
Mobile Wallet Security: Fast track your journey toward EMVCo certification.

Mobile wallets are more popular than ever, but that makes them a hot target.

The growth in usage of mobile wallets shows no signs of slowing down, thanks in part to the two trends below.

A post-covid surge in contactless payments:

One side effect of the COVID-19 pandemic was a hike in demand for contactless payment options. This habit shift has coincided with a greater adoption of NFC technology, which has led to an expectation of, and reliance on, quick digital transactions.

The expansion of digital banking:

Banks and other financial institutions are rushing to offer mobile wallets to complement more traditional banking services. Other trends, like Apple opening up NFC in the EU market, mean that there is more competition in the mobile wallet space.


Mobile wallet applications are at risk from tampering, man-in-the-middle attacks, malware, and more. That’s why enhanced protection is so important.

Sophisticated security threats can be disastrous for your business reputation and bottom line. EMVCo specifications act as a guide to help you mitigate these risks.

In the following paragraphs we’ll explore the two EMVCo specifications you need to comply with. We’ll also explain how Licel’s mobile wallet security solutions are tailor-made to help you meet your EMVCo certification needs.


Compliance with EMVCo security specifications.

Developers and providers of mobile wallets need to achieve EMVCo certification in order to get their solution to market. Specifications from EMVCo are vital guidelines for mitigating some of the most dangerous threats to your application. Compliance also helps you avoid mobile fraud and, in turn, makes sure you maintain the trust of your end users.

The two EMVCo specifications you need to comply with are:

  • Security Guidelines for TEE-based Mobile Payments: This specification focuses on the use of Trusted Execution Environments (TEEs) to help your wallet process sensitive transactions.
  • Security Guidelines for Software-based Mobile Payments: This specification addresses the security of software-only mobile payment solutions (including mobile wallets).

EMVCo Security Guidelines

TEE-based Mobile Payments.

This EMVCo specification provides detailed security measures for mobile payment solutions - including mobile wallet apps - that make use of trusted execution environments (TEEs). TEEs and vTEEs (virtual trusted execution environments) provide a secure area to store and process sensitive data, alongside a range of other enhanced protection measures.

EMVCo guidance is vital for developers of mobile wallets as they must use the enhanced protection that TEEs offer. What is more, global payment companies like Visa, Mastercard, American Express, and Discover require compliance with the guidelines for approving mobile wallet solutions.

Software-based Mobile Payments.

The EMVCo SBMP security specification provides a solid framework for protecting mobile wallet solutions. It is focused mainly on making sure that wallet apps running on consumer off-the-shelf devices (COTS) like smartphones and tablets can defend themselves from a variety of sophisticated threats.

It is a crucial specification to follow to get to market with your mobile wallet solution, prevent mobile fraud in its many guises and, ultimately, build consumer confidence in your solution.

What’s the difference between EMVCo’s Basic Platform and Enhanced Platform?

You’ll see reference to both “Basic” and “Enhanced” Platforms when reading about achieving EMVCo certification. So, what does each of them mean?

Basic Platform refers primarily to software-based app protection mechanisms, such as obfuscation, encryption, RASP, attestation, and integrity control.

Enhanced Platform involves additional security features including trusted execution environments to store and process sensitive code and data.

Basic and Enhanced Platforms in action: running an applet inside a vTEE.

Let’s take a look at an example of both Platforms in action:

The Licel Virtual Trusted Execution Environment (vTEE) is often used by our clients to run an applet. This trusted application benefits from advanced protection in the form of white-box cryptography, as well as device binding to prevent attackers from cloning app data from one device to another. The Licel vTEE also provides anti-downgrade and anti-replay protection for additional integrity.

And the Licel vTEE itself is protected by DexProtector’s multi-layered security mechanisms that are covered in EMVCo’s Basic Platform.

Combined, this represents the kind of advanced protection your mobile wallet solution needs to defend itself against modern attacks.


Licel’s security solutions can fast-track your EMVCo certification journey.

Licel’s suite of mobile channel protection solutions is ideally placed to speed up your time-to-market journey and save you money along the way.

The fact that our protection products are already evaluated and approved by EMVCo for the same specifications you need to comply with eliminates the most common compliance blockers.

Below we’ll highlight some of the key requirements in the EMVCo Security Guidelines for Software-based Mobile Payments specification (this includes TEE specific requirements covered in more detail in the TEE-based Mobile Payments guidelines).

We’ll also explain how each of our mobile channel security solutions solves the challenges posed.


5.2 MA-SEC-REQ-2: Asset Protection

Requirement

2.5 The security mechanisms used by the Mobile Application to protect the assets must be evaluated. If the mechanisms rely on the security of an underlying component (such as a TEE, white-box crypto, and obfuscation), then the security of the underlying component must also be evaluated and, where appropriate, certified.

Solution

DexProtector and the Licel vTEE are both evaluated and approved by EMVCo for the two specifications that are relevant for mobile wallet applications:

  • Security Guidelines for TEE-based Mobile Payments
  • Security Guidelines for Software-based Mobile Payments

5.3 MA-SEC-REQ-3: Mobile Application Protection (1)

Requirement

3.1 The Mobile Application must be securely installed.

3.2 The Mobile Application must be securely updated.

3.4 The Mobile Application must be protected against reverse engineering, unauthorized modification and update.

3.7 The integrity of the Mobile Application must be verified at and/or during runtime.

Solution

These requirements are satisfied by DexProtector’s robust obfuscation, encryption, and integrity control mechanisms.

DexProtector secures mobile wallet applications against both static and dynamic tampering and reverse engineering.

5.3 MA-SEC-REQ-3: Mobile Application Protection (2)

Requirement

3.8 The Mobile Application must not run on non-supported platforms and/or devices.

3.9 The Mobile Application must not run in audit, debug, or test mode.

3.10 The Mobile Application must not log sensitive data in plain (unencrypted) format.

3.11 If the Mobile Application and/or server-side detect any compromise, the Mobile Application must have the capability to be deactivated and to securely remove all sensitive data.

Solution

The DexProtector Runtime Engine’s RASP checks make sure that there are no threats in your mobile wallet application’s environment.

If any threats are detected, DexProtector can prevent the app from running.
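Requirement 3.10 is the one of this group that a development team most often has to enforce in its own code: whatever RASP does, a single `log.debug()` of a card number or PIN breaks compliance. The following is an added example, not Licel's or EMVCo's code, of a log sanitizer that redacts PIN, CVV and OTP fields and masks any Luhn-valid 13 to 19 digit number (a PAN) down to its last four digits, leaving other long numbers such as order IDs alone. The sample log lines are constructed; the card number in them is the widely used test PAN, not a real card.

```python
import logging
import re

# Constructed sample log lines for the demo (the PAN is a well-known test number).
SAMPLE_LOG = [
    "INFO tokenize card=4111111111111111 exp=12/27 cvv=123",
    "DEBUG pin entry pin=4821 attempts=1",
    "INFO provisioning token=tok_8f3a2c device=ab12cd34",
    "WARN order 1234567812345678 shipped",  # 16 digits, but fails Luhn: not a PAN
]

# Candidate PANs: 13 to 19 contiguous digits bounded by non-word characters.
PAN_RE = re.compile(r"\b\d{13,19}\b")
# Key=value fields whose values must never reach a log in the clear.
FIELD_RE = re.compile(r"\b(pin|cvv|cvc|password|otp)=(\S+)", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    pan = match.group(0)
    if not luhn_valid(pan):
        return pan              # ordinary number (order ID, timestamp), leave as-is
    return "*" * (len(pan) - 4) + pan[-4:]


def sanitize(line: str) -> str:
    """Redact secret fields first, then mask any Luhn-valid PAN in the remaining text."""
    line = FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return PAN_RE.sub(_mask_pan, line)


def sanitize_log(lines):
    """Sanitize a whole batch of log lines (used by the demo and the tests)."""
    return [sanitize(line) for line in lines]


class SanitizingFilter(logging.Filter):
    """Attach to a logger or handler so every record is scrubbed before formatting."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG, sanitize_log(SAMPLE_LOG)):
        print(f"{original!r:60} -> {cleaned!r}")
    log = logging.getLogger("wallet")
    log.addFilter(SanitizingFilter())
    logging.basicConfig(level=logging.DEBUG)
    log.debug("cardholder entered pin=%s for card=%s", "4821", "4111111111111111")
```

Attaching the filter at the logger level, as the `__main__` block does, means every handler downstream (console, file, crash reporter) receives the scrubbed record; a per-handler filter would protect only that handler.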

5.3 MA-SEC-REQ-3: Mobile Application Protection (3)

Requirement

3.3 There must be a secure binding of the Mobile Application with the Consumer Device once the Mobile Application is installed.

3.6 The Mobile Application must not allow a user-initiated roll-back to an earlier version that can transact successfully, unless explicitly allowed.

Solution

The Licel vTEE executes device binding, meaning that it isn’t possible for attackers to clone app data from one device to another.

It also comes with anti-downgrade functionality, which means bad actors cannot reinstate a previous version of the application that might have had an exploitable vulnerability.

5.6 MA-SEC-REQ-6: Reporting and Attestation (1)

Requirement

6.2 Any reporting communications, particularly error codes, must not reveal information that would aid an attacker in obtaining sensitive information.

6.3 If any compromises are detected, the Mobile Application must have the capability to report to a server-side and the user / owner of the mobile device.

6.4 If the Mobile Application relies on a server-side attestation reporting model, then the attestation protocol must implement mechanisms for:

  • source and data integrity, and,
  • timely reporting, to ensure that actions and responses delivered between the Mobile Application and the server result from, and reflect, the current state of the system.

Solution

Alice Threat Intelligence is our monitoring, reporting, and attestation solution. It securely transmits attack reporting data to the server side for analysis and displays it there.
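To make the three properties in 6.2 to 6.4 concrete, here is an added example (not Licel's Alice protocol, whose wire format is not described on this page) of a minimal server-side attestation exchange. The server issues a random nonce, the app returns its findings bound to that nonce under an HMAC, and the server checks integrity (the MAC), source (only a holder of the reporting key can produce it), and timeliness (the nonce is single-use and expires). Every rejection returns the same opaque code, so the client learns nothing about which check failed. The reporting key, instance ID and TTL are constructed values; in practice the key would be provisioned per device and held in the TEE or vTEE, which this demo assumes rather than implements.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. A real deployment provisions a per-device reporting key (assumption).
REPORTING_KEY = b"constructed-demo-reporting-key-not-for-production"
NONCE_TTL_SECONDS = 30
GENERIC_ERROR = {"status": "rejected", "code": "ATT-ERR"}   # 6.2: reveal nothing about why


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so app and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(key: bytes, challenge: dict, findings: list, app_instance_id: str) -> dict:
    """App side: bind findings to the server's nonce and authenticate the whole body."""
    body = {"nonce": challenge["nonce"], "app": app_instance_id, "findings": findings}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"type": "report", "body": body, "mac": mac}


class AttestationServer:
    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now                 # injectable clock so freshness can be tested
        self._outstanding = {}          # nonce -> time issued

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)   # 7.5: CSPRNG, 128 bits of unpredictability
        self._outstanding[nonce] = self._now()
        return {"type": "challenge", "nonce": nonce}

    def verify(self, report: dict) -> dict:
        try:
            body, tag = report["body"], bytes.fromhex(report["mac"])
        except (KeyError, TypeError, ValueError):
            return dict(GENERIC_ERROR)
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # 6.4: data integrity and source
            return dict(GENERIC_ERROR)
        issued = self._outstanding.pop(body.get("nonce"), None)   # single use: replay fails
        if issued is None or self._now() - issued > NONCE_TTL_SECONDS:   # 6.4: timeliness
            return dict(GENERIC_ERROR)
        return {"status": "accepted", "compromised": bool(body.get("findings"))}


def demo():
    """One honest exchange, then a replay, a tampered report and a stale one."""
    clock = [1_700_000_000.0]
    server = AttestationServer(REPORTING_KEY, now=lambda: clock[0])

    ch = server.challenge()
    report = build_report(REPORTING_KEY, ch, ["debugger_attached"], "app-demo-01")
    fresh = server.verify(report)
    replay = server.verify(report)                   # same nonce again

    ch2 = server.challenge()
    tampered = build_report(REPORTING_KEY, ch2, ["root_detected"], "app-demo-01")
    tampered["body"]["findings"] = []                # findings stripped after signing
    tampered_verdict = server.verify(tampered)

    ch3 = server.challenge()
    clock[0] += NONCE_TTL_SECONDS + 1                # report arrives too late
    stale = server.verify(build_report(REPORTING_KEY, ch3, [], "app-demo-01"))
    return fresh, replay, tampered_verdict, stale


if __name__ == "__main__":
    for label, verdict in zip(["fresh", "replay", "tampered", "stale"], demo()):
        print(f"{label:9} -> {verdict}")
```

The detailed reason for each rejection belongs in the server's own log, not in the response; the app only needs to know that the report was not accepted so it can retry with a new challenge.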

5.6 MA-SEC-REQ-6: Reporting and Attestation (2)

Requirement

6.1 Account information and authentication data used for security reporting must be protected from unauthorized disclosure and modification.

6.5 If the Mobile Application relies on a server-side attestation reporting model, file integrity protection must be applied to configuration files, executables, and public keys/certificates used for security services on any back-end components of the attestation system.

6.6 Any reporting or attestation mechanisms must not interrupt payment transaction processing.

Solution

DexProtector and Alice often work in tandem to create multiple layers of protection. Such is the case with these reporting and attestation requirements.

DexProtector’s security mechanisms to prevent tampering and reverse engineering (as well as its integrity controls) are put to use to protect data used for security reporting.

5.7 MA-SEC-REQ-7: Cryptographic Keys, Methods, and Random Numbers

Requirement

7.5 Random number generators (e.g. for unpredictable numbers) must have sufficient entropy for the required security level of the function for which they are used within the Mobile Application.

7.6 Data and cryptographic keys requiring encryption must be protected with cryptographic keys bound to the Mobile Application and Consumer Device (i.e. must be device and application bound). Keys must not be exported in plain text.

Solution

The Licel vTEE takes care of all cryptographic processes during runtime - isolated from other processes.

Mobile wallet application key material is automatically encrypted by device-specific Key Encryption Keys (KEKs) using white-box cryptography.
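The phrase "bound to the Mobile Application and Consumer Device" in 7.6 has a precise meaning: the KEK is a deterministic function of a device-held secret plus identifiers of the device and the application, so the same wrapped material is useless on another device or in another app. The following added example (not Licel's vTEE or white-box implementation, whose internals are not on this page) derives such a KEK with HKDF-SHA256 (RFC 5869), implemented from the standard library and checked against the RFC's first test vector. The device secret and identifiers are constructed; a real design would source the secret from hardware or the vTEE, and the wrapping of key material under the derived KEK is a separate step not shown here.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# RFC 5869, Appendix A, test case 1 (SHA-256), used as a self-check of the implementation.
RFC5869_TEST1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    ),
}


def hkdf_self_test() -> bool:
    t = RFC5869_TEST1
    return hkdf(t["salt"], t["ikm"], t["info"], 42) == t["okm"]


def derive_kek(device_secret: bytes, device_id: str, app_id: str,
               salt: bytes = b"wallet-kek-v1") -> bytes:
    """Derive a 256-bit KEK bound to this device and this application.

    The info string carries both identifiers, so changing either yields an unrelated key.
    The salt is a fixed, versioned label so the KEK can be rotated by bumping it.
    """
    info = b"KEK|" + device_id.encode() + b"|" + app_id.encode()
    return hkdf(salt, device_secret, info, 32)


# Constructed device secrets standing in for a hardware- or vTEE-held root secret.
DEVICE_A_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEVICE_B_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")


def binding_demo() -> dict:
    """Show the binding properties: stable on one device+app, different elsewhere."""
    kek_a = derive_kek(DEVICE_A_SECRET, "device-A", "com.example.wallet")
    kek_a_again = derive_kek(DEVICE_A_SECRET, "device-A", "com.example.wallet")
    kek_other_app = derive_kek(DEVICE_A_SECRET, "device-A", "com.example.other")
    kek_b = derive_kek(DEVICE_B_SECRET, "device-B", "com.example.wallet")
    return {
        "stable": kek_a == kek_a_again,
        "app_bound": kek_a != kek_other_app,
        "device_bound": kek_a != kek_b,
    }


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", hkdf_self_test())
    print(binding_demo())
```

The derived KEK is only ever used inside the process to wrap other keys; what leaves the device is the wrapped material plus the identifiers needed to rederive the KEK, never the KEK or the device secret themselves, which is what "must not be exported in plain text" requires.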


Get complete mobile channel protection for your SoftPOS solution.

DexProtector: the complete package for app and SDK security.

DexProtector is a no-code security solution for Android and iOS applications, SDKs, and libraries. Its core mechanisms include anti-tampering, anti-reverse engineering, and network security.

Its anti-malware capabilities, UI protection, API protection, and OTP generation represent the cutting-edge of mobile application protection.

DexProtector provides the core security foundations covered in EMVCo SBMP. It has been EMVCo approved for 4 consecutive years.


Alice Threat Intelligence: real-time reporting about the threat landscape.

Alice is a threat intelligence and monitoring solution that shares attack data about the threats facing your app and the wider industry.

It represents a key facet of EMVCo's Reporting and Attestation requirements.


The Licel vTEE: designed to facilitate secure mobile transactions.

The Licel vTEE has been evaluated and approved under EMVCo’s SBMP for TEE category.

Designed to satisfy both PCI and EMVCo requirements, the Licel vTEE is faster and more flexible than hardware TEEs. This flexibility can help to fast-track your bid for certification.


We also help you to solve other mobile payment security challenges.

Licel’s security solutions solve other problems and safeguard against some of the most sophisticated threats your mobile wallet application might be up against.

Below, we’ll cover some of the most common concerns that we hear from our clients who are aiming to get EMVCo certification for their mobile wallet. Please do get in touch with us if you have other queries that aren’t covered here.

“We need a security solution that works for both platforms — Android and iOS.”

Licel’s security solutions work just as well on both platforms. DexProtector, for example, is set up to run seamlessly on iOS, with no need for bitcode or awkward SDKs. It was also the first software protection tool evaluated and approved by EMVCo for both Android and iOS and was recently re-approved for the 4th year in a row.

“We need our mobile wallet solution to defend itself against fraud.”

Licel’s mobile-channel protection solutions provide robust defense against the growing threat of fraud.

Alice provides a constant stream of insightful data about current and emerging threats to your mobile wallet solution, be that dangerous malware variants or new types of attacks that target mobile transaction systems. DexProtector’s root and branch security mechanisms make fraud infinitely more difficult for bad actors to achieve.

“We’re worried about the impact of mobile malware.”

Licel’s anti-malware approach is powerful and involves both Alice and DexProtector.

Among other attack data, Alice Threat Intelligence reports on the latest trojans that pose a risk to your mobile wallet solution so that you’re one step ahead and can configure your security posture effectively. The latest Alice anti-malware updates even enable you to configure your application protection behavior based on the category of malware it has detected.

DexProtector mitigates the malware threat in two main ways:

Firstly, its runtime engine scans devices for malware and potentially harmful apps; if it finds something, then depending on the configuration it either closes the app or it reports the incident containing the data of its findings to the host app. Secondly, DexProtector uses UI protection to prevent malware from carrying out its go-to method of capturing screens or logging the keys (for example the PIN used by end users).

“We need to protect our mobile wallet solution from IP theft.”

We understand that your competitive advantage lies in your IP — and that needs to remain hidden from bad actors.

DexProtector’s code hardening and runtime protection mechanisms stop attackers from reverse engineering, tampering with, and stealing IP.

“We need to guard against man-in-the-middle attacks and other network threats.”

DexProtector’s communication hardening measures (Certificate Transparency protocols and Public Key Pinning) stop bad actors from intercepting sensitive materials and data travelling from the application to the backend.

“We need to achieve EMVCo certification straight away and minimize time to market.”

At Licel we have a strong track record of helping mobile wallet solutions attain EMVCo compliance speedily, saving our clients both time and money.

The fact that our solutions hold EMVCo approval themselves (both SBMP and SBMP for TEE) makes a massive difference. Certification labs already know that our solutions meet the most stringent EMVCo requirements, which acts as a significant time saver in the certification process and can also save you money as you won’t need to apply more than once.

Our protection products are easy to test and integrate. DexProtector can be run locally and offline, or you can automatically integrate it with Android Studio, Xcode, or simply include it as part of your CI/CD builds. It’s also a no-code solution that applies protection automatically to APKs, AABs, AARs, IPAs, Frameworks, and XCFrameworks.


Ready to get a head start with your EMVCo certification?