Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mobile Payments on Android Using Host Card Emul...

Mobile Payments on Android Using Host Card Emulation (HCE)

VIDEO of this Presentation at Droidcon NYC 2015: https://www.youtube.com/watch?v=0bXg30qA7EA

Overview: Learn how Host Card Emulation (HCE) works on Android to enable contactless payments. This is shown by following along with an example application, Handstand Pay (https://github.com/handstandsam/HandstandPay). This example app uses Visa MSD data that was the first form of contactless payments. This presentation also overviews the latest cloud-based secure element HCE solutions using a tokenization provider.

Presented at:
* Droidcon NYC 2015 - August 27, 2015
* AnDevCon Boston 2015 - July 31, 2015

Sam Edwards

August 27, 2015
Tweet

More Decks by Sam Edwards

Other Decks in Programming

Transcript

  1. NFC PAYMENTS ON ANDROID • NFC on Android 2.3 (December

    2010) • Secure hardware element required • Restricted access to secure element because of manufacturers and carriers • HCE on Android 4.4 (October 2013) • HCE API released • Secure element no longer required 5
  2. + = 4.4+ EXACT VIRTUAL REPRESENTATION OF A SMART CARD

    USING ONLY SOFTWARE Host Card Emulation on
  3. 57.4% PHONES ON ANDROID 4.4+ GOOGLE STATS AS OF AUGUST

    3, 2015 http://developer.android.com/about/dashboards/index.html
  4. • Apple Pay exclusively • Secure element only • Open

    NFC and HCE APIs • HCE and/or secure element • Depends on hardware, OS & carrier restrictions ANDROID > IOS
  5. US EMV MANDATE - OCTOBER 2015 INC “The party, either

    the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions.” http://www.paymentsleader.com/will-retailers-be-ready-for-emv-by-oct-2015/
  6. • Gets all the press • Apple controlled user experience

    • Secure element • Contactless & in-app payments • Apple hardware required
  7. • US Beta started Tuesday & Launch on September 28th

    • Contactless Terminals • Secure element • Magstripe Terminals • Using LoopPay Technology
  8. • Google Wallet • Virtual MasterCard, charges to cards on

    file • Contactless and in-app payments • Android Pay • Requires card issuer integration • Tokenized version of original card • Contactless and in-app payments HCE IMPLEMENTATIONS
  9. [VIDEO] HCE IN ACTION • Vending Machine • Walgreens •

    Panera • Duane Reade • Jet Blue [VIDEO] USING HANDSTAND PAY AT: VENDING MACHINE, WALGREENS, PANERA BREAD, DUANE READE, JET BLUE AIRLINES
  10. SOME LESSONS LEARNED • Everyone calls it “Apple Pay” •

    Single tap? Double tap? • Airplane Mode disables NFC as well • Employees aren’t trained on contactless
  11. PAYMENT APPS ARE HEAVY LIFTING Custom • Terminal communication •

    User experience • Payment credential management
  12. • Must Extend • android.nfc.cardemulation.HostApduService • Purpose • Process and

    respond to terminal commands • Runs When • Device is tapped on terminal and you are the default for an AID HCE REQUIRES A HostApduService HostApduService
  13. HostApduService @TargetApi(Build.VERSION_CODES.KITKAT)
 public class HandstandApduService extends HostApduService {
 
 @Override


    public byte[] processCommandApdu(byte[] commandApdu, Bundle extras) {
 
 byte[] responseApdu = …;
 return responseApdu;
 } @Override
 public void onDeactivated(int reason) { } }
  14. HostApduService in AndroidManifest.xml <service
 android:name=".apdu.HandstandApduService"
 android:exported="true"
 android:permission="android.permission.BIND_NFC_SERVICE">
 <intent-filter>
 <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"

    />
 
 <category android:name="android.intent.category.DEFAULT" />
 </intent-filter>
 
 <meta-data
 android:name="android.nfc.cardemulation.host_apdu_service"
 android:resource="@xml/apdu_config" />
 </service>
  15. HostApduService CONFIGURATION <host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
 android:apduServiceBanner="@drawable/front"
 android:description="@string/apdu_description"
 android:requireDeviceUnlock="false">
 
 <aid-group
 android:category="payment"


    android:description="@string/aid_group_description">
 <aid-filter
 android:name="325041592E5359532E4444463031"
 android:description="@string/aid_ppse_description" />
 <aid-filter
 android:name="A0000000031010"
 android:description="@string/aid_visa_description" /> </aid-group>
 
 </host-apdu-service>
  16. DEFAULT PAYMENT APP public static void ensureSetAsDefaultPaymentApp(Activity context) {
 NfcAdapter

    nfcAdapter = NfcAdapter.getDefaultAdapter(context);
 CardEmulation cardEmulation = CardEmulation.getInstance(nfcAdapter); ComponentName componentName = new ComponentName(context, HandstandApduService.class);
 boolean isDefault = cardEmulation.isDefaultServiceForCategory(componentName, CardEmulation.CATEGORY_PAYMENT);
 
 if (!isDefault) {
 Intent intent = new Intent(CardEmulation.ACTION_CHANGE_DEFAULT);
 intent.putExtra(CardEmulation.EXTRA_CATEGORY, CardEmulation.CATEGORY_PAYMENT);
 intent.putExtra(CardEmulation.EXTRA_SERVICE_COMPONENT, componentName);
 context.startActivityForResult(intent, REQUEST_CODE_DEFAULT_PAYMENT_APP);
 }
 }
  17. FAVOR FOREGROUND APP FROM ACTIVITY @Override
 public void onResume() {


    super.onResume();
 if (isLollipopOrHigher()) { setAsPreferredHceService();
 }
 IntentFilter paymentSentIntentFilter = new IntentFilter(HandstandApduService.PAYMENT_SENT);
 LocalBroadcastManager lbm = LocalBroadcastManager.getInstance(PayActivity.this);
 lbm.registerReceiver(animationBroadcastReceiver, paymentSentIntentFilter);
 creditCardView.updateValues(); }
 @Override
 public void onPause() {
 super.onPause();
 if (isLollipopOrHigher()) {
 unsetAsPreferredHceService();
 }
 IntentFilter paymentSentIntentFilter = new IntentFilter(HandstandApduService.PAYMENT_SENT);
 LocalBroadcastManager lbm = LocalBroadcastManager.getInstance(PayActivity.this);
 lbm.unregisterReceiver(animationBroadcastReceiver);
 }
  18. FAVOR FOREGROUND APP @TargetApi(Build.VERSION_CODES.LOLLIPOP) public void setAsPreferredHceService() {
 boolean allowsForeground

    = cardEmulation.categoryAllowsForegroundPreference(CardEmulation.CATEGORY_PAYMENT);
 if (allowsForeground) {
 ComponentName hceComponentName = new ComponentName(context, HandstandApduService.class);
 cardEmulation.setPreferredService(PayActivity.this, hceComponentName);
 } }
 
 @TargetApi(Build.VERSION_CODES.LOLLIPOP) public void unsetAsPreferredHceService() {
 boolean allowsForeground = cardEmulation.categoryAllowsForegroundPreference(CardEmulation.CATEGORY_PAYMENT);
 if (allowsForeground) {
 ComponentName hceComponentName = new ComponentName(context, HandstandApduService.class);
 cardEmulation.unsetPreferredService(PayActivity.this);
 }
 }
  19. START ACTIVITY private void startPaymentActivityInBackgroundThread() {
 new Runnable() {
 @Override


    public void run() { //Start Payment Activity in background thread for HostApduService performance
 Intent intent = new Intent(getApplicationContext(), PayActivity.class);
 intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_SINGLE_TOP);
 getApplicationContext().startActivity(intent); }
 }.run();
 }
  20. SEND LOCAL BROADCAST FROM SERVICE @TargetApi(Build.VERSION_CODES.KITKAT)
 public class HandstandApduService extends

    HostApduService { 
 @Override
 public void onDeactivated(int reason) {
 isProcessing = false;
 Context context = getApplicationContext();
 LocalBroadcastManager lbm = LocalBroadcastManager.getInstance(context); //Send local broadcast message telling the app that the payment has been sent
 lbm.sendBroadcast(new Intent(PAYMENT_SENT));
 } }
  21. RECEIVE LOCAL BROADCAST IN ACTIVITY public class PayActivity extends Activity

    { @Override
 public void onResume() { IntentFilter paymentSentIntentFilter = new IntentFilter(HandstandApduService.PAYMENT_SENT);
 LocalBroadcastManager lbm = LocalBroadcastManager.getInstance(PayActivity.this);
 lbm.registerReceiver(broadcastReceiver, paymentSentIntentFilter); } }
  22. COMMAND 1: SELECT PPSE • Do you support Proximity Payment

    Service Environment (PPSE)? • 00A404000E325041592E5359532E444446303100
 • Yes, and we only support Visa. • F23840E325041592E5359532E4444463031A511BF0 C0E610C4F07A00000000310108701019000 http://blog.simplytapp.com/2014/01/host-card-emulation-series-swipeyours.html
  23. STEP 2: SELECT AID • The terminal asks us to

    use Visa, because that’s what we told them to do. • 00A4040007A000000003101000
 • We support Visa-MSD. • 6F1E8407A0000000031010A513500B5649534120 4352454449549F38039F66029000 http://blog.simplytapp.com/2014/01/host-card-emulation-series-swipeyours.html
  24. STEP 3: GET PROCESSING OPTIONS • Get Processing Options (GPO)

    • 80A80000048302800000
 • Tell the terminal we only support Visa-MSD • 80060080080101009000 http://blog.simplytapp.com/2014/01/host-card-emulation-series-swipeyours.html
  25. STEP 4: READ RECORD • Terminal requests payment data. •

    00B2010C00
 • Returns the Magstripe “Track 2”information. • 701257104941594325785315D2406121100000409 000 http://blog.simplytapp.com/2014/01/host-card-emulation-series-swipeyours.html
  26. ON DEVICE SECURITY • Android 4.4+ • Username/Password • Device

    Administration • Android M • New Fingerprint Sensor API • android.permission.USE_FINGERPRINT • FingerprintManager.authenticate() • Confirm Credential • Make sure user unlocked phone in last __ minutes http://developer.android.com/guide/topics/admin/device-admin.html https://developer.android.com/preview/api-overview.html#fingerprint-authentication
  27. CLOUD-BASED SECURITY • Tokenization • Replace the PAN with limited

    use data that passes seamlessly through the payment system. • Keys • Expire quickly preventing their misuse. • Device Fingerprinting • Validate the phone. Data analysis provides real-time transaction assessment to identify unusual activity. • Transaction Risk Analysis • The more data used to measure and analyze, the better the overall security.
  28. DYNAMIC TOKENIZATION ACTUAL TOKENIZED 4941 1111 1111 1111 HAPPENS EVERY

    TRANSACTION 4941 1111 1111 1112 4941 1111 1111 1113
  29. WHAT CAN I DO NOW? • Get a Visa Prepaid

    Card (or use your own at your own risk) • Try out Handstand Pay, fork it on Github and hack it • Check out Simply Tapp’s Mobile SDK for cloud based payments