree on Apple Pay commission rates.

Secure element gatekeeping is not new, it is an essential part of the secure element system:

A Secure Element (SE) is a microprocessor chip which can store sensitive data and run secure apps such as payment. It acts as a vault, protecting what’s inside the SE (applications and data) from malware attacks that are typical in the host (i.e. the device operating system). Secure Elements handle all sorts of applications that are vital to our modern digital lives…

Mobile Payments
Here, the Secure Element securely stores card/cardholder data and manages the reading of encrypted data. During a payment transaction it acts like a contactless payment card using industry standard technology to help authorize a transaction. The Secure Element could either be embedded in the phone or embedded in your SIM card.

Lifecycle management
It’s crucial that SE-embedded devices are secure throughout their lifecycle. That’s why Secure Elements need to have an end-to-end security strategy. It’s no use developing a robust security solution for a device which becomes obsolete after a period of use. This is why Secured Elements can be updated continuously to counter new threats.

What is a secure element?

Few people, especially a PayPal or EU Commission vice president, discuss the crucial secure element lifecycle management aspect. It’s not convenient for them to say the secure element ‘gatekeeper’ is responsible for keeping it secure. Far more convenient for their arguments to omit this, portray gatekeeping as unnecessary and gatekeepers as evil. In the end however, Apple has to maintain secure element updates from the various licensed secure element providers (EMV,FeliCa Networks, MIFARE, and so on) if secure payments are going to work at all This is what people who say, ‘it’s my device, we should be able to use NFC how we want,’ do not understand.

People also forget that nothing is free, you get what you pay for. With Apple Pay as gatekeeper, users get simplicity, innovation and feature updates. Simplicity: users get NFC they can use out of the box without Android-like NFC complexity such as secure element positions and obscure express mode settings.

Innovation: Apple Pay has features like Global NFC. iPhone and Apple Watch are the only smart devices that come with FeliCa built in as standard to use in Hong Kong or Japan, while Android limits functionality by market region. It’s astounding that Android, not even Google Pixel Android, has matched this basic functionality yet. We’re seeing more innovation as Ultra Wide Band (UWB) extends Wallet functionality to include ‘Touchless’ car keys and eventually, UWB enhanced automatic card selection as you approach the reader; more helpful than you might think.

Feature updates that, ‘just work’: the recent seamless Apple Cash switch from Discover to VISA, PBOC 2.0 flavored China T-Union transit cards, MIFARE Student ID, or the addition of in-app purchases and dual mode NFC for Japanese VISA card users when VISA JP finally buried the hatchet with Apple.

And the lesson? Apple Pay changed everything in the Japanese payments market, a catalyst that opened up competition and payment choices, for everybody. All boats rose together. It’s one of the most vibrant payment markets that Apple Pay operates in.

Japan is key to understanding what’s really going on in the Apple Pay monopoly debate. Japan was the first market with an established mobile payment platform in place, long before mobile EMV contactless payments took off in Europe. iPhone also has a much larger marketshare in Japan than it does in Europe. It’s a shame people pass up the opportunity to learn from the successes and failures here.

So what’s the EU Committee vision for ‘open NFC’? I think it’s a rehash of the secure element wars when carriers locked mobile payment services to SIM contracts. In 2013 Google incorporated SimplyTapp HCE (Host Card Emulation ‘secure element in the cloud’) technology as a NFC ‘workaround’ to ‘free’ NFC from the evil clutches of mobile carriers. Sound familiar? Android NFC has never been right since.

How little things change, swap ‘evil mobile carriers’ for ‘evil Apple’ and you have the same self serving ‘open’ vs ‘closed’ NFC chip nonsense that people are debating today. FeliCa Dude, the ultimate industry insider who has experienced it all, said it best: ‘It’s all eSE or nothing now.’

And yet we now have Île-de-France Mobilités (IDFM) turning back the clock, circumventing the eSE on NFC equipped Android devices and going all in with HCE for IDFM’s Smart Navigo service for Android. To me this says all you need to know what European priorities are regarding the ‘open NFC’ model: eliminate eSE gatekeepers by forcing the less secure network dependent HCE as a required option. Good luck with that. From a transit perspective, based on Mobile Suica user experiences, I don’t think HCE Smart Navigo will be a smooth ride.

The EU Committee ‘open NFC’ vision might look ideal…to Apple Pay competitors. Regular users however, will have to deal with the ugly reality of multiple NFC apps, multiple NFC secure element modes and clashing updates that cancel out NFC services. Apple Silicon eSE space is limited to 16 cards. If that sounds like a lot now, wait until you have credit cards, transit cards, home, car and office keys and ID installed along with ‘open’ NFC apps wanting their own eSE space too. Services will be squeezed out forcing the user to intervene. If the EU Committee thinks this environment fosters competition and innovation while growing mobile payment use, dream on.

Japanese tech journalist Junya Suzuki has covered NFC mobile payment developments in Europe, America and Japan for over 2 decades. He doesn’t think the EU is playing an even hand here, in his opinion Samsung and Huawei would never face the scrutiny that Apple now faces. In typical European cultural fashion, EU motives pay lip service to fair open markets while playing an underhanded game of chess to make Apple do what EU banking interests want Apple to do. In other words, a double standard.

What does Apple need to do?
I’ve always said that Apple needs to make the Secure Element Pass application process as transparent as possible. Keeping the blackbox NDA process as it is now makes Apple Pay a target, increasingly difficult to defend the status quo. Secure Element access on the level of Core NFC is a long shot, the very definition of a secure element means there has to be a developer certification process similar to EMVCo, FeliCa Networks, MIFARE, Calypso Networks Association, etc., that protects the privacy and business interests of all parties. But it would be great if there is a middle way where Apple can securely open things up for iPhone as a digital wallet, and iPhone as a payment terminal. We’ll see if Apple has anything to say about the subject at WWDC22.


Recommended reading: Ruimin Yang’s wonderfully detailed analysis, “Apple Pay monopoly, are we really comparing ‘Apples’ with ‘Apples?“outlines the entire Apple Pay system architecture, how it compares to other digital wallet platforms, (Google Pay, Samsung Pay) and what ‘open vs closed’ means in the ‘Apple Pay is a monopoly’ debate.

How much will Smart Navigo HCE suck?

It’s interesting parsing app reviews that say ‘this app sucks’. How does it suck and why? As I’ve said before, the overwhelming negative App Store reviews for Suica App are less about the app and more about lousy carrier auto-connect • free WiFi connections messing with the Mobile Suica recharge function. Most users see Suica App as the software that controls everything Mobile Suica AND iPhone NFC hardware. It does not of course but people dump all blame on Suica App anyway.

It’s a complete mystery why people even bother using Suica App when so much Mobile Suica functionality is built in Apple Pay Wallet right out of the box. Nevertheless it’s safe to conclude that Suica App user angst is network related. People assume the WiFi and cellular icons at the top of the iPhone screen indicate a healthy internet connection, which they decidedly do not.

Most of what Mobile Suica does is done without an internet connection. The only time it needs one is recharge time with a credit card in Apple Pay Wallet app or Suica App. All that complaining over one Mobile Suica feature however, tells us something important about WiFi and cellular internet connections in station areas and on trains: they suck. Despite ubiquitous cellular and WiFi coverage, reliable internet is notoriously fickle in those famously busy Japanese train stations. This is the real reason behind all those ‘this app sucks’ Suica App reviews.

Which brings us to Smart Navigo, the Île-de-France Mobilités (IDFM) Paris region transit card for mobile that is going wide on Android smartphones this year. IDFM has spent a lot of time and expense working with Calypso Networks Association (CNA), the transaction tech used for Navigo, to implement the less secure network dependent Calypso HCE ‘cloud’ secure element approach as the default mobile transit tech for Android devices in 2022.

It is very unusual that IDFM chose HCE as their go to mobile strategy on Android when the more secure hardware embedded secure element (eSE) is standard on all smartphone NFC devices, and does the job without internet connections. HCE is very different from eSE in that both NFC smartphone and the reader need a connection to talk with a server. HCE was also conceived for leisurely supermarket checkout, not the challenging transit enviroment. How does Calypso HCE compare to the network-less eSE experience? CNA says:

For security reasons, transactions using the personalization key or the load key are not possible through the NFC interface, and must be done with a secure connection to a server.

Only the Calypso debit key is stored in the HCE application for validation on entrance and control during travel, coupled with a mechanism of renewal of the Calypso Serial Number (CSN) to mitigate the risk of fraud : a part of the CSN contains date and time of validity of the debit key which shall be checked by the terminals.

Thales says: poor mobile network coverage can make HCE services inaccessible. In short no internet connection, no mobile transit service. Let’s compare the basic mobile transit card features of Mobile Suica with Calypso HCE:

It’s too bad IDFM didn’t study Mobile Suica shortcomings, they could have learned a few things. Most certainly they understand HCE shortcomings but chose it anyway for unknown (political?) reasons. Right out of the gate Smart Navigo HCE won’t support power reserve NFC transactions even on Android devices that support it for regular eSE NFC. In total, there are 6 core Smart Navigo features that are internet connection dependent vs 1 Mobile Suica feature. 6 more things to complain about when they don’t work…in other words the Smart Navigo HCE suck index is 6 times greater than Mobile Suica. If Suica App is anything to go by, there are going to be a lot of bad Google Play reviews for the HCE version of the Île-de-France Mobilités App.

iPhone and Apple Watch users can be thankful that Apple Pay Navigo will use eSE (as Samsung Pay Navigo already does), and avoid most of this mess when the service launches in 2023, matching the Mobile Suica experience, feature for feature.