I recently received my Teracube phone from their Kickstarter project. It’s my first Android phone. I had initially felt like I had a real uphill battle for learning the new operating system after having never used a smartphone that isn’t an iOS phone. However, most of the stuff is exactly the same. Some things are worse, and some are better, but so far, none are dramatically better or worse than the other. Currently, my only headache is that Android 9 (and judging from the changelogs, 10 as well) has terrible text selection compared to iOS, and I like iOS’s keyboard better, for reasons that are difficult to articulate.

I will say that it appears that Android apps typically have a far more granular level of customization, which has been a bit of a bonus, but some apps don’t bother hiding the things that most human beings will never need to fiddle with in an Advanced section. And as someone who has to support users who sometimes fiddle with things that they shouldn’t - I’d prefer those things to be tucked out of sight a bit better.

Despite having worked for Apple for many years, I’m not brand loyal to anyone. What had shaken my favoring of Apple’s smartphones was their choice to heed China’s demands to pull the app that the Hong Kong protestors had been using to keep themselves safe from the police. I’ve softened on that a bit since then, since Google is far worse for privacy at a fundamental business-practices level than Apple appears to be, so I think it’s a lesser-of-two-evils situation. Once the Purism phone gets to a point where I’d think I’d want it to be my daily driver, I’ll probably dump both Apple and Android-based phones for something open source.

The purpose of this whole post is that as I keep moving more and more of the regular tasks that I do with my iPhone SE to the Teracube, I decided to set up Google Pay. I had really enjoyed using Apple Pay, and I do remember that I used to be able to speak intelligently to Apple’s customers about the technology behind it, but I’ve gotten rusty. I set up Google Pay, which was just as easy as setting up Apple Pay, and I used it on a vending machine to get some Doritos. While eating those chips, I realized that not only had I not moved my SIM card from my iPhone to the Android (meaning I had no cellular service), I also had not joined the phone to the building’s Wi-Fi, yet the purchase was completed and my bank account was charged. Despite the phone having no obvious way of contacting the outside world, I had managed this transaction. I had to remind myself how this works.

Deciding to refresh my memory on these, I visited Apple’s Apple Pay site and Google’s Google Pay site, but both had only information on the real basics. I wanted to know a bit more specifically how my phone was able to approve a transaction without being able to speak to the Internet.

I did some digging to see if I could find more information, even if it wasn’t straight from the horse’s mouth. Android Authority’s 2014 article “Everything you need to know about Host Card Emulation” had a good amount of information, even though it was a decade old. Wikipedia’s article on Apple Pay also dived into the technology. MarketWatch’s 2019 article “What is Google Pay, and is it safe?” was a little sparse on the technological details. I think that I hit a real jackpot with Ars Technica’s 2014 article “How Apple Pay and Google Wallet actually work”.

My takeaways:

  1. When you set up Apple or Google payment systems, you must have network connectivity. Your device transmits whatever card you’re desiring to use to Apple or Google, and there is a negotiation with the card issuer. If the card isn’t supported, it’s rejected and you’re notified as such. If it is supported, Apple or Google stores your payment information on file and issues your device a “token”. The token is probably a hash of some sort. I wasn’t able to see what that hash might be, but I’d presume it’s something nice and modern like SHA-256, which looks like 5fb4ba1a651bae8057ec6b5cdafc93fa7e0b7d944d6f02a4b751de4e15464def, or maybe they’ve dialed it up to SHA-512: a3c014ca3190b6d4425654b1988ab950491e75358977c604b612c320f55b4a2978e361d0441250cfb6b8e4ec7450150fd38a83ffa3dedfa822dde84dd7c4989a
  2. That token exists on your phone for a period of time that may be a day or may be limitless; I saw conflicting information. That token (which is just a string of characters) is your method of payment. When your phone is used to make a contactless payment using NFC (the wireless technology that is used between your phone and the payment reader), it transmits that token after the phone has done whatever security steps you’ve programmed it to do before sending it, which is usually a code, a fingerprint, or a face scan.
  3. That token is sent off to Apple where it is matched up with your payment method, then transmitted to your bank to debit that amount, and the vendor is then notified that the transaction was successful.

This means that the phone doesn’t need any sort of network connectivity, but the vendor does need it. It also means that the information that the vendor receives is limited, which can help with privacy. Ideally, that token is refreshed regularly, since if it is somehow stolen, its ability to be used for illegitimate transactions would cease as soon as Apple or Google issued a new token.
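To make the three steps and the refresh point concrete, here is a toy model of the flow. It is an added example, not Apple’s or Google’s code or anything from the articles above; the class names, the random 16-character token and the test card number are all assumptions made for illustration.

```python
import secrets
CARD = "4111111111111111"  # constructed test number, not a real account

class TokenService:
    """Wallet provider / card network side; the only party holding the card."""
    def __init__(self):
        self._vault = {}   # token -> card number, kept server-side
        self.ledger = []   # (last four digits, amount) debits sent to the bank

    def provision(self, card_number):
        token = secrets.token_hex(8)  # assumption: random, unrelated to the card
        self._vault[token] = card_number
        return token

    def reissue(self, old_token):  # old token is dead once the new one exists
        return self.provision(self._vault.pop(old_token))

    def authorize(self, token, amount):
        card = self._vault.get(token)
        if card is None:
            return "DECLINED"
        self.ledger.append((card[-4:], amount))
        return "APPROVED"

class Phone:
    token = None
    def tap(self, user_verified):  # local unlock check, then the stored token
        return self.token if user_verified else None

class Terminal:
    """Vendor's reader: has the network link, sees only the token."""
    def __init__(self, service):
        self.service, self.seen = service, []
    def charge(self, presented, amount):
        if presented is None:
            return "NO_PAYMENT"
        self.seen.append(presented)
        return self.service.authorize(presented, amount)

def demo():
    service, phone = TokenService(), Phone()
    phone.token = service.provision(CARD)         # setup: phone online, once
    reader = Terminal(service)
    first = reader.charge(phone.tap(True), 1.75)  # phone offline from here on
    locked = reader.charge(phone.tap(False), 1.75)
    stolen = phone.token                          # a copy that leaked somewhere
    phone.token = service.reissue(stolen)         # provider swaps the token
    replay = reader.charge(stolen, 500.00)
    return first, locked, replay, CARD in reader.seen, service.ledger

if __name__ == "__main__": print(demo())
```

The vending machine purchase is approved with the phone offline, the locked phone presents nothing, the leaked token is declined after reissue, and the reader never holds the card number.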

I did read a Forbes article, “Millions Are Being Lost To Apple Pay Fraud—Will Apple Card Come To The Rescue?”, that indicated a method of fraud that uses Apple Pay, but isn’t a fraud against Apple Pay. The difference is that when it comes to fraud detection, payment processors and banks have thresholds of trust, which are typically multipoint. If the financial institution that issues my card knows that I’m living in Virginia, and making transactions in Virginia, and then within an hour of making a purchase in Virginia, my card is used to make a point-of-sale transaction in Hawaii, that’s probably a red flag. However, if my card is used to make a transaction online with a Hawaiian vendor, that is less worrisome, since that’s very possible. The Forbes article indicates that stolen credit cards registered through Apple Pay could be used to make purchases that would otherwise not be able to be made. If my card is stolen and used to make unusual purchases, that’ll be flagged as suspicious card activity pretty quickly. However, if the card is registered with Apple Pay (or Google Pay), since the transactions are a bit more opaque for the card issuer due to the nature of the technology, and coming from Apple or Google, who are more trusted, the threshold for suspicious activity isn’t met as easily.
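The Virginia-then-Hawaii check can be written as a small “impossible travel” rule. This is an added example, not how any particular bank or processor does it; the transactions are constructed sample data, and the 900 km/h ceiling and the choice to skip online purchases are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed ceiling, roughly airliner cruising speed

# Constructed sample data: (time, channel, place, (lat, lon))
TXNS = [
    ("2020-03-02T12:05", "pos", "Richmond, VA", (37.54, -77.44)),
    ("2020-03-02T12:20", "online", "Honolulu, HI vendor", (21.31, -157.86)),
    ("2020-03-02T12:50", "pos", "Honolulu, HI", (21.31, -157.86)),
    ("2020-03-02T18:30", "pos", "Norfolk, VA", (36.85, -76.29)),
]

def km_between(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def flag_impossible_travel(txns, max_kmh=MAX_KMH):
    """Return (place, implied km/h) for card-present transactions that would
    require the cardholder to travel faster than max_kmh."""
    flagged, last = [], None
    for ts, channel, place, loc in txns:
        if channel != "pos":
            continue  # online: the vendor's location says nothing about the buyer
        when = datetime.fromisoformat(ts)
        if last is not None:
            hours = max((when - last[0]).total_seconds() / 3600, 1 / 60)
            speed = km_between(last[1], loc) / hours
            if speed > max_kmh:
                flagged.append((place, round(speed)))
                continue  # a suspect transaction does not become the baseline
        last = (when, loc)
    return flagged

if __name__ == "__main__":
    print(flag_impossible_travel(TXNS))
```

Only the in-person Honolulu purchase is flagged; the online order from a Hawaiian vendor and the later Norfolk purchase pass.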

So - Apple and Google Pay are likely more secure for an individual compared to using good ol’ plastic credit cards with a magnetic stripe and you should probably use them. The fraud issues appear to be not from ripping off Apple or Google Pay users, but plastic users.