Mobile Threat Catalogue

Host Card Emulation Application Attacks


Threat Category: Application-based


Threat Description: HCE payments do not directly leverage the security of storing cryptographic keys in the Secure Element, and therefore must securely manage cryptographic secrets and transaction details at the application level. Operating at a lower security baseline makes HCE-based payment apps attractive targets for financially-motivated attackers. The further-lowered security baseline of rooted or jail-broken mobile devices renders HCE-based apps highly vulnerable to compromise.

Threat Origin

Secure Element Deployment & Host Card Emulation v1.0 1

Exploit Examples

Not Applicable

CVE Examples

Not Applicable

Possible Countermeasures


Deploy EMM or containerization solutions to prohibit the use HCE-based apps on rooted or jail-broken devices.

Use app-vetting services for HCE-based payment apps to determine if they are trustworthy prior to deployment.

Mobile Device User

Do not use HCE-based apps on rooted or jail-broken devices.

Mobile App Developer

Review additional methods for ensuring the confidentiality and integrity of mobile payments. Sources of additional guidance include the Smart Card Alliance 2 and Mozido 3


  1. Secure Element Deployment & Host Card Emulation v1.0, white paper, SIMalliance, 2014; [accessed 10/24/2016] 

  2. Host Card Emulation (HCE) 101, white paper MNFCC-14002, Smart Card Alliance Mobile & NFC Council, 2014; [accessed 10/24/2016] 

  3. HCE Payment - How it works and best practices for banks, white paper, Mozido, 2016; [accessed 8/1/2022]