Mobile Wallet Security:
Fast track your journey toward EMVCo certification.
Mobile wallets are set to boom in the months and years ahead.
The growth in usage of mobile wallets shows no signs of slowing down, thanks in part to the two trends below.
A post-covid surge in contactless payments:
One side affect of the COVID-19 pandemic was a hike in demand for contactless payment options. This habit shift has coincided with a greater adoption of NFC technology which has led to an expectation and reliance on quick digital transactions.
The expansion of digital banking:
Banks and other financial institutions are rushing to offer mobile wallets to complement more traditional banking services. Other trends like Apple opening up NFC in the EU market means that there is more competition in the mobile wallets space.
Reliable protection against tampering, man-in-the-middle attacks, malware, and more.
EMVCo specifications act as a guide to help you mitigate sophisticated security threats and protect your hard-earned reputation.
Below, we’ll explore the two EMVCo specifications you need to comply with. We’ll also explain how Licel’s mobile wallet security solutions are tailor-made to help you meet your EMVCo certification needs.
Compliance with EMVCo security specifications.
Developers and providers of mobile wallets need to achieve EMVCo certification in order to get their solution to market. Specifications from EMVCo are vital guidelines for mitigating some of the most dangerous threats to your application. Compliance also helps you avoid mobile fraud and, in turn, makes sure you maintain the trust of your end users.
The two EMVCo specifications you need to comply with are:
- Security Guidelines for TEE-based Mobile Payments: This specification focuses on the use of Trusted Execution Environments (TEEs) to help your wallet process sensitive transactions.
- Security Guidelines for Software-based Mobile Payments: This specification addresses the security of software-only mobile payment solutions (including mobile wallets).
EMVCo Security Guidelines
TEE-based Mobile Payments.
This EMVCo specification provides detailed security measures for mobile payment solutions - including mobile wallet apps - that make use of trusted execution environments (TEEs). TEEs and vTEEs (virtual trusted execution environments) provide a secure area to store and process sensitive data, alongside a range of other enhanced protection measures.
EMVCo guidance is vital for developers of mobile wallets as they must use the enhanced protection that TEEs offer. What is more, global payment companies like Visa, Mastercard, American Express, and Discover require compliance with the guidelines for approving mobile wallet solutions.
Software-based Mobile Payments.
The EMVCo SBMP security specification provides a solid framework for protecting mobile wallet solutions. It is focused mainly on making sure that wallet apps running on consumer off-the-shelf (COTS) devices like smartphones and tablets can defend themselves from a variety of sophisticated threats.
It is a crucial specification to follow to get to market with your mobile wallet solution, prevent mobile fraud in its many guises and, ultimately, build consumer confidence in your solution.
What’s the difference between EMVCo’s Basic Platform and Enhanced Platform?
You’ll see reference to both “Basic” and “Enhanced” Platforms when reading about achieving EMVCo certification. So, what do each of them mean?
Basic Platform refers primarily to software-based app protection mechanisms, such as obfuscation, encryption, RASP, attestation, and integrity control.
Enhanced Platform involves additional security features including trusted execution environments to store and process sensitive code and data.
Basic and Enhanced Platforms in action: running an applet inside a vTEE.
Let’s take a look at an example of both Platforms in action:
The Licel Virtual Trusted Execution Environment (vTEE) is often used by our clients to run an applet. This trusted application benefits from advanced protection in the form of white box cryptography, as well as device binding to prevent attackers from cloning app data from one device to another. The Licel vTEE also stops anti-downgrade and anti-replay attacks for additional integrity.
And the Licel vTEE itself is protected by DexProtector’s multi-layered security mechanisms that are covered in EMVCo’s Basic Platform.
Combined, this represents the kind of advanced protection your mobile wallet solution needs to defend itself against modern attacks.
Licel’s security solutions can fast-track your EMVCo certification journey.
Licel’s suite of mobile channel protection solutions are ideally-placed to speed up your time-to-market journey and save you money along the way.
The fact that our protection products are already evaluated and approved for the two EMVCo specifications relevant for mobile wallet apps eliminates the most common compliance blockers.
Below we’ll highlight some of the key requirements in the EMVCo Security Guidelines for Software-based Mobile Payments specification (this includes TEE specific requirements covered in more detail in the TEE-based Mobile Payments guidelines).
We’ll also explain how each of our mobile channel security solutions solve the challenges posed.
5.2 MA-SEC-REQ-2: Asset Protection
Requirement
2.5 The security mechanisms used by the Mobile Application to protect the assets must be evaluated. If the mechanisms rely on the security of an underlying component (such as a TEE, white-box crypto, and obfuscation), then the security of the underlying component must also be evaluated and, where appropriate, certified.
Solution
DexProtector and the Licel vTEE are both evaluated and approved by EMVCo for the two specifications that are relevant for mobile wallet applications:
- Security Guidelines for TEE-based Mobile Payments
- Security Guidelines for Software-based Mobile Payments
5.3 MA-SEC-REQ-3: Mobile Application Protection (1)
Requirement
3.1 The Mobile Application must be securely installed.
3.2 The Mobile Application must be securely updated.
3.4 The Mobile Application must be protected against reverse engineering, unauthorized modification and update.
3.7 The integrity of the Mobile Application must be verified at and/or during runtime.
Solution
These requirements are satisfied by DexProtector’s robust obfuscation, encryption, and integrity control mechanisms.
DexProtector secures mobile wallet applications against both static and dynamic tampering and reverse engineering.
5.3 MA-SEC-REQ-3: Mobile Application Protection (2)
Requirement
3.8 The Mobile Application must not run on non-supported platforms and/or devices.
3.9 The Mobile Application must not run in audit, debug, or test mode.
3.10 The Mobile Application must not log sensitive data in plain (unencrypted) format.
3.11 If the Mobile Application and/or server-side detect any compromise, the Mobile Application must have the capability to be deactivated and to securely remove all sensitive data.
Solution
The DexProtector Runtime Engine’s RASP checks make sure that there are no threats in your mobile wallet application’s environment.
If any threats are detected, DexProtector can prevent the app from running and securely wipe app and user data.
5.3 MA-SEC-REQ-3: Mobile Application Protection (3)
Requirement
3.3 There must be a secure binding of the Mobile Application with the Consumer Device once the Mobile Application is installed.
3.6 The Mobile Application must not allow a user-initiated roll-back to an earlier version that can transact successfully, unless explicitly allowed.
Solution
The Licel vTEE implements device binding, meaning that it isn’t possible for attackers to clone app or user data from one device to another.
It also comes with an anti-downgrade functionality which mean bad actors cannot reinstate a previous version of the application that might have had an exploitable vulnerability.
5.6 MA-SEC-REQ-6: Reporting and Attestation (1)
Requirement
6.2 Any reporting communications, particularly error codes, must not reveal information that would aid an attacker in obtaining sensitive information.
6.3 If any compromises are detected, the Mobile Application must have the capability to report to a server-side and the user / owner of the mobile device.
6.4 If the Mobile Application relies on a server-side attestation reporting model, then the attestation protocol must implement mechanisms for:
- source and data integrity, and,
- timely reporting, to ensure that actions and responses delivered between the Mobile Application and the server result from, and reflect, the current state of the system.
Solution
Alice Threat Intelligence is our monitoring, reporting, and attestation solution. It securely communicates and displays attack reporting data to the server side for analysis.
5.6 MA-SEC-REQ-6: Reporting and Attestation (2)
Requirement
6.1 Account information and authentication data used for security reporting must be protected from unauthorized disclosure and modification.
6.5 If the Mobile Application relies on a server-side attestation reporting model, file integrity protection must be applied to configuration files, executables, and public keys/certificates used for security services on any back-end components of the attestation system.
6.6 Any reporting or attestation mechanisms must not interrupt payment transaction processing.
Solution
DexProtector and Alice work in tandem to create multiple layers of protection. Such is the case with these reporting and attestation requirements.
DexProtector’s security mechanisms to prevent tampering and reverse engineering (as well as its integrity controls) are put to use to protect data used for security reporting.
5.7 MA-SEC-REQ-7: Cryptographic Keys, Methods, and Random Numbers
Requirement
7.5 Random number generators (e.g. for unpredictable numbers) must have sufficient entropy for the required security level of the function for which they are used within the Mobile Application.
7.6 Data and cryptographic keys requiring encryption must be protected with cryptographic keys bound to the Mobile Application and Consumer Device (i.e. must be device and application bound). Keys must not be exported in plain text.
Solution
The Licel vTEE takes care of all cryptographic processes during runtime - isolated from other processes.
Mobile wallet application key material is automatically encrypted by device-specific Key Encryption Keys (KEKs) using white-box cryptography.
The Licel vTEE has been EMVCo evaluated and approved under the SBMP TEE category.
Get complete mobile channel protection for your SoftPOS solution.
DexProtector: the complete package for app and SDK security.
DexProtector is a no-code security solution for Android and iOS applications, SDKs, and libraries. Its core mechanisms include integrity control, obfuscation, encryption, anti-tampering / debugging, root detection, anti-instrumentation, anti-emulation, and SSL Pinning.
Its anti-malware, UI protection, API protection, and Device ID capabilities represent the cutting-edge of mobile application protection.
DexProtector provides the core security foundations covered in EMVCo’s SBMP specification. It has been EMVCo approved for 4 consecutive years.
Alice Threat Intelligence: real-time reporting about the threat landscape.
Alice is a threat intelligence, monitoring, and attestation solution that receives and analyzes incident insights from DexProtected applications.
Its data about the threats facing your app and the wider industry helps you to bridge the gap between vigilance and action. Alice empowers you to strengthen your security posture both now and in the near future.
Alice represents a key facet of EMVCo’s Reporting and Attestation requirements.
The Licel vTEE: designed to facilitate secure mobile transactions.
The Licel vTEE provides a secure execution environment where trusted applications can perform sensitive transactions and operations.
Designed to satisfy both PCI and EMVCo requirements, the Licel vTEE is faster and more flexible than hardware TEEs. This flexibility can help to fast-track your certification bid.
Speaking of certification, the Licel vTEE has been evaluated and approved under EMVCo’s SBMP for TEE category.
Holistic security solutions to protect the whole mobile channel.
Licel’s security solutions safeguard against some of the most sophisticated threats mobile wallet apps, mobile banking apps, and SoftPOS solutions are likely to face.
Below, we’ll cover some of the most common concerns that we hear from our clients who are aiming to get EMVCo certification for their mobile wallet. Please do get in touch with us if you have other queries that aren’t covered here.
“We need a security solution that will work on both platforms — Android and iOS.”
Licel’s security solutions are device and platform independent; they work just as well on both platforms. DexProtector, for example, is set up to run seamlessly on iOS, with no need for bitcode or awkward SDKs. It was also the first software protection tool to be evaluated by EMVCo for both Android and iOS and was recently re-approved for the 4th year in a row.
“We need to stop the damaging impact of mobile fraud.”
Licel’s mobile-channel protection solutions enable your mobile wallet to defend itself against fraud.
Alice informs you about emerging threats to your mobile wallet application, be that dangerous malware variants or new types of attacks that target mobile transaction systems. And DexProtector’s root and branch security mechanisms make fraud infinitely more difficult for bad actors to achieve.
“We need to mitigate the mobile malware threat.”
Licel’s anti-malware approach involves both Alice and DexProtector.
Among other attack data, Alice Threat Intelligence reports on the latest trojans that pose a risk to your mobile wallet app so that you’re one step ahead and can configure your security posture effectively. The latest Alice anti-malware updates even enable you to configure your application protection behavior based on the category of malware it has detected.
DexProtector mitigates the malware threat in two main ways:
Firstly, its runtime engine scans devices for malware and potentially harmful apps; if it finds something, then depending on the configuration it either closes the app or it reports the incident containing the data of its findings to the host app. Secondly, DexProtector uses UI protection to prevent malware from carrying out its go-to method of capturing screens or logging the keys (for example the PIN used by end users).
“We want to protect our IP.”
We understand that your competitive advantage lies in your intellectual property — and that needs to remain hidden from bad actors.
DexProtector’s code hardening and runtime protection mechanisms stop attackers from reverse engineering, tampering with, and stealing IP.
“We’re concerned about man-in-the middle attacks and other network threats.”
DexProtector’s communication hardening measures (Certificate Transparency and Public Key Pinning) stop bad actors from intercepting sensitive materials and data travelling from the application to the backend.
“We need to speed up our EMVCo certification bid and get to market sooner.”
At Licel we have a strong track record of helping mobile wallet apps comply with EMVCo specifications speedily, saving our clients both time and money.
The fact that our solutions hold EMVCo approval themselves (both SBMP and SBMP for TEE) means that certification labs already know that our solutions meet the most stringent requirements. This acts as a significant time saver in the EMVCo certification process and can also save you money as you won’t need to apply more than once.
Our protection products are easy to test and integrate. DexProtector can be run locally and offline, or you can automatically integrate it with Android Studio, Xcode, or simply include it as part of your CI/CD builds. It’s also a no-code solution that applies protection automatically to APKs, AABs, AARs, IPAs, Frameworks, and XCFrameworks.