Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with to the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.

What’s interesting to me is that Tap to Pay on iPhone servers are providing a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone is providing with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16 ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money, Apple seems confused about it just like Express Mode vs Express Transit) and IDs in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode with the double-click + authentication required for show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over the top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps“.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time is you have any interest in Apple Pay and Wallet.

WWDC22 Wish List

It is hard to be enthusiastic about this year’s WWDC when Apple’s entire integrated software/hardware business model is coming under attack. With so much distraction these days there’s not much of a wish list, just a few observations for Apple Pay, Apple Maps and Text Layout.

Apple Pay
First up of course, is Apple Pay. After Jennifer Bailey’s WWDC21 appearance where she announced keys and ID for iOS 15 Wallet, and the separate Tap to Pay on iPhone announcement in January, I don’t think Jennifer will be in the WWDC22 keynote. She’s not going to appear just to explain that Apple Pay is not a monopoly, that’s Tim’s job with CEO level pay grade, nor is she doing to appear to just flesh out details of what’s already there. That’s what sessions are for, explaining things that I have been wishing for these past few years: an easier, more open Secure Element Pass certification process and/or new frameworks for developers to access the secure element for payments or use Tap to Pay on iPhone. There needs to a clearer path for developers who want to use the secure element for payments (Wallet) or iPhone as payment terminal (Tap to Pay on iPhone).

Apple needs to open up the NFC/Secure Element Pass certification process or clarify the process

The only possible ‘new’ Apple Pay Wallet feature I can think of is the ‘so long in the works it has gone moldy’ Code Payments. Lurking in the code shadows since iOS 13 or so, it has been around so long that Apple legal inserted official mention in a recent Apple Pay & Privacy web page update: “When you make a payment using a QR code pass in Wallet, your device will present a unique code and share that code with the pass provider to prevent fraud.” If Apple Pay delivers native device generated QR code payments without a network connection, just like all Apple Pay cards to date, it would be quite a coup but by itself, is not worth a Jennifer Bailey appearance. Other future goodies like passport in Wallet or My Number ID in Wallet are too far out to merit mention.


Apple Maps
The only new Apple Maps feature that suggests itself is Indoor Maps for stations. That’s the conclusion I come up after examining the current (February ~ May 2022) backpack image collection in Tokyo, Osaka/Kyoto and Nagoya. It is highly focused on centrally located above ground and underground station areas. Stations like Shinjuku and Tokyo are entirely underground surrounded with extensive maze like malls.

This means Apple image collection backpacks are going inside for the first time. They are either collecting data instead of images, or doing it at pre-arranged times when people are scarce. This is hard to do at a place like Shinjuku station as there are multiple companies collectively managing the entire site (JR East, Odakyu, Keio, Seibu, Tokyo Metropolitan Bureau of Transportation, Tokyo Metro, just to name a few).

So far Apple has only used their image collection in Japan for Look Around, but the current version of Look Around doesn’t make sense for station interiors unless it is heavily modified with augmented reality place labels, directions for exits, transit gates and so on. The Apple indoor maps model for airports and malls is outdated and impossible to retrofit for information dense, tightly packed Japanese stations.

Apple needs come up with something new for indoor station maps to be successful on any level. The current version of AR walking guidance only works outdoors as the camera has to scan and match surrounding building profiles. A hybrid of stored Look Around images and AR walking guides might be a way forward. Station maps have special needs to seamlessly transition between indoor and outdoor guidance modes as users leave or enter stations on their walking route to the final destination.

Recent image collection suggests Indoor Station Maps might be coming in iOS 16

I’m not holding my breath but anything is better than what we have now and Apple is certainly up to something. A new and improved, AR enhanced “Look Around” style indoor map for stations would be far more useful for Japanese iPhone users than airports or shopping malls. Nobody does indoor maps well by the way, including Google Maps and Yahoo Japan Maps.

As most readers of this blog already know, I am not optimistic that Apple Maps in Japan can become a top tier digital map service. The local 3rd party map and transit data suppliers that Apple depends on to make up the bulk of the Japanese service are certainly not top tier and old problems remain unfixed. In the case of the main Japanese map data supplier things have deteriorated.

IPC was 100% owned by Pioneer supplying their car navigation system data, but was sold to Polaris Capital Group June 1, 2021 with a new CEO (ex Oracle Japan) named the same day. In January 2022 IPC was renamed GeoTechnologies Inc. Under hedge fund Polaris Capital Group management, GeoTechnologies has been busy inflating the number of cushy company director positions, never a good sign, and pushing out shitty ad-ware apps like Torima. The focus is leveraging assets not building them.

Apple’s Japanese map problem can only be fixed by dumping GeoTechnologies for Zenrin, or Apple mapping all of Japan themselves. Apple is not pursuing either option, the image collection effort in Japan is limited and its use remains restricted to Look Around. Until this changes, expect more of the same old Japanese map problems in iOS 16 and beyond. Apple Maps is a collection of many different service parts. Some evolve and improve, some do not. Let’s hope for a good outcome with the data Apple is collecting for indoor station maps.


Apple Typography TextKit 2 migration
WWDC21 saw the unveiling of TextKit 2, the next generation replacement for the 30 year old TextKit, older than QuickDraw GX even, but much less capable. TextKit 2 marked the start of a long term migration with most of TextKit 2 initially ‘opt in’ for compatibility. We’ll find out how much of TextKit 2 will evolve to default on with an ‘opt out’. There are holes to fill too: the iOS side didn’t get all the TextKit 2 features of macOS such as UITextView (multiline text), some of the planned features like NSTextContainer apparently didn’t make the final cut either. We should get a much more complete package at WWDC22. Once the TextKit 2 transition is complete, I wonder if a Core Text reboot is next.


watchOS 9 Express Cards with Power Reserve?
Mark Gurman reported that watchOS 9 will have “a new low-power mode that is designed to let its smartwatch run some apps and features without using as much battery life.” While this sounds like Express Cards with Power Reserve (transit cards, student ID, hotel-home-car-office keys) and it might even mimic the iPhone feature to some degree, I doubt it will be a full blown version. Power Reserve is a special mode where iOS powers down itself down but leaves the lights on for direct secure element NFC transactions. iOS isn’t involved at all.

Real Power Reserve requires Apple Watch silicon that supports the hardware feature, it cannot be added with a simple software upgrade. Until that happens, a new watchOS 9 low-power mode means that watchOS still babysits Express Cards, but anything that gives us better battery life than what we have now is a good thing.

Enjoy the keynote and have a good WWDC.

Apple Pay Enhanced Fraud Prevention (updated)

Apple Wallet VISA card users report receiving ‘Enhanced Fraud Prevention’ notifications today that outline changes how Apple shares ‘fraud prevention assessments’ with payment card networks based on analyzed information from user Apple Pay transactions (purchase amount, currency, date, location, very likely more). The changes seem to apply to web and in-app purchases.

Apple has been doing most of this already. The new Apple Pay and Privacy text expands upon earlier iOS user guide text: If you have Location Services turned on, the location of your iPhone at the time you make a purchase may be sent to Apple and the card issuer to help prevent fraud. Perhaps Apple is changing ‘may be sent’ to ‘will be sent’.

Enhanced Fraud Prevention might cause problems for some Apple Pay users when people start traveling again as in-app purchase is used for adding money to transit cards. There have already been a few very recent and odd, ‘I can’t use my home issued Apple Pay card to recharge PASMO’ complaints on social media from inbound visitors. Until now this kind of thing has been unheard of for Apple Pay Suica•PASMO users. A new complication to keep an eye on going forward. So far Wallet Enhanced Fraud Protection notifications only seem to be going out to VISA card users. Why and why now?

Because it’s starting with VISA with the focus on web and in-app payments, my first thought was this is partly a response to bad publicity from the silly VISA-centric ‘Apple Pay Express Transit has been hacked!‘ story that make the rounds last October. The new Apple Pay and Privacy text outlines how the new policy applies to various Apple Pay operations: adding a card, paying with Apple Pay, using transit cards, etc.

QR Code payments in Wallet are also referenced. The official mention may indicate the long in development feature will finally see light of day, perhaps iOS 15.5, we shall see. The text says, “When you make a payment using a QR code pass in Wallet, your device will present a unique code and share that code with the pass provider to prevent fraud.” If Apple Pay delivers native device generated QR code payments without a network connection, just like all Apple Pay cards to date, it would be quite a coup.

The notification privacy text is worth reading. As of this posting the Apple Pay & Privacy web page has not been updated with Enhanced Fraud Protection information.

2022-04-22 Update
Some clarity on the reasons and timing of Enhanced Fraud Prevention: Wallet notifications went to VISA card users in various Apple Pay regions (US, Japan, Australia and more) the same day Apple switched the Apple Cash card brand from Discover to VISA debit. Kissing the Green Dot Bank/Discover backend goodbye for VISA is the smart thing to do as Apple can finally take Apple Cash international. Enhanced Fraud Prevention had to be in place first for that to happen.

The mobile wallet chokepoint

I ran across an untidy but interesting Twitter thread that mentioned Apple Pay Suica in the larger context of evolving NFC smartphone services.

Suica (Metro card / digital money in Japan) now lets you transfer the card to Apple Pay. Some thoughts about the future of FOBs, cards, and wallets…You use NFC to transfer your Suica by tapping the card with your iPhone, the same way you’d tap to use Apple Pay.

Devices support some kinds of NFC but not others. Until now, you couldn’t tap to use credit cards — it was blocked by the device.

But this is changing! Apple will support card payments now, in an app that IT will make & provide to vendors. This lets Apple compete in new hardware markets: first phones, now point-of-sale, payments, inventory mgmt, etc.

Physical cards are on the way out. But not everyone is on-board. FOBs, subway cards, ID cards, drivers licenses, and building security cards have been slow adopters of mobile. I’d love to copy my building FOB to my phone 😁 There’s nothing stopping me other than that I can’t.

Apple is moving into those markets….Airports, Driver licenses (in 30 / 50 US states). How far this tech goes & the speed of adoption depends on iOS, Android, and the people at ID / security / FOB / card companies adopting the change. They may need help! And there may be startup potential in that space… if anybody is interested!

Twitter thread

The intention was discussing the implications of Apple’s recent Tap to Pay on iPhone announcement, but it stumbled over a rarely discussed but vital point about the extremely slow migration of various physical card services to mobile devices. Why can’t we just load these in Wallet…all the technology is in place right?

The mobile chokepoint is not technology but the backend systems to seamlessly deliver, verify and securely manage individual ‘card’ services (payment cards, transit cards, ID cards, keys, etc.) in digital wallets. Those systems are not up to the job. You can be sure that Apple wants to get iOS 15 ID in Wallet driver licenses out quickly as possible but corralling all those state run systems into a coherent user friendly whole that holds up to the high expectations and massive base of iPhone users eagerly waiting to use it, is a very big challenge. It’s a similar challenge behind every kind of digital wallet service.

This backend weakness is easy to see with transit cards, there are relatively few on mobile with most of the cards exclusive or limited to certain digital wallets like Apple Pay and Samsung Pay. There are special challenges too as a mobile transit card service hosts all the functions of ye olde station kiosk card machine (card issue, adding money, pass renewal, etc.) and more, on the cloud, pushing it out to apps and connecting to digital wallet platforms like Apple Pay.

Despite the challenges, the rewards for going mobile are clear. If there is one lesson Apple Pay proved in Japan with Suica it is that building a mobile foundation early on is key to future success. Mobile laggards like Hong Kong Octopus have paid a heavy price. Unfortunately for regions where transit is operated as a public service instead of a sustainable business, spending money building transit card mobile service systems is often considered an extravagance.

This is why open loop is popular as means to get out of the plastic smartcard issue business and get mobile transit service for free using EMV contactless VISA-mastercard-AMEX payment networks. Like many things in life, free is never free.

Banks have had an easier path to mobile thanks to the strength of EMV payment networks, but only on the payment transaction end. Mobile card issue is another matter up to individual banks. Look at the Apple Pay participating bank list for the United States. The long list didn’t happen overnight. It has taken years for mobile backend systems to be put in place to make this happen.

It’s all about the backend
A sadly overlooked aspect of the Japanese market is the crazy collection of contactless payment options: Suica, iD, QUICPay, WAON, nanaco, Edy, PayPay, LinePay, dBarai, VISA-mastercard-AMEX Touch payments and more. The reason for this is Japan’s early lead in creating the first mobile payment platform, Osaifu Keitai, in 2004.

Not everybody used Osaifu Keitai early on, but it grew the mobile payments foundation so the market was ready for new mobile payment platforms when Apple Pay launched in 2016. More importantly, the early lead also meant that bank card issuers, payment networks and transit companies had backend systems firmly in place servicing a large installed base of various digital wallet capable handsets (Symbian) and smartphones (Android) that quickly extended to Apple Pay and Google Pay.

The backend flexibility is easy to see on the Mobile Suica page that shows all the different Mobile Suica flavors: Android (Osaifu Keitai), Apple Pay, Google Pay, Rakuten Pay. Mobile Suica is also on Garmin Pay, Fitbit Pay and is coming to Wear OS.

Mobile issue and verification
Adding a ‘card’ to a mobile wallet is sometimes called ‘onboarding’, but this is really a banking term: “digital onboarding is an online process to bring in new customers,” as in setting up a payment account and getting an instant issue debit or prepaid card to use in Wallet with an app, or using the app for QR Code payments (like PayPay or Toyota Wallet).

Success or failure for any mobile wallet card service depends on reliability, simplicity and the speed for adding cards and using them. From VISA:

When it comes to digital onboarding, the average amount of time after which customers abandon their application is 14 minutes and 20 seconds. Any longer than this, and 55 percent of customers leave the process.

How to boost your customer’s onboarding experience

There is also context. Futzing for 14 minutes might apply for people setting up a bank app, but a transit app user trying to get through a ticket gate at rush hour is a completely different matter. Judging from the large number of negative Suica App user reviews and complaints on twitter, Japanese transit users probably give it 2 minutes before giving up and calling it all crap. Speed is the key.

How long does it take?
The speed of adding a card to Wallet depends on a number of factors, what kind of wallet service are we dealing with (car key, hotel key, home key, office key, payment, transit, ID), does the user need an account first, can a physical card be transferred, what kind of user verification is required.

User verification with digital credentials is still in its infancy which is why driver’s licenses and state IDs in Apple Wallet is fascinating and important. How does one authenticate their own ID card? Apple explains the process but doesn’t say how long verification takes or reveal backend details:

Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID… The customer will then be asked to use their iPhone to scan their physical driver’s license or state ID card and take a selfie, which will be securely provided to the issuing state for verification. As an additional security step, users will also be prompted to complete a series of facial and head movements during the setup process. Once verified by the issuing state, the customer’s ID or driver’s license will be added to Wallet.

The verification process is similar to the recent addition of Mobile Suica student commuter pass purchases where students take a picture of their student ID and upload it. Online verification takes ‘up to 2 business days’ because Mobile Suica has to manually verify the ID information with the school. Hopefully the Face ID setup-like ‘additional security step’ is the magic iPhone ingredient for instant verification by the state issuer. However notice that Apple doesn’t spell out where the face and head movements are stored. Hopefully it will stay in the Secure Enclave and never be stored on a server. We shall see when ID in Wallet launches with the iOS 15.4 update.

As you can see from the table below, the journey from backend system to Wallet varies widely by the type of service. The easier additions are the ones done in Wallet app: card scans for payment cards and ID or simply tapping to add transit cards.

Physical card scans are the primary way to add payment cards but this is changing, apps will replace plastic card scans over time. In Japan there are a growing number of ‘instant issue’ credit/debit digital cards from top tier banks that can only be added to Wallet with an app and account. Digital onboarding is the direction banks are going, where everybody has to go to an app first to add a card to Wallet. This leaves transit cards as the only card that can be added without an app or account.

Who owns the thing in Wallet?
Physical keys, fobs and plastic cards may seem inconvenient at times but they are personal property we carry on our person. One downside of digital wallets is that convenience carries a risk that the thing in Wallet isn’t necessarily ours. What is added with a simple tap can also be taken away by a technical glitch, or in a worst case scenario, without our consent. As backend systems improve and integrate, more services will migrate to our digital wallets. Without doubt much of this will be convenient but read the fine print and always keep your eyes open to the tradeoffs and risks. In other words don’t let your digital wallet be a potential chokepoint of your life.

The digital wallet endgame should never be like this

Deliciously timely iOS 15.4 Wallet and Mobile Suica day pass support

Mobile Suica day pass support starts March 12

JR East announced 2 new features for Mobile Suica yesterday: day passes and student commuter pass online purchase and renewal support. Day passes are already available for plastic Suica, Mobile Suica support starts March 12. The 4 passes are: Nobiri Holiday, Tokyo Ward Pass, Tokyo Free Pass, Yokohama-Minatomirai Free Pass.

These Mobile Suica passes will not be available at the local station ticket window, they are purchased in a new version of Suica App due by the service launch date. Only regular Mobile Suica or Mobile Suica with expired commute plan can be used for day passes, Mobile Suica with valid a commuter plan attached cannot be used. JR East is promoting the passes offering bonus JRE POINT when purchased in Suica App with a VIEW credit card.

New Wallet app strings in iOS 15.4 developer beta found by Steve Moser

The very next day after the JR East announcement Apple released the first developer iOS 15.4 beta with many new features including Wallet app strings related to transit card commute plans and stored value, such as “Save money with time based or unlimited ride plans.”

The delicious timing is not coincidence: Apple Pay Suica will certainly put these new iOS 15.4 Wallet strings to good use when the new day passes launch. Wallet app currently indicates when a Suica card is a regular type or has a commute plan attached. The addition of Suica day passes require some sort of new Wallet UI indicator.

One interesting aspect of the Mobile Suica commuter pass limitation: the current card architecture only has one area for attachted commute plans, if there is a valid commute plan it must be removed before a day pass can be added. This storage limitation is addressed by Suica 2 in 1 which holds up to 2 different commute plans but even here there is the problem of conflicting commute plan + day pass plan that exist for the same transit region on the same card. There is no way for the transit gate to determine which one to use for fare calculation: commute plan or day pass. Hence the ‘no commute plan’ rule.

Mobile Suica student commuter passes (university or vocational schools) have been around for some time, but purchase and renewal required a trip to the local JR East ticket office to confirm the school issue student ID. From February 13 students purchase and renew Mobile Suica student commute plans in a new version of Suica App after pre-registration and uploading a picture of the student ID for verification via the Mobile Suica member site (that got a desperately needed refresh). Still somewhat of a pain but much better than before.

Imagine how easy it would be if a digital student ID card loaded in Wallet could be used for secure digital confirmation instead of uploading a picture and mailing a paper copy. In time digital ID will hopefully deliver this kind of time saving convenience.