Secure mobiles (I): new technological solutions

Over the last few years, the payments industry has contributed new technological approaches aimed at offering secure and user-friendly mobile payment solutions. These new solutions are also applicable to other mobile services that need to protect sensitive data (such as passwords and digital content).

There are three solutions on the market:

The first step taken by tech firms and payment brands was to include a secure chip (known as a Secure Element) into a phone. This chip, combined with an NFC antenna, lets the phone emulate contactless card payments. After years of development, this solution is now starting to be seen in lots of phone and tablet products.

SIM cards, issued by telecom companies, were the first and easiest choice for these secure elements. SIMs have isolated hardware and operating systems that run independently from the phone itself. Additionally, payment applications can be installed alongside the service provider’s applications. Other chip-based solutions have appeared in recent years, such as embedded secure elements (eSE), removable SD cards and add-ons. Secure elements, in any of their form factors, share strong security features, based on hardware isolation.

Although secure elements have solved security concerns for the payment industry, chip based solutions require complex agreements between banks, technological partners and secure element issuers (MNO for SIM cards and Mobile Manufacturers for eSE), which has hampered the development of new applications. Additionally, SE cannot be used by other sectors like premium content providers which require more storage capacity and data transfer capabilities. For these reasons, simpler and more powerful ways to deploy solutions have emerged.

Host Card Emulation (HCE), a new kind of software architecture capable of emulating a card without a secure element, debuted in Google’s Android 4.4 KitKat in 2013. Thanks to this new architecture, mobile payment applications could be now installed and run in the host processor of the mobile, while security measures are provided via servers in the Cloud. In 2014, the payment schemes announced that they will support HCE technology, and released their own specifications like Visa Ready Program for Cloud-based Payment and MasterCard Cloud Based Payments. This software-only approach simplifies the ecosystem for banks as they could launch their own HCE-Cloud mobile payment applications available for download by users, like any other app.

HCE-Cloud’s architecture allows payment applications to run in the mobile OS, but this solution doesn’t provide the security level provided by a Secure Elements. To overcome this difficulty, developers and service providers have integrated technology and risk management solutions. To minimize risk, HCE-Cloud solutions combine different software countermeasures such as a unique PAN number per transaction, tokenization (i.e. PAN encryption into a token that can only be decrypted by token servers) or code obfuscation.

The Trusted Execution Environment (TEE) is another architecture designed to boost security in mobile applications. It represents a middle ground between secure elements and cloud systems, as it combines software and hardware security resources. A mobile with TEE has two operating systems that run in parallel, the rich execution environment (i.e. Android OS) where normal applications are executed, and a trusted OS (TEE), where only authorized and reliable applications are run (trusted apps).

The level of isolation between the two execution environments and between the trusted apps depends on the how well TEE is implemented. TEE provides a secure and flexible solution applicable not only to payment but to any sensitive applications, from pay-per-view to corporate identification.

Although these three technologies can be used as stand-alone solution, they can also be combined. For instance, TEE is compatible with both solutions. An HCE payment application could run in the TEE, to improve its security. Additionally, HCE applications (with or without a TEE) may still use an SE to store some critical data.

The next post will analyze the different security certification options for these technologies.