EMVCo SBMP Security Requirements: How Licel solutions can help you achieve EMVCo SBMP compliance.
What is EMVCo SBMP?
EMVCo SBMP is EMVCo’s security evaluation process for Software-Based Mobile Payment solutions. It is a globally-recognised and respected framework that evaluates and certifies the security of mobile applications that rely on software to protect sensitive data and processes.
Licel solutions - DexProtector, the Licel vTEE, and Alice Threat and Device Intelligence - help app developers achieve EMVCo SBMP compliance by enabling trusted execution of sensitive operations on consumer devices. While Licel solutions leverage secure hardware where available, they also address the limitations of these components by extending protection beyond what platform APIs or hardware security alone can offer. This allows for the robust protection of keys, code, and data throughout the app’s lifecycle.
The evolution of EMVCo SBMP
In January 2025, version 1.5 of the EMVCo SBMP requirements was released. This revised version adds to a rigorous evaluation framework, extending its focus to ecosystem-wide app-based financial interactions. Mobile app protection needs to be more precise these days to defend against sophisticated threats, and the latest version of the requirements recognizes this new reality.
Introducing Licel solutions: designed to mitigate modern threats
DexProtector: the complete package for app and SDK security.
DexProtector is a no-code security solution for Android and iOS applications, SDKs, and libraries. Its core mechanisms include integrity control, obfuscation, encryption, anti-tampering / debugging, root detection, anti-instrumentation, anti-emulation, and SSL Pinning.
Its anti-malware, UI protection, API protection, and Device Intelligence capabilities represent the cutting-edge of mobile application protection.
DexProtector, evaluated and approved by EMVCo for 5 consecutive years, provides the core security foundations to help you achieve EMVCo SBMP approval.
The Licel vTEE: a secure environment for trusted applications to perform sensitive transactions and operations.
The Licel Virtual Trusted Execution Environment offers greater flexibility and faster time-to-market compared to hardware TEEs, as it removes dependencies on specific OEM hardware. The upshot of this is a high, uniform level of security that can be deployed across your entire user base (and a wide range of Android and iOS devices). This consistency is crucial for both security and for simplifying the compliance process.
Speaking of compliance, it has been evaluated and approved under EMVCo’s SBMP for TEE category for both Android and iOS.
The Licel vTEE: write once, run everywhere - securely.
Alice Threat and Device Intelligence: real-time reporting about the threat landscape.
Alice is a threat intelligence and monitoring solution that receives and analyzes incident insights from DexProtected applications.
Alice's advanced device intelligence draws upon a rich set of risk signals based on hundreds of device and environment parameters.
This data about the threats facing your app and the wider industry helps you to bridge the gap between vigilance and action. Alice empowers you to strengthen your security posture both now and in the near future.
A proud legacy of EMVCo evaluation and approval
We understand how important compliance with EMVCo SBMP is for forward-thinking developers who value security. That’s why we also regularly have our own products evaluated by independent laboratories and approved by EMVCo. DexProtector has been evaluated and approved for 5 years in a row now as an EMVCo SBMP Software Protection Tool (SPT) - for both Android and iOS. And the Licel vTEE is currently the only TEE of any kind - either hardware or software - to be evaluated and approved under EMVCo SBMP TEE.
The upshot of this evaluation and approval is that our clients find it much easier to achieve EMVCo SBMP compliance for their own applications after partnering with us. That’s because many of the stringent security requirements are already fulfilled by our solutions.


EMVCo SBMP Security Requirements and Licel Solutions
Why Licel for EMVCo SBMP compliance?
- Evaluated and approved by EMVCo for 5 years running
- Designed to fulfill SBMP Software Protection Tool and vTEE requirements
- Full coverage of mobile channel protection: app, device, and backend protection
- Faster compliance, lower costs, and less development complexity
In the following paragraphs, we share some specific requirements within EMVCo SBMP and explain how Licel products can find a solution to these challenges.
2.4 Consumer Device Platform
2.4.1 Basic Platform
Requirement
“Therefore, the Mobile Application should implement countermeasures (e.g. white-box cryptography, obfuscation, and binary protection), make use of Software Protection Tools, and / or make use of a virtual TEE (vTEE) to enhance its security and protect sensitive information and security assets.”
Solution
DexProtector’s core mechanisms include binary protection to prevent static analysis. Obfuscation, encryption, virtualisation, and isolation harden your application, helping to prevent attackers from reverse engineering (and tampering with) it.
The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented. Cryptographic operations, key material, keys, and the execution of sensitive cryptographic algorithms are isolated and secured against external threats.
2.4.2 Enhanced Platform
Requirement
“The Mobile Application, or parts of it, can also be implemented as a Trusted Application (TA) in the Trusted Execution Environment (TEE) of the Consumer Device.”
Solution
The Licel vTEE enables you to run Trusted Applications (TA) within its trusted execution environment. This helps to bring security to inherently untrusted devices, on both platforms; Android and iOS.
3. Mobile Application Software Life Cycle and Best Practices
3.1.1 Application Design and Development: Secure Communication Channels
Requirement
“No matter how securely data is stored while at rest, it can still be at risk whilst in transit, so it must be protected accordingly.”
Solution
DexProtector comes with network communications protections to prevent man-in-the-middle attacks. These include Public Key Pinning and Certificate Transparency.
3.1.2 Application Design and Development: Platform Security
Requirement
“Ideally, the Mobile Application and its relying service-side and back-end controls should be able to monitor the platform it is running on, detect any abnormalities (e.g. reporting) that may arise in a compromised device, and act accordingly.”
Solution
DexProtector’s RASP Engine and Alice Threat and Device Intelligence work together to provide ongoing protections against threats in your application’s environment. The DexProtector RASP engine is able to detect and disallow instances of the app running on rooted devices and dynamic binary instrumentation tools such as Frida, for example. Alice then compiles and shares reports that detail anomalies so that you have a complete view of the threats your app is up against and how attacks are evolving over time.
3.1.3 Application and Device Attestation (1/2)
Requirement
“The Mobile Application should periodically check its own integrity and the status of the device. Depending on the solution model used, the integrity of the Mobile Application most likely relies on the underlying hardware and/or on server-side controls.”
Solution
Integrity control is a fundamental aspect of Licel’s solutions. One of DexProtector’s key goals is to make sure that you can trust that the application that you’ve created hasn’t been modified in some way - as a result of bad actors tampering with or patching your application’s binaries.
3.1.3 Application and Device Attestation (2/2)
Requirement
“Therefore, the security of the solution cannot rely solely on the security of the Mobile Application. It may also rely on the security status of the Consumer Device and on server-side components and controls. Server-side controls might be able to detect a software-based solution or device compromise either by transactional data analysis (e.g. monitoring and fraud detection) or by information explicitly provided by the device (e.g. device attestation).”
Solution
Licel’s solutions establish device trust through our proprietary attestation engine. This technology provides a cryptographically signed statement, anchored in the device's hardware-backed keystore, which proves the integrity of both the device and the calling application. This hardware-level proof is augmented by Alice's advanced device intelligence, which provides a rich set of risk signals based on hundreds of device and environment parameters. This combined, proprietary evidence is reported to the backend, enabling a highly confident decision on whether to trust the device before provisioning credentials.
3.3 User Enrolment
Requirement
“The user enrolment process must verify, through remote device attestation, whether the device is in a trusted state before releasing protected data to, or storing private information on, the Consumer Device.”
Solution
Licel solutions - and particularly DexProtector’s RASP engine allied with Alice Threat and Device Intelligence - provide vital information that determines (on the backend) whether it is communicating with a device that can be trusted. Licel solutions are the source of truth and can help transform inherently untrusted devices into those that can be trusted to handle sensitive payment data.
3.4 Provisioning and Credential Issuance
Requirement
“One will need to ensure that credentials are installed in and tightly bound to the right device, and that the process is not vulnerable to reverse engineering.”
Solution
The Licel vTEE carries out device binding to a specific user device using unique keys. This stops attackers tampering with your application or SDK, which means they cannot initiate fraudulent activity. Device binding is reinforced by DexProtector’s enhanced security measures, while Alice Threat and Device Intelligence’s anti-fraud mechanisms provide an additional layer of protection.
3.6 Monitoring and Reporting Information
Requirement
“Once the Mobile Application has been designed and built, it is important to develop monitoring and reporting functionality. This will enable relevant data to be retrieved and reported to control servers at specific points in the operation of the Mobile Application. The intelligent use of such data has several benefits, including:
• Early detection of malware on Consumer Devices: A control server can collect the type of information that, when used intelligently, will help to establish the nature and size of an attack on any given portfolio, thereby limiting the potential damage.
• Improvements in fraud detection: Fraud detection systems can draw on a more comprehensive set of data and will therefore become more adept at identifying potentially fraudulent transactions.
• Enhancing the user experience: This level of data can help back-end systems to make better-informed decisions on transaction authentication and authorisation, thereby reducing the need for repeated or intrusive consumer verification.
If a compromise is detected, appropriate action will need to be taken. Depending on the severity of the compromise, this could include a range of measures – from suspension of the payment capability and contacting the cardholder through full deactivation of the Mobile Application and deletion of all Card Credentials.”
Solution
Alice Threat and Device Intelligence enables you to increase observability over usage of your mobile apps, to identify malware, compromised devices, and suspicious activity, and to assess risk factors for each user session in real-time and retrospectively.
You can use the Alice API to retrieve Device Intelligence data for the current session and evaluate the risk profile. This profile encompasses a multitude of factors, enabling the system to assess the device's risk level comprehensively.
3.7 Mobile Application Security and Management (1/2)
Requirement
“From the outset, one should accept that the Mobile Application will be targeted by attackers – possibly through malware, reverse engineering, opportunism, or attempts to infiltrate relying websites or back-end systems. It is important to protect the Mobile Application against any unauthorised modification or updates and to ensure that it can verify its own integrity at least at runtime.”
Solution
Licel products protect your application across the entire mobile channel, providing solutions to stop some of the most damaging attacks facing mobile apps today. DexProtector’s RASP engine enables your application to protect itself at runtime and makes sure that the integrity of your app has not been compromised.
3.7 Mobile Application Security and Management (2/2)
Requirement
“As the Mobile Application is downloaded and installed on a potentially hostile device, it is highly likely that any unauthorized application modification or update is the result of either malware or a malicious user. The Mobile Application should not only be able to resist such attacks but should also be able to report them to the appropriate relying system or to act appropriately (stop execution).”
Solution
Licel’s Anti-Malware module provides apps with integrated malware and Potentially Harmful App detection capabilities. It checks for known malware signatures, as well as heuristic checks which flag indicators of potential interference by malware or PHAs.
The UI Protection Module prevents screen capture, protects sensitive user credentials, and reduces the threat of remote access fraud.
Alice Threat and Device Intelligence is fundamental to Licel's Anti-Malware and Device Intelligence solutions, with critical data accessible via the Alice Enterprise API to feed risk assessments in real-time and retrospectively.
3.7.1 Application and Platform Update Mechanism
Requirement
“The update mechanism must incorporate good version control, roll-back detection, as well as protection of the credential data. The Mobile Application might depend on the underlying platform to securely implement this functionality.”
Solution
The Licel vTEE comes with built-in downgrade and replay attack protection on the client side, and DexProtector's Mobile API Protection feature offers the capability to secure backend APIs from equivalent types of abuse.
4. Mobile Application Security Architecture
4.1 Architecture of the Mobile Application
Requirement
“The level of protection required will depend on the lifetime of those assets and their sensitivity. The lifetime or sensitivity must be reduced (for example, by enhancing back-end server functionality providing additional detection for compromised devices), or the assets must be moved to a more secure location such as within a TEE. Additionally, mobile application protection must be applied (for example, white-box crypto, obfuscation, and binary protection), to augment the risk protection provided by the platform and server-side components.”
Solution
A combination of DexProtector and the Licel vTEE - both of which are also evaluated and approved by EMVCo under SBMP and SBMP TEE respectively - provide enhanced protection for business critical mobile apps that carry out sensitive transactions and operations. DexProtector’s core security mechanisms include obfuscation, encryption, RASP, and integrity control to protect against any kind of tampering of the application’s binaries. The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented, which helps to prevent attackers from stealing ultra-sensitive data such as payment credentials, tokenised cards, and protected health information (PHI).
4.2.3 Payment Threats
Requirement
Protection against:
“The successful deployment of an attack (especially one that can infect and spread to multiple Consumer Devices) which proceeds undetected (for a period of time) and delivers active assets from compromised devices to unauthorized devices.
An attack which enables an unauthorized party to perform fraudulent payments via remote access to legitimate devices that have been compromised.
Mobile Application cloning where a single compromised Consumer Device duplicates (clones) its assets to unauthorized devices or where data is selectively duplicated so that multiple (partial) clones may all transact without detection.”
Solution
Licel’s Anti-Malware module comes with integrated malware and Potentially Harmful App detection capabilities. It checks for known malware signatures and heuristic checks which detect and disallow potential interference by malware or PHAs.
Licel’s UI Protection Module also prevents screen capture, protects sensitive payment credentials, and reduces the threat of remote access fraud.
The multiple layers of protection offered by DexProtector’s RASP engine, Alice, and Licel’s Device ID module also make cloning much more difficult to carry out. Even the tiniest difference in a device can be detected; what is more, the data is cryptographically bound to the legitimate device, meaning it is almost impossible to clone that data onto another device.
6. Attacks
The attack scenarios below are set out within the EMVCo SBMP requirements. For each of them we explain how Licel solutions can stop them succeeding.
Bypass mobile platform (e.g. OS) security controls
Gain privileged access to Mobile Application processing and assets
Attack Path: A malware infection uses a published exploit or zero-day attack targeted at a specific platform vulnerability which can be used to escalate privilege
Solution
In this scenario, Licel’s Anti-Malware module would detect and report the presence of the malware, enabling you to restrict activity and block sensitive transactions and operations on the app. As a result, the malware would be unable to extract sensitive information from the application.
The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented. And so cryptographic operations, key material, keys, and the execution of sensitive cryptographic algorithms are isolated and secured against external threats.
Reverse engineer Mobile Application source code
Recover sensitive source code and extract sensitive Mobile Application assets.
Attack Path: Native code disassembly // Java code de-compilation // Code structure analysis // Asset extraction // Roll-back to previous version of Mobile Application
Solution
DexProtector’s security mechanisms protect against both static and dynamic tampering and reverse engineering. Robust code obfuscation and asset encryption help to prevent static attacks, while DexProtector’s RASP engine detects and disallows dynamic instrumentation tools like Frida.
Modify Mobile Application code
Alter behaviour of Mobile Application.
Attack Path: Code is modified or malicious code injected, for example to present false information to the user
Solution
DexProtector signs the application, using dynamically reconstructed keys. That means it easily detects changes in the app - even the smallest modification to the code will result in a false signal and the app not functioning. This is reinforced by other integrity checks and runtime protection mechanisms.
Exploit interfaces between components
Abuse the interfaces between the components that make up the payment application.
Attack Path:
- Masquerade as a legitimate payment application in the REE interacting with a trusted application in the TEE.
- Compromise the results of consumer authentication, thereby fooling the Mobile Application into believing that CDCVM has been performed.
- Compromise payment application functionality to relay sufficient information to a remote endpoint, enabling payment to occur with that remote endpoint.
Solution
Mutual authentication of different components of the app is vital. Licel protection layers are bound cryptographically, from tamper-proofing against both static and dynamic attacks, to eliminating the possibility of interference via dynamic instrumentation tools. They secure inter-process communication across the whole mobile channel.
Extract assets in runtime
Recover assets from an application running under the attacker’s control.
Attack Path: The application is executed under debugger, emulator, or dynamic binary instrumentation (DBI). The attacker intercepts plaintext assets at the time they are being processed in memory.
Solution
DexProtector’s RASP engine detects runtime threats such as debuggers, emulators, and dynamic binary instrumentation tools such as Frida; it can be configured to prevent the application from running once detected. Alice Threat and Device Intelligence also delivers reports to the backend about these incidents so that you can keep on top of the threats facing your application.
Modify mobile application code flow
Manipulate critical mobile application functionality.
Attack Path: The application is executed under debugger, emulator or DBI. The attacker injects malicious code that alters the logic of the application in order to perform fraudulent payments directly on the device, facilitate recovery of assets for off-device attacks, suppress reporting to backend, etc.
Solution
This attack scenario is made much more difficult to carry out by the DexProtector RASP engine, which is able to detect debuggers, emulators, and dynamic instrumentation tools such as Frida.
These attacks aren’t theoretical - they’re happening right now in the wild. Licel solutions help mobile apps stay compliant, resilient, and prepared for what’s next.
EMVCo SBMP compliance made easier: the big picture
We know that achieving (and continuing to achieve) EMVCo SBMP compliance can be quite daunting and resource heavy. Our mobile channel protection solutions are designed to facilitate the whole process for you.
Compliance without the stress
We’re committed to achieving the highest security standards ourselves, which is why we have also had DexProtector and the Licel vTEE evaluated by independent labs and approved by EMVCo. By integrating our solutions, you leverage pre-validated security frameworks that align perfectly with EMVCo SBMP requirements. The upshot of this is that you significantly reduce the time and costs associated with carrying out your own security assessments, which speeds up your time to market journey and reduces development costs.
Dealing with evolving threats
Part of the reason we get our own solutions tested and verified at least once a year is that threats evolve. We want to be absolutely certain that our products protect against the most sophisticated attacks out there and cover the latest requirements. Compliance is a continuous commitment, and so our solutions can help to make sure your application doesn’t just meet EMVCo SBMP requirements this year, but next year, and the year after that.
Save time and money
Costs and time commitments can rise quickly when when you’re aiming to meet stringent security standards like EMVCo SBMP. But the fact that Licel solutions have already been evaluated and approved means you can avoid repeated security validations which can be expensive and time-consuming. It also reduces the need for extensive custom development.
Get ahead of the competition
Achieving compliance with EMVCo SBMP is a good idea as, by doing so, you’re proving that your application is able to defend itself against the latest and most sophisticated security threats. But more than this, it positions your organisation as leader in secure mobile solutions, which can help to increase customer trust and confidence.
Want to streamline the EMVCo SBMP compliance journey?
Find out more about how our solutions can help.