preisschild 7 hours ago
Google Pay requires SafetyNet verification, which means it only works with a Google-approved hardware & software combination, so not with GrapheneOS for example... I hate that banks use this proprietary "standard" for NFC payments
Arch-TK an hour ago
SafetyNet works in GrapheneOS. What Google Pay requires is that the attested signature is trusted by them; a lot of apps, including many banking apps (at least in the UK), use SafetyNet but do not require that the signature be trusted.
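The distinction Arch-TK draws (an app merely using SafetyNet versus requiring that the attested result be one Google trusts) shows up on the server side as the policy a backend applies to the SafetyNet Attestation API verdict: the returned JWS carries separate basicIntegrity and ctsProfileMatch booleans next to the nonce, timestamp, package name and APK signing-certificate digest, and it is the backend that decides which of those to demand. The following is an added example written for this page (Python); it is not code from the thread, from Google, or from any banking app. Google's real verdict is RS256-signed with an x5c certificate chain whose leaf is issued to attest.android.com; so that this runs offline, the constructed demo token is HS256-signed with a made-up key and the signature check is a pluggable callable that a real deployment would replace with chain validation. The package name, nonce, key, timestamps and certificate digest are all constructed.

```python
"""Server-side policy check over a SafetyNet Attestation API verdict (JWS).

Added example, not from the thread.  Assumption: the demo token is HS256-signed
with a made-up key so the example runs offline; Google's real verdict is RS256
with an x5c chain (leaf issued to attest.android.com), so `verify_sig` would be
replaced by a chain check in production.  All claim values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_jws(token: str):
    """Split a compact JWS into (header, claims, signing_input, signature)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    return header, claims, f"{h}.{p}".encode(), b64url_decode(s)


def make_hs256_verifier(key: bytes):
    """Demo-only signature check (assumption: HS256 stands in for RS256/x5c)."""
    def verify(header, signing_input, sig):
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, sig)
    return verify


def check_verdict(token, verify_sig, *, expected_nonce, package_name,
                  allowed_cert_digests, strict, max_age_ms=60_000, now_ms=None):
    """Return (accepted, reasons).  `strict=True` additionally demands ctsProfileMatch;
    `strict=False` is the policy of an app that only insists on basicIntegrity."""
    header, claims, signing_input, sig = parse_jws(token)
    if not verify_sig(header, signing_input, sig):
        return False, ["signature invalid"]          # nothing below can be trusted
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    # The nonce binds the verdict to this server's challenge (anti-replay).
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        reasons.append("nonce mismatch (replayed or foreign verdict)")
    ts = int(claims.get("timestampMs", 0))
    if not (now_ms - max_age_ms <= ts <= now_ms + 5_000):
        reasons.append("timestamp outside freshness window")
    if claims.get("apkPackageName") != package_name:
        reasons.append("package name mismatch")
    if not set(claims.get("apkCertificateDigestSha256", [])) & allowed_cert_digests:
        reasons.append("APK signing certificate not recognised")
    if claims.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false")
    if strict and claims.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false (device/OS not Google-certified)")
    return not reasons, reasons


# ---- constructed demo data -------------------------------------------------
DEMO_KEY = b"demo-key-not-google"                    # assumption: demo HS256 key
DEMO_VERIFIER = make_hs256_verifier(DEMO_KEY)
NOW_MS = 1_700_000_000_000                           # fixed clock for the demo
NONCE = base64.b64encode(b"server-challenge-0001").decode()
DIGEST = base64.b64encode(hashlib.sha256(b"demo signing cert").digest()).decode()


def sign_demo(claims: dict) -> str:
    h = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed verdict for a device that passes basicIntegrity but not ctsProfileMatch.
DEMO_VERDICT = sign_demo({
    "nonce": NONCE, "timestampMs": NOW_MS - 5_000,
    "apkPackageName": "com.example.bank", "apkCertificateDigestSha256": [DIGEST],
    "ctsProfileMatch": False, "basicIntegrity": True, "evaluationType": "HARDWARE_BACKED",
})


def demo(strict: bool):
    return check_verdict(DEMO_VERDICT, DEMO_VERIFIER, expected_nonce=NONCE,
                         package_name="com.example.bank", allowed_cert_digests={DIGEST},
                         strict=strict, now_ms=NOW_MS)


def demo_tampered():
    """Flip ctsProfileMatch in the payload without re-signing: must fail on signature."""
    h, p, s = DEMO_VERDICT.split(".")
    claims = json.loads(b64url_decode(p))
    claims["ctsProfileMatch"] = True
    forged = f"{h}.{b64url_encode(json.dumps(claims).encode())}.{s}"
    return check_verdict(forged, DEMO_VERIFIER, expected_nonce=NONCE,
                         package_name="com.example.bank", allowed_cert_digests={DIGEST},
                         strict=True, now_ms=NOW_MS)


if __name__ == "__main__":
    print("lenient:", demo(strict=False))
    print("strict: ", demo(strict=True))
    print("forged: ", demo_tampered())
```

With the same verdict, the lenient policy accepts and the strict one rejects on ctsProfileMatch, which is the whole difference between the two kinds of app; editing a claim without re-signing fails before any claim is read, and the nonce check is what stops a verdict harvested from one session being replayed into another.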
mschuster91 6 hours ago
I get where that one is coming from though - tap-to-pay is considered second-factor-authenticated, aka no PIN entry is necessary at the PoS terminal because the user already entered their PIN or presented biometric credentials to the smartphone. If malware were able to snatch the key material that represents the credit card outright, or could (by running as root) present itself to the TEE as if it were Google Pay's NFC controller app, it would enable the actor controlling the malware to spoof the credit card on their own phone... and since tap-to-pay is considered authenticated, chances are next to zero that you can dispute the payment.