Use a cryptographic key protection solution such as white-box cryptography to ensure that:
a. Cryptographic keys are never exposed in the clear, neither as static data in the binary nor in runtime memory
b. Data is protected at rest, in transit and in use
Protect the application binary against reverse engineering and code tampering/modification attacks
Perform vulnerability and penetration testing and ensure that known risks, in particular those in the OWASP Mobile Top 10 list, are addressed
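The check behind countermeasure (a), as an added example that is not part of the original page or of any vendor product: a scanner that walks a process memory image looking for AES-128 key schedules. Software AES implementations keep the expanded round keys contiguous in memory (OpenSSL's AES_KEY is one such layout), so any 16 bytes whose key expansion equals the 160 bytes that follow them is almost certainly a live key, and anyone able to dump the app's memory (root, malware on the device, a debugger) can lift it. The memory image, the key and its offset are constructed here for the demonstration and are assumptions; the function names are the example's own.

```python
"""Scan a memory image for AES-128 key schedules (added example).

Demonstrates why a payment key that lives in plain form in an HCE app's
process memory is recoverable by whoever can read that memory. The image,
key and offset below are constructed for the demonstration.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:                       # invariant: p * q == 1 in GF(2^8)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2)
                   ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63)
        if p == 1:
            break
    sbox[0] = 0x63                    # 0 has no inverse; affine(0) = 0x63
    return sbox


SBOX = _build_sbox()


def round_keys_128(key):
    """Yield the 11 round keys (16 bytes each) of the AES-128 key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    yield bytes(key)
    for rnd in range(1, 11):
        for i in range(4 * rnd, 4 * rnd + 4):
            t = list(w[i - 1])
            if i % 4 == 0:            # RotWord, SubWord, Rcon
                t = [SBOX[b] for b in t[1:] + t[:1]]
                t[0] ^= rcon
                rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
            w.append([a ^ b for a, b in zip(w[i - 4], t)])
        yield bytes(sum(w[-4:], []))


def expand_key_128(key):
    """Full 176-byte AES-128 key schedule."""
    return b"".join(round_keys_128(key))


def schedule_at(image, off):
    """True if image[off:off+176] is a complete AES-128 key schedule."""
    if off + 176 > len(image):
        return False
    # Compare round by round so random data is rejected after one round
    for rnd, rk in enumerate(round_keys_128(image[off:off + 16])):
        if image[off + 16 * rnd:off + 16 * rnd + 16] != rk:
            return False
    return True


def find_aes128_keys(image):
    """Return (offset, key) for every key schedule at any byte offset."""
    return [(off, bytes(image[off:off + 16]))
            for off in range(len(image) - 175) if schedule_at(image, off)]


SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed app key
KEY_OFFSET = 1021                                                # assumed location


def build_sample_image():
    """Constructed stand-in for a heap dump: random filler, one expanded key,
    then a decoy (the raw key with no schedule after it)."""
    rng = random.Random(2014)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return b"".join([filler(KEY_OFFSET), expand_key_128(SAMPLE_KEY),
                     filler(517), SAMPLE_KEY, filler(300)])


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

Run it against a real dump by reading the file into `image` instead of calling `build_sample_image()`. The decoy in the sample shows the scanner's limit: it only recognises an expanded schedule, so a raw 16-byte key that is never expanded in memory needs a different search (for instance trial decryption of a captured message under each candidate window). A clean result therefore means the key is not held as a standard schedule, not that it is absent from memory.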
References:
None
Additional Information:
HCE (Host Card Emulation) allows a smartcard to be emulated in software on the mobile phone without using a hardware SE (secure element), which introduces the following key security risks that were not present in SE-based NFC services:
• An attacker could gain access to sensitive information such as payment credentials and cardholder information
• Malware applications could attack the OS and exploit the device and the mobile payment app
• A malicious user could gain access to information stored within the mobile payment application and use it to make fraudulent payments
The security implications of bypassing the hardware SE must be considered, because an application running on the Android OS is far more exposed to malicious attacks than code isolated inside the SE.
On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.
New Threat
Threat Category: Payment
Threat:
Threat Origin: None
Exploit Example:
http://paybefore.com/wp-content/uploads/2014/04/Secure-Element-Deployment-Host-Card-Emulation-v1.0.pdf
http://www.smartcardalliance.org/downloads/HCE-101-WP-FINAL-081114-clean.pdf
CVE Example: None
Possible Countermeasures:
References: None