EMVCo SBMP Security Requirements: How Licel solutions can help you achieve EMVCo SBMP compliance.

“Therefore, the Mobile Application should implement countermeasures (e.g. white-box cryptography, obfuscation, and binary protection), make use of Software Protection Tools, and / or make use of a virtual TEE (vTEE) to enhance its security and protect sensitive information and security assets.”

DexProtector’s core mechanisms include binary protection to prevent static analysis. Obfuscation, encryption, virtualisation, and isolation harden your application, helping to prevent attackers from reverse engineering (and tampering with) it.

The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented. Cryptographic operations, key material, keys, and the execution of sensitive cryptographic algorithms are isolated and secured against external threats.

“The Mobile Application, or parts of it, can also be implemented as a Trusted Application (TA) in the Trusted Execution Environment (TEE) of the Consumer Device.”

The Licel vTEE enables you to run Trusted Applications (TA) within its trusted execution environment. This helps to bring security to inherently untrusted devices, on both platforms; Android and iOS.

More about Trusted Applications.

“No matter how securely data is stored while at rest, it can still be at risk whilst in transit, so it must be protected accordingly.”

DexProtector comes with network communications protections to prevent man-in-the-middle attacks. These include Public Key Pinning and Certificate Transparency.

“Ideally, the Mobile Application and its relying service-side and back-end controls should be able to monitor the platform it is running on, detect any abnormalities (e.g. reporting) that may arise in a compromised device, and act accordingly.”

DexProtector’s RASP Engine and Alice Threat and Device Intelligence work together to provide ongoing protections against threats in your application’s environment. The DexProtector RASP engine is able to detect and disallow instances of the app running on rooted devices and dynamic binary instrumentation tools such as Frida, for example. Alice then compiles and shares reports that detail anomalies so that you have a complete view of the threats your app is up against and how attacks are evolving over time.  

“The Mobile Application should periodically check its own integrity and the status of the device. Depending on the solution model used, the integrity of the Mobile Application most likely relies on the underlying hardware and/or on server-side controls.”

Integrity control is a fundamental aspect of Licel’s solutions. One of DexProtector’s key goals is to make sure that you can trust that the application that you’ve created hasn’t been modified in some way - as a result of bad actors tampering with or patching your application’s binaries.

“Therefore, the security of the solution cannot rely solely on the security of the Mobile Application. It may also rely on the security status of the Consumer Device and on server-side components and controls. Server-side controls might be able to detect a software-based solution or device compromise either by transactional data analysis (e.g. monitoring and fraud detection) or by information explicitly provided by the device (e.g. device attestation).”

Licel’s solutions establish device trust through our proprietary attestation engine. This technology provides a cryptographically signed statement, anchored in the device's hardware-backed keystore, which proves the integrity of both the device and the calling application. This hardware-level proof is augmented by Alice's advanced device intelligence, which provides a rich set of risk signals based on hundreds of device and environment parameters. This combined, proprietary evidence is reported to the backend, enabling a highly confident decision on whether to trust the device before provisioning credentials.

“The user enrolment process must verify, through remote device attestation, whether the device is in a trusted state before releasing protected data to, or storing private information on, the Consumer Device.”

Licel solutions - and particularly DexProtector’s RASP engine allied with Alice Threat and Device Intelligence - provide vital information that determines (on the backend) whether it is communicating with a device that can be trusted. Licel solutions are the source of truth and can help transform inherently untrusted devices into those that can be trusted to handle sensitive payment data.

“One will need to ensure that credentials are installed in and tightly bound to the right device, and that the process is not vulnerable to reverse engineering.”

The Licel vTEE carries out device binding to a specific user device using unique keys. This stops attackers tampering with your application or SDK, which means they cannot initiate fraudulent activity. Device binding is reinforced by DexProtector’s enhanced security measures, while Alice Threat and Device Intelligence’s anti-fraud mechanisms provide an additional layer of protection.

“Once the Mobile Application has been designed and built, it is important to develop monitoring and reporting functionality. This will enable relevant data to be retrieved and reported to control servers at specific points in the operation of the Mobile Application. The intelligent use of such data has several benefits, including:

• Early detection of malware on Consumer Devices: A control server can collect the type of information that, when used intelligently, will help to establish the nature and size of an attack on any given portfolio, thereby limiting the potential damage.

• Improvements in fraud detection: Fraud detection systems can draw on a more comprehensive set of data and will therefore become more adept at identifying potentially fraudulent transactions.

• Enhancing the user experience: This level of data can help back-end systems to make better-informed decisions on transaction authentication and authorisation, thereby reducing the need for repeated or intrusive consumer verification.

If a compromise is detected, appropriate action will need to be taken. Depending on the severity of the compromise, this could include a range of measures – from suspension of the payment capability and contacting the cardholder through full deactivation of the Mobile Application and deletion of all Card Credentials.”

Alice Threat and Device Intelligence enables you to increase observability over usage of your mobile apps, to identify malware, compromised devices, and suspicious activity, and to assess risk factors for each user session in real-time and retrospectively.

You can use the Alice API to retrieve Device Intelligence data for the current session and evaluate the risk profile. This profile encompasses a multitude of factors, enabling the system to assess the device's risk level comprehensively.

“From the outset, one should accept that the Mobile Application will be targeted by attackers – possibly through malware, reverse engineering, opportunism, or attempts to infiltrate relying websites or back-end systems. It is important to protect the Mobile Application against any unauthorised modification or updates and to ensure that it can verify its own integrity at least at runtime.”

Licel products protect your application across the entire mobile channel, providing solutions to stop some of the most damaging attacks facing mobile apps today. DexProtector’s RASP engine enables your application to protect itself at runtime and makes sure that the integrity of your app has not been compromised.

“As the Mobile Application is downloaded and installed on a potentially hostile device, it is highly likely that any unauthorized application modification or update is the result of either malware or a malicious user. The Mobile Application should not only be able to resist such attacks but should also be able to report them to the appropriate relying system or to act appropriately (stop execution).”

Licel’s Anti-Malware module provides apps with integrated malware and Potentially Harmful App detection capabilities. It checks for known malware signatures, as well as heuristic checks which flag indicators of potential interference by malware or PHAs. 

The UI Protection Module prevents screen capture, protects sensitive user credentials, and reduces the threat of remote access fraud.

Alice Threat and Device Intelligence is fundamental to Licel's Anti-Malware and Device Intelligence solutions, with critical data accessible via the Alice Enterprise API to feed risk assessments in real-time and retrospectively. 

“The update mechanism must incorporate good version control, roll-back detection, as well as protection of the credential data. The Mobile Application might depend on the underlying platform to securely implement this functionality.”

The Licel vTEE comes with built-in downgrade and replay attack protection on the client side, and DexProtector's Mobile API Protection feature offers the capability to secure backend APIs from equivalent types of abuse.

“The level of protection required will depend on the lifetime of those assets and their sensitivity. The lifetime or sensitivity must be reduced (for example, by enhancing back-end server functionality providing additional detection for compromised devices), or the assets must be moved to a more secure location such as within a TEE. Additionally, mobile application protection must be applied (for example, white-box crypto, obfuscation, and binary protection), to augment the risk protection provided by the platform and server-side components.”

A combination of DexProtector and the Licel vTEE - both of which are also evaluated and approved by EMVCo under SBMP and SBMP TEE respectively - provide enhanced protection for business critical mobile apps that carry out sensitive transactions and operations. DexProtector’s core security mechanisms include obfuscation, encryption, RASP, and integrity control to protect against any kind of tampering of the application’s binaries. The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented, which helps to prevent attackers from stealing ultra-sensitive data such as payment credentials, tokenised cards, and protected health information (PHI). 

Protection against:

“The successful deployment of an attack (especially one that can infect and spread to multiple Consumer Devices) which proceeds undetected (for a period of time) and delivers active assets from compromised devices to unauthorized devices.

An attack which enables an unauthorized party to perform fraudulent payments via remote access to legitimate devices that have been compromised.

Mobile Application cloning where a single compromised Consumer Device duplicates (clones) its assets to unauthorized devices or where data is selectively duplicated so that multiple (partial) clones may all transact without detection.”

Licel’s Anti-Malware module comes with integrated malware and Potentially Harmful App detection capabilities. It checks for known malware signatures and heuristic checks which detect and disallow potential interference by malware or PHAs. 

Licel’s UI Protection Module also prevents screen capture, protects sensitive payment credentials, and reduces the threat of remote access fraud.

The multiple layers of protection offered by DexProtector’s RASP engine, Alice, and Licel’s Device ID module also make cloning much more difficult to carry out. Even the tiniest difference in a device can be detected; what is more, the data is cryptographically bound to the legitimate device, meaning it is almost impossible to clone that data onto another device.

Attack Path: A malware infection uses a published exploit or zero-day attack targeted at a specific platform vulnerability which can be used to escalate privilege

In this scenario, Licel’s Anti-Malware module would detect and report the presence of the malware, enabling you to restrict activity and block sensitive transactions and operations on the app. As a result, the malware would be unable to extract sensitive information from the application. 



The Licel vTEE comes with white-box cryptography and a virtual trusted execution environment automatically implemented. And so cryptographic operations, key material, keys, and the execution of sensitive cryptographic algorithms are isolated and secured against external threats.

Attack Path: Native code disassembly // Java code de-compilation // Code structure analysis // Asset extraction // Roll-back to previous version of Mobile Application

DexProtector’s security mechanisms protect against both static and dynamic tampering and reverse engineering. Robust code obfuscation and asset encryption help to prevent static attacks, while DexProtector’s RASP engine detects and disallows dynamic instrumentation tools like Frida.

Attack Path: Code is modified or malicious code injected, for example to present false information to the user

DexProtector signs the application, using dynamically reconstructed keys. That means it easily detects changes in the app - even the smallest modification to the code will result in a false signal and the app not functioning. This is reinforced by other integrity checks and runtime protection mechanisms.

Attack Path:

Mutual authentication of different components of the app is vital. Licel protection layers are bound cryptographically, from tamper-proofing against both static and dynamic attacks, to eliminating the possibility of interference via dynamic instrumentation tools. They secure inter-process communication across the whole mobile channel.

Attack Path: The application is executed under debugger, emulator, or dynamic binary instrumentation (DBI). The attacker intercepts plaintext assets at the time they are being processed in memory.

DexProtector’s RASP engine detects runtime threats such as debuggers, emulators, and dynamic binary instrumentation tools such as Frida; it can be configured to prevent the application from running once detected. Alice Threat and Device Intelligence also delivers reports to the backend about these incidents so that you can keep on top of the threats facing your application.

Attack Path: The application is executed under debugger, emulator or DBI. The attacker injects malicious code that alters the logic of the application in order to perform fraudulent payments directly on the device, facilitate recovery of assets for off-device attacks, suppress reporting to backend, etc.

This attack scenario is made much more difficult to carry out by the DexProtector RASP engine, which is able to detect debuggers, emulators, and dynamic instrumentation tools such as Frida.