Android iPhone and iPad Security

Which NFC Payment App Offers You the Most Security?

Dan Price 25-10-2017

NFC payments are taking over the world — or at least revolutionizing how we pay for goods in stores. In case you’re not aware, the technology is booming in much of Europe, Canada, and Asia.


The UK wants all point of sale terminals to be contactless by 2020, while more than 53 percent of Australians use an NFC app at least once per week. In China, NFC payment systems have become so prevalent that experts believe the country is on track to become the first cashless society within just a few short years.

The United States is a bit behind the curve, but gaining ground rapidly. Businesses such as McDonalds and Walgreens now offer contactless payments, with many more coming online all the time.

As the number of businesses accepting NFC apps grows, so too does the number of apps. But in the Western Hemisphere, three lead the pack: Apple Pay, Android Pay, and Samsung Pay Everything You Need to Know about Apple Pay, Samsung Pay, and Android Pay Android Pay, Samsung Pay, Apple Pay all have their advantages and disadvantages. Let's take a look at exactly how each of them works and who can use them. Read More . Let’s look at the security merits of each one.

Apple Pay

We’ve taken an extensive look at the security of Apple Pay Apple Pay Is Safer Than You Think: 5 Facts To Prove It Mobile-based payment services like Apple Pay are becoming more and more popular. But what security features does it offer? What safeguards are in place? Is it safe? Read More in an article elsewhere on MakeUseOf. The app has been around since 2014. You’ll find it in all versions of the iPhone 6, 7, 8, and X. You can use it to pay in stores, and if you own a Mac, you can also use it to make online payments.


Like many apps, Apple Pay’s principal security safeguard is tokenization. Instead of storing your actual credit card numbers on the device, the app creates virtual accounts numbers.

Tokenization works thanks to a complicated process of encryption. After you’ve entered your credit card details into the app, the device encrypts them and sends them to Apple’s servers. Upon receipt of the numbers, Apple decrypts them, adds your card’s payment network, and re-encrypts them with a key that only your card network can unlock.

The provider then authorizes the addition of the card, creates a device-specific Device Account Number (DAN), encrypts it, and sends it to Apple. Apple can’t decrypt it. Finally, Apple adds the DAN to the Secure Element (SE) on your phone. The Secure Element is an industry-standard technology which we’ll talk more about shortly.

most secure nfc payment app apple pay


Apple also protects you against loss How to Track and Locate Your iPhone Using Location Services You can track your iPhone and share or find its location using the iPhone Location Services feature. We show you how. Read More thanks to the Find My iPhone app. It lets you erase the device remotely and thus wipe any credit, debit, prepaid, and rewards cards you have saved. You can also use your Apple ID account page to notify your card providers. They will automatically block any payments made through the Apple ID app.

All sounds great, but Apple Pay does raise some privacy concerns. According to the app’s Terms of Service:

“Apple sends information about your iTunes and App Store account activity, information about your device, information about your device usage, and your location at the time that you add your credit, debit, or prepaid card to your bank or card issuer.”

Sounds worrying.


Android Pay

Many of the core security features of Android Pay are the same as Apple Pay. The process of tokenization is broadly similar, but with one fundamental difference.

most secure nfc payment app android pay

Instead of using the Secure Element to generate tokens, Android Pay uses a process known as Host Card Emulation (HCE).

Host Card Emulation has been part of the Android operating system since version 4.4. Instead of hosting payment credentials on a Secure Element inside a device, HCE places them in a remote environment and uses the cloud to communicate with the device.


This has some key benefits over a physical SE:

  • The storage space of a physical SE is limited, HCE storage is scalable.
  • An HCE element can draw on more computing power and thus implement more robust security measures.
  • Remote SEs deployed via HCE leads to fewer stakeholders and lower costs for the consumer.

However, there is one security drawback: because HCE relies on a remote Secure Element, it has to allow you to make payments while you’re offline. It’s like using a temporary credit card.

The window of opportunity doesn’t last long; eventually, you’ll have to reconnect to the server before you can make more payments. But it does mean that someone who comes into possession of your device and who knows your PIN number could disable your Wi-Fi and go on a mini-spending spree before you have time to react. The risk is minimal, but it exists.

Samsung Pay

The last one of the “big three” NFC payment apps is Samsung Pay. It’s the South Korean company’s answer to Apple Pay. Like Apple Pay, it’s a proprietary app that only runs on Samsung products.

Before we get into the app’s security details, it’s worth mentioning one feature that’s not offered by either Android or Apple. Samsung Pay supports NFC point-of-sale terminals and also works with the ubiquitous Magnetic Secure Transmission (MST) and Europay MasterCard Visa (EMV) readers. As such, it’s a more holistic product.

Samsung falls back on Samsung Knox to guard against suspicious activity. In turn, Knox is built on the ARM TrustZone architecture. TrustZone security has three facets, the TIMA KeyStore, real-time kernel protection, and attestation

Samsung phones take a leaf out of Apple’s book; the Secure Element is physically located on the device itself. HCE technology is not used. In the recent Samsung S8 phone The Greatest Smartphone You Shouldn't Buy: Samsung Galaxy S8 Review (and Giveaway!) The $800 Samsung Galaxy S8 is, without question, the best smartphone ever made. But you probably shouldn't buy one. Read More , digital security giant Gemalto was responsible for the SEs.

most secure nfc payment app samsung pay

When making payments, all three apps are very similar. You’ll need to use your PIN or biometric ID to authorize each payment. For larger amounts, you’ll typically have to supply a signature as well. Because of the tokenization process, the vendor will never see your card details.

If you lose your phone, you can use an online app that can block and wipe the Samsung Pay app remotely.

Should You Stick With Cash and Cards?

No app is perfect 5 NFC Security Issues to Consider Before Your Next Contactless Payment NFC contactless payments don't provide a cast iron guarantee of safety. Just like any financial transaction, there are weaknesses and loopholes. Consider these five NFC security issues before you make another contactless payment. Read More — hackers are always looking for loopholes and ways to exploit you and your data.

If you follow the tech news, you’ll occasionally see stories pop up that expose flaws in NFC apps. For example, in August 2016, a security researcher argued Samsung Pay’s tokens were not sufficiently randomized and could become predictable.

Similarly, in March 2016, experts argued criminals could load stolen credit cards onto Apple Pay, use them for a brief time, then discard the phone.

Of course, the situation is worrying. But NFC apps are all more secure than using cash and the traditional signature-to-authorize credit cards. Most importantly, as the technology matures further, the security of the apps is only going to improve.

Do You Use NFC Apps?

In this article, we’ve given you a brief introduction to the security features offered by three of the biggest payment apps in Europe and North America.

Do you use NFC apps? Do you trust them? Are they secure enough? And do you think they can replace cash Mobile Payments Are Coming -- Here's Why I'll Still Use Cash Mobile payments are all the rage with Android Pay, Apple Pay, and Samsung Pay all making a splash. But are they worth it? Read More ? You can leave all your opinions and feedback in the comments below. And remember to share this article with your followers on social media.

Image Credit: REDPIXEL/Depositphotos

Related topics: Contactless Payment, NFC, Online Privacy, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. George
    October 28, 2017 at 12:45 am

    OK, I know you’re all geeks, but starting a sentence, in fact the whole article with an undefined acronym is poor writing. Not once did you mention what NFC meant. Proper tech writing requires the spelling out of a term with the acronym in parentheses for the first use, use of acronym OK thereafter. E.g.: Near Field Communication (NFC) is becoming commonplace, but not as commonplace as the expression “Tap to Pay” is for the layperson.

  2. David Martchouk
    October 25, 2017 at 8:08 pm

    Lol, how can using NFC apps be more secure than cash? A bird will fly in and steal my cash while I am trying to pay for a product?

    Also, I am curious, what is your latest article on cards with tap and how insecure those are?

    • ReadandShare
      October 26, 2017 at 2:00 am

      Lose you cash / wallet and there's a good chance you kiss it goodbye.

      Lose your credit card - even if someone charges a trip to Las Vegas or whatever -- your bank will likely reimburse you if you report the theft 'in a timely manner' (usually within 30-60 days).

      Lose your phone (with the payment app and NFC feature) - the thief is unlikely to be able to buy or charge stuff without knowing your screen lock password. And even if the thief somehow could -- again, the issuing bank(s) of your credit cards will likely make you whole once you report the loss.

    • ReadandShare
      October 26, 2017 at 2:02 am

      I use Android Pay and I like the convenience and safety. Wish more merchants will participate (hey VONS!).