Threat Category: Application-based
Threat Description: HCE payments do not benefit from the protection a Secure Element provides for stored cryptographic keys, and therefore must securely manage cryptographic secrets and transaction details at the application level. Operating at this lower security baseline makes HCE-based payment apps attractive targets for financially-motivated attackers. The further-lowered security baseline of rooted or jail-broken mobile devices renders HCE-based apps highly vulnerable to compromise.
Threat Origin: Secure Element Deployment & Host Card Emulation v1.0 [1]
Possible Countermeasures:
Enterprise: Deploy EMM or containerization solutions to prohibit the use of HCE-based apps on rooted or jail-broken devices.
Enterprise: Use app-vetting services for HCE-based payment apps to determine if they are trustworthy prior to deployment.
Mobile Device User: Do not use HCE-based apps on rooted or jail-broken devices.
Mobile App Developer:
References:
[1] Secure Element Deployment & Host Card Emulation v1.0, white paper, SIMalliance, 2014; http://simalliance.org/wp-content/uploads/2015/03/Secure-Element-Deployment-Host-Card-Emulation-v1.0.pdf [accessed 10/24/2016]
[2] Host Card Emulation (HCE) 101, white paper MNFCC-14002, Smart Card Alliance Mobile & NFC Council, 2014; http://www.smartcardalliance.org/downloads/HCE-101-WP-FINAL-081114-clean.pdf [accessed 10/24/2016]
[3] HCE Payment - How it works and best practices for banks, white paper, Mozido, 2016; https://members.nfcw.com/1980/hce-payment-works-best-practices-banks/ [accessed 8/1/2022]