The subject of mobile payments has been hitting the headlines recently, with the launch from Google of Android Pay at Mobile World Congress 2015, marking a defining moment in the future of mobile payments. With the worldwide mobile payment market projected at over 450 million users and a transaction value of more than $721 billion by 2017, there is plenty at stake.
With this in mind, payment systems only work when everyone accepts the same form of payment. Look at credit cards, where the market is dominated by just a few global players, which supports some degree of standardisation for providers and consumers. Similarly, there isn’t room for a different payment system for every phone maker – the market would simply become too fragmented.
A number of options are available for providing mobile payment, including Google's approach for Android Pay, which builds on the Host Card Emulation (HCE) capability introduced in Android 4.4. This new option for merchants and financial institutions is a software-based technology that permits a phone to perform card emulation on an NFC-enabled device without relying on hardware device updates to support security features. HCE instead requires a security layer within the mobile payment application itself, free of hardware constraints. This approach negates the need for consumers to own the latest versions of hardware devices to take advantage of greater convenience with security.
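As an added illustration of what HCE means in practice (example code, not from the original article or from Arxan), the skeleton below is a minimal Android HCE service. Android routes the ISO 7816-4 APDUs an NFC reader sends for the AIDs declared in the app's `res/xml/apduservice.xml` (assumed here to list the placeholder `DEMO_AID`) to `processCommandApdu`, so the card logic, and any keys it uses, live entirely in app code rather than in secure-element hardware. The AID and class name are hypothetical.

```java
// Added example, not code from the original article or from Arxan. A minimal
// Android Host Card Emulation (HCE) service: Android delivers the reader's
// APDUs for the AIDs registered in res/xml/apduservice.xml (assumed to list
// DEMO_AID) to processCommandApdu, with no secure-element hardware involved.
import android.nfc.cardemulation.HostApduService;
import android.os.Bundle;
import java.util.Arrays;

public class DemoPaymentHceService extends HostApduService {

    // Placeholder AID (hypothetical; not a real payment network AID).
    private static final byte[] DEMO_AID = {
        (byte) 0xF0, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
    };

    // ISO 7816-4 status words, returned as the last two bytes of every response.
    private static final byte[] SW_OK                 = {(byte) 0x90, 0x00};
    private static final byte[] SW_WRONG_LENGTH       = {0x67, 0x00};
    private static final byte[] SW_COND_NOT_SATISFIED = {0x69, (byte) 0x85};
    private static final byte[] SW_FILE_NOT_FOUND     = {0x6A, (byte) 0x82};
    private static final byte[] SW_INS_NOT_SUPPORTED  = {0x6D, 0x00};

    private static final byte CLA_ISO           = 0x00;
    private static final byte INS_SELECT        = (byte) 0xA4;
    private static final byte P1_SELECT_BY_NAME = 0x04;

    // Per-tap state: has the reader selected our application yet?
    private boolean selected = false;

    @Override
    public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
        // CLA INS P1 P2 is the minimum header; anything shorter is malformed.
        if (apdu == null || apdu.length < 4) {
            return SW_WRONG_LENGTH;
        }
        if (apdu[0] == CLA_ISO && apdu[1] == INS_SELECT && apdu[2] == P1_SELECT_BY_NAME) {
            return handleSelect(apdu);
        }
        if (!selected) {
            // The reader must SELECT our AID before any transaction command.
            return SW_COND_NOT_SATISFIED;
        }
        // A real wallet would dispatch its transaction commands here. Whatever
        // keys those steps use sit in app memory, which is why the app itself
        // has to be hardened rather than relying on hardware isolation.
        return SW_INS_NOT_SUPPORTED;
    }

    private byte[] handleSelect(byte[] apdu) {
        // SELECT by name: CLA INS P1 P2 Lc <AID>; Lc must match the bytes present.
        if (apdu.length < 5) {
            return SW_WRONG_LENGTH;
        }
        int lc = apdu[4] & 0xFF;
        if (lc == 0 || apdu.length < 5 + lc) {
            return SW_WRONG_LENGTH;
        }
        byte[] aid = Arrays.copyOfRange(apdu, 5, 5 + lc);
        if (!Arrays.equals(aid, DEMO_AID)) {
            selected = false;
            return SW_FILE_NOT_FOUND;
        }
        selected = true;
        // A real card returns an FCI template ahead of the status word; this
        // placeholder returns only the status word.
        return SW_OK;
    }

    @Override
    public void onDeactivated(int reason) {
        // DEACTIVATION_LINK_LOSS or DEACTIVATION_DESELECTED: drop per-tap state
        // so a later tap cannot resume a half-finished exchange.
        selected = false;
    }
}
```

The service must also be declared in `AndroidManifest.xml` with the `android.nfc.cardemulation.action.HOST_APDU_SERVICE` intent filter and the `BIND_NFC_SERVICE` permission; that registration, not the code above, is what makes Android route the AID to this class.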
Android Pay is one of the few payment approaches that targets third-party app developers to create branded payment products, and the underlying technology supports an open API (Application Programming Interface) that can be leveraged by a multitude of Android devices. This software-based, open approach makes it the optimal option for consumers, merchants and banks, as there isn’t the need to develop different apps for different devices or to change devices. However, the challenge that needs to be confronted head-on is ensuring that the payment tokens, i.e. the cryptographic keys within the software, are properly secured.
For these standalone mobile payment apps, including examples such as Apple Pay, consumer mobile data can be protected against fraud and transaction losses by protecting the mobile app itself from threats such as tampering and malware insertion. Developers should implement ‘application hardening’ techniques at the beginning of the software development cycle to provide application self-protection security. Inserting security processes within the app itself will yield self-aware, self-defending and tamper-resistant applications.
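One concrete self-protection check of the kind described above, given as an added example that is not code from the original article or from Arxan: at startup the app verifies that the package it is running in was signed with the expected release certificate. A repackaged or patched APK has to be re-signed, so its certificate digest no longer matches. The class name and the expected digest value are placeholders.

```java
// Added example, not code from the original article or from Arxan. A startup
// self-check an application hardening layer can run: confirm that the package
// is signed by the expected release certificate, which a tampered and
// re-signed build cannot reproduce.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SigningCertificateCheck {

    // Placeholder: replace with the lowercase SHA-256 hex digest (no colons) of
    // the release signing certificate, e.g. as printed by keytool. Not a real value.
    private static final String EXPECTED_CERT_SHA256_HEX =
            "REPLACE_WITH_RELEASE_CERT_SHA256_HEX";

    private SigningCertificateCheck() {}

    /** True only if the running package carries exactly one signer and that
     *  signer's certificate matches the embedded digest. */
    public static boolean isSignedByExpectedCertificate(Context ctx) {
        try {
            // GET_SIGNATURES is deprecated from API 28 (GET_SIGNING_CERTIFICATES
            // replaces it) but is used here to match the Android 4.4-era API
            // the article discusses.
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return false;   // no signer, or an unexpected extra signer
            }
            String actual = sha256Hex(sigs[0].toByteArray());
            // Constant-time comparison of the two hex strings.
            return MessageDigest.isEqual(
                    actual.getBytes(StandardCharsets.US_ASCII),
                    EXPECTED_CERT_SHA256_HEX.getBytes(StandardCharsets.US_ASCII));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;       // fail closed: any lookup error is treated as tampering
        }
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

A single `if` like this is only one guard: on its own it can be located and patched out, which is exactly the attack the article's hardening techniques (tamper-resistance, run-time detection and response) are meant to address. In a hardened build the check is one of several, its result feeds a response rather than a plain boolean, and the checking code is itself protected.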
There is no doubt that mobile payment applications and platforms will continue to grow in popularity and, with personal data, banking and payment details up for grabs, they will become an increasingly lucrative target for hackers. Security innovation must be kept in step with the innovation in mobile wallets and payment services.
by Winston Bond, European Technical Manager at Arxan Technologies.
About Winston Bond
Founding member of the Arxan Technologies team in Europe, with responsibility for evangelising and supporting Arxan’s suite of security solutions that protect software from reverse-engineering, tampering and hacking.
The list of customers that I have been instrumental in winning and retaining for Arxan includes major names in banking, games, digital TV, CA/DRM and CAD software.
About Arxan Technologies
Arxan provides the world’s strongest application protection solutions. Our unique patented guarding technology 1) Defends applications against attacks, 2) Detects at run-time when an attack is being attempted, and 3) Responds to detected attacks to stop them, alert, or repair. Arxan offers solutions for software running on mobile devices, desktops, servers, and embedded platforms – including those connected as part of the Internet of Things (IoT) – and is currently protecting applications running on more than 300 million devices across a range of industries, including: financial services, high tech/independent software vendors (ISVs), manufacturing, healthcare, digital media, gaming, and others. The company’s headquarters and engineering operations are based in the United States with global offices in EMEA and APAC.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.