HCE Security Implications
Analyzing the security aspects of HCE
In 2013 Google released Android 4.4 (KitKat), a new version of its mobile operating system. Android 4.4 included a new Near Field Communication (NFC) feature: Host-based Card Emulation (HCE). HCE has garnered considerable attention in the NFC and mobile payment industry because it opens up the possibility of performing NFC card emulation without using the Secure Element (SE) in mobile handsets. In response, Mastercard and Visa published specifications on Cloud-Based Mobile Payments.
UL believes that HCE will continue to accelerate the introduction of NFC services, because it creates a simpler way to provide NFC card emulation services compared to other available hardware-based options. At this point in time, HCE is used in plenty of mobile payment implementations, including third-party wallet solutions like Android Pay and Samsung Pay. This technical solution has great added value for Service Providers (SPs). HCE does require the use of a wider range of security measures, designed with an infrequent connection to the internet in mind. But in exchange for these limitations, other factors such as time to market, development costs and the need to cooperate with other parties decline tremendously. These SPs must, however, be fully aware of the security risks caused by the lack of the hardware-based security that an SE provides.
Although HCE technology does not provide hardware security features, these risks can be mitigated by combining a number of techniques, including code obfuscation or white-box cryptography.