How Google took a page from Apple to secure Android Pay

In case you missed it, Google launched a new mobile payment service at its annual I/O developers conference Thursday. It's called Android Pay. But didn't Google already have a mobile payment service? Yes, yes, Google Wallet. That's not going away--in fact, it's getting a reboot as a peer-to-peer payment service--but Android Pay works a lot more like Apple Pay than Google's last attempt.

That's a good thing. Google Wallet required you to wake your phone, open the Wallet app, and, if you had protected the app with a passcode, enter a PIN, all before waving your phone near the payment terminal. That's a lot of work.

Android Pay will work just like Apple Pay: Upload your card information to the app, and Google substitutes a virtual account number (a token) for your actual card number; each payment then carries a one-time cryptogram tied to that transaction, so the merchant never sees your real card number and a captured tap cannot simply be replayed. Then hold your Android phone near a payment terminal and watch the screen come to life with your cards already stored inside. Tap the card you want to use, and authenticate your purchase with your fingerprint (a feature like Touch ID that's new to Android M).

Sounds more than a little familiar.

Google gets serious about security--sort of

But Google was years ahead of Apple when it came to NFC payments, you say? Well, yes, but it certainly didn't perfect them. First, Google lacked support from three of the four big carriers, which were backing their own mobile payment service called Softcard, which recently folded into Google. The company also found a rival in Visa, which was also developing its own NFC payment option. And at last count just a few months ago, Google Wallet had support from just over 300,000 retail locations, a far cry from the 700,000-plus that are on board with Android Pay, plus the 1,000 apps that support Android Pay purchases.

Then there's the not-so-small issue of security, which Apple went to great lengths to get right. Android Pay uses tokenization, a virtual account number standing in for your real card number, just like Apple Pay. The big difference is where the payment credentials live. Apple Pay keeps them in a Secure Element, a dedicated tamper-resistant chip inside the phone that iOS and its apps cannot read directly. Android Pay uses Host Card Emulation (HCE), which Google Wallet had also used since Android 4.4: the card-emulation logic runs on the phone's main processor, and the token and its keys are provisioned from Google's servers and held in the app's storage rather than in separate hardware. That means the credential is only as safe as the operating system, so a rooted or compromised phone can expose it; HCE wallets compensate by issuing limited-use keys that are replaced frequently instead of one long-lived card key.
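To make the tokenization and limited-use-key ideas from the two paragraphs above concrete, here is a simplified model of the exchange between the phone, the merchant terminal and the issuer-side token vault. It is an added illustration written for this page, not code from the article, Google, or the EMV payment-token specification: the HMAC-SHA256 cryptogram, the 16-digit token format, the transaction counter and the per-key payment budget are all assumptions chosen to keep the example short, and the card number is a constructed test value.

```python
"""Toy payment-tokenization flow: token vault (issuer side) and HCE wallet
(device side).  Added example; the cryptogram construction, token format
and key budget are assumptions, not the real EMV scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def transaction_bytes(token: str, amount_cents: int, atc: int) -> bytes:
    """Data the cryptogram covers: the token, the amount and a counter (ATC)."""
    return f"{token}|{amount_cents}|{atc}".encode()


def make_cryptogram(luk: bytes, token: str, amount_cents: int, atc: int) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes stands in for the EMV cryptogram (assumption).
    return hmac.new(luk, transaction_bytes(token, amount_cents, atc), hashlib.sha256).digest()[:8]


@dataclass
class TokenRecord:
    pan: str                      # the real card number; never leaves the vault
    luk: bytes                    # limited-use key shared with exactly one device
    uses_left: int                # payments allowed before the key is retired
    seen_atcs: set = field(default_factory=set)


class TokenServiceProvider:
    """Issuer-side token vault: maps tokens to PANs and checks cryptograms."""

    def __init__(self) -> None:
        self.vault: dict = {}

    def provision(self, pan: str, uses: int) -> tuple:
        # Random surrogate number; it reveals nothing about the PAN.
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        luk = secrets.token_bytes(16)
        self.vault[token] = TokenRecord(pan=pan, luk=luk, uses_left=uses)
        return token, luk         # delivered to the phone over an authenticated channel

    def authorize(self, token: str, amount_cents: int, atc: int, cryptogram: bytes) -> tuple:
        rec = self.vault.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.uses_left <= 0:
            return False, "limited-use key exhausted"
        if atc in rec.seen_atcs:
            return False, "replay"
        expected = make_cryptogram(rec.luk, token, amount_cents, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        rec.seen_atcs.add(atc)
        rec.uses_left -= 1
        # Only here, inside the issuer domain, is the real PAN ever touched.
        return True, f"approved on card ending {rec.pan[-4:]}"


class PhoneWallet:
    """Device side (HCE): holds the token and LUK in app storage, never the PAN."""

    def __init__(self, token: str, luk: bytes) -> None:
        self.token, self.luk, self.atc = token, luk, 0

    def tap(self, amount_cents: int) -> dict:
        """Everything the merchant terminal receives from the phone."""
        self.atc += 1
        return {"token": self.token, "amount_cents": amount_cents, "atc": self.atc,
                "cryptogram": make_cryptogram(self.luk, self.token, amount_cents, self.atc)}


def demo() -> dict:
    """Enrols one constructed card, runs several taps, returns the issuer's decisions."""
    real_pan = "4111111111111111"          # constructed test PAN
    tsp = TokenServiceProvider()
    token, luk = tsp.provision(real_pan, uses=2)
    phone = PhoneWallet(token, luk)

    first = phone.tap(1999)
    outcomes = [
        tsp.authorize(**first),                                 # legitimate tap
        tsp.authorize(**first),                                 # same message replayed
        tsp.authorize(**dict(phone.tap(500), amount_cents=5)),  # amount altered in transit
        tsp.authorize(**phone.tap(500)),                        # second legitimate tap
        tsp.authorize(**phone.tap(100)),                        # key budget spent; re-provision needed
    ]
    return {"outcomes": outcomes,
            "pan_in_merchant_message": real_pan in repr(first)}


if __name__ == "__main__":
    for ok, why in demo()["outcomes"]:
        print("APPROVED" if ok else "DECLINED", why)
```

The merchant-facing message carries only the token, the amount, the counter and the cryptogram, which is the point of the scheme: a skimmed tap is useless elsewhere because the vault rejects replays and any change to the amount invalidates the cryptogram. What the model also shows is the HCE trade-off described above: the wallet's `luk` sits in ordinary app storage, so the damage from a compromised phone is bounded by the small `uses` budget rather than prevented by hardware.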

Keeping the credentials outside dedicated hardware can be off-putting. Google Wallet also stored all of your transaction information, including time, date, and geolocation, within the Wallet app. So helpful! And so creepy. Android Pay is now far more secure than its predecessor, thanks to tokenization and fingerprint authentication, though it sounds like the service still stores information on what you bought and when: you'll be able to see "transaction details right on your phone," Google said in a blog post announcing the new service.

No fingerprint? No problem

Google's biggest Android issue is fragmentation, the fact that not everyone can install the latest version of its OS at the same time, so it made Android Pay backward compatible with devices running KitKat and up (two OS versions ago). But only the latest version of Android supports fingerprint authentication for purchases, and not all Android phones have fingerprint sensors. If a phone lacks a sensor, or isn't running Android M, Android Pay falls back to the device's PIN, password or pattern unlock, giving up the convenience and the stronger binding to the user that fingerprint authentication was meant to add, and making the new feature new in name only on those phones.

Apple has the advantage of being able to push out software upgrades instantly, which means every iPhone owner with compatible hardware (6, 6 Plus, or Apple Watch) could immediately start using Apple Pay on launch day. And while it would be great if Apple fans with older iPhones could use Apple Pay, too, the security features just aren't in place (unless you have an iPhone 5, 5s, or 5c paired with an Apple Watch). Don't have a fingerprint sensor in your iPhone, or a Watch to pair with it? Sorry, no Apple Pay for you. Better safe than sorry.

But Google beefing up its mobile payment service to compete with Apple is good news, because it forces both companies to improve. For instance, Android Pay works with your rewards cards and loyalty programs, which Apple is reportedly planning to add to Apple Pay. Once retailers finally move to NFC payment terminals, paying for stuff with your phone instead of a physical card will at long last become the norm.


Stories by Caitlin McGarry
