Android Pay: another big FU from Google

[s44]

Yeah, not only a root check, and an Xposed check, but it requires a full signed ROM. What is this crap?

 

[Artdeco]

"Android is open....."

LOL

 

[openwheel]

Great news. Mobile payment is garbage regardless. I don't know why some are hoping for it to suceed.

 

[kpkp]

Great news. Mobile payment is garbage regardless. I don't know why some are hoping for it to suceed.

Yup, it always amazes me how people talk about being able to pay with a watch is a game changer... Is like they do that 8 hours a day 5 days a week.

 

[dawheat]

Apple Pay, Samsung Pay, and Android Pay all use the same rails which include much stronger cardholder verification, tokenization, and dynamic crytograms which give merchants freedom from liability. Google Wallet transactions did not - they basically were just a different way of giving merchants a card number without any additional protection.

Since these new payment methods actually give fraud protection, that means any weakness in the entire payment chain could compromise it. Mods that let you mimic other device profiles, etc would break security.

So if you want to mod/root/jailbreak, that's fine, but understand why you can't use these new payment apps. It's not Google, the credit card companies and payment networks would refuse to let their cards be used and take liability otherwise.

And honestly will all 3 apps basically the same, I'm still more bullish on Samsung pay after trying it out. I can use it in way more places than the other apps, not just newer stores that accept NFC.

 

[mnewsham]

And honestly will all 3 apps basically the same, I'm still more bullish on Samsung pay after trying it out. I can use it in way more places than the other apps, not just newer stores that accept NFC.

Yeah samsung pay has been pretty solid for me so far too, works literally everywhere I go.


It's also pretty obvious they needed to beef up security, and not allowing root and requiring a signed ROM and such is really the easiest way they could do that. When you're dealing with finger prints and credit cards and wireless transactions, you're gonna want to make sure its secure.

 

[Commodus]

I never quite understand the crowd that is shocked, shocked that security-conscious features (like payments or workplace device management) forbid you from doing things that inherently weaken your phone's security.

It's like arguing that you can be a top athlete while eating a diet consisting solely of pizza and ice cream. Sorry, but the two ideas are mutually incompatible. If you want one, you're going to have to give up the other.

 

[lxskllr]

I never quite understand the crowd that is shocked, shocked that security-conscious features (like payments or workplace device management) forbid you from doing things that inherently weaken your phone's security.

It's like arguing that you can be a top athlete while eating a diet consisting solely of pizza and ice cream. Sorry, but the two ideas are mutually incompatible. If you want one, you're going to have to give up the other.

There's no reason it can't work both ways. Whoever's liable for fraud should dictate the security. If it worked as a prepaid debit, *I* would be liable for fraud, and should be able to use it(anonymously) on any machine I choose. People that choose to be backed by a company can live with restrictions.

 

[gorcorps]

Apple Pay, Samsung Pay, and Android Pay all use the same rails which include much stronger cardholder verification, tokenization, and dynamic crytograms which give merchants freedom from liability. Google Wallet transactions did not - they basically were just a different way of giving merchants a card number without any additional protection.

Since these new payment methods actually give fraud protection, that means any weakness in the entire payment chain could compromise it. Mods that let you mimic other device profiles, etc would break security.

So if you want to mod/root/jailbreak, that's fine, but understand why you can't use these new payment apps. It's not Google, the credit card companies and payment networks would refuse to let their cards be used and take liability otherwise.

And honestly will all 3 apps basically the same, I'm still more bullish on Samsung pay after trying it out. I can use it in way more places than the other apps, not just newer stores that accept NFC.

Bingo

If you can't understand why something like the security of a pay system needs to be maintained, then you're just being purposefully difficult.

 

[shabby]

Yeah, not only a root check, and an Xposed check, but it requires a full signed ROM. What is this crap?

What did you expect? I'll bet that a pin code/pattern is needed too.
If root would be allowed then any lost phone could have its cc info swiped, then panic would ensue and google would be bashed for this "vulnerability".

 

[Commodus]

There's no reason it can't work both ways. Whoever's liable for fraud should dictate the security. If it worked as a prepaid debit, *I* would be liable for fraud, and should be able to use it(anonymously) on any machine I choose. People that choose to be backed by a company can live with restrictions.

It could, but it probably won't, if we're realistic about it.

Most of these systems are built to use conventional credit and debit cards, and those companies will insist that users can't easily compromise the transaction process. The prepaid debit card providers would likely want to go for separate apps to avoid restrictions from other providers, and it's doubtful they'll do that when the audience for that (people with rooted Android phones + prepaid debit cards) is rather small.

 

[lxskllr]

It could, but it probably won't, if we're realistic about it.

Most of these systems are built to use conventional credit and debit cards, and those companies will insist that users can't easily compromise the transaction process. The prepaid debit card providers would likely want to go for separate apps to avoid restrictions from other providers, and it's doubtful they'll do that when the audience for that (people with rooted Android phones + prepaid debit cards) is rather small.

Not sure how prepaid cards are differentiated at the checkout. Seems to me it's all the same to the companies. Do a balance check, and either approve or not. Prepaid companies get their money either way, so offering the service can only help their bottom line.

I never thought about it til I replied to your post, but that's a service I would enjoy using as long as it was as anonymous as cash. There's a lot of fun stuff you could do with a system like that, but then google et al, wouldn't be able to exploit the users for data...

 

[dawheat]

There's no reason it can't work both ways. Whoever's liable for fraud should dictate the security. If it worked as a prepaid debit, *I* would be liable for fraud, and should be able to use it(anonymously) on any machine I choose. People that choose to be backed by a company can live with restrictions.

Umm, you're proposing that consumers themselves be liable for any fraud on that credit card if used on a rooted device? First, practically no consumers would accept that and if you are, you're in a incredibly small minority. Secondly the opt-in and acceptance of those types of terms would be a compliance nightmare (We detect your device is rooted, click Yes to accept liability for all transactions?). I can already see the lawsuits about "I didn't understand what Yes meant, I should get my money back".

Secondly, it still breaks the ecosystem. What if your credentials somehow get copied onto another device and used. Should you also then be liable? How would the company truly distinguish between your rooted devices and a bad actor?

For better or for worse (but certainly better for merchants), this is the future of payments.

 

[lxskllr]

Umm, you're proposing that consumers themselves be liable for any fraud on that credit card if used on a rooted device? First, practically no consumers would accept that and if you are, you're in a incredibly small minority. Secondly the opt-in and acceptance of those types of terms would be a compliance nightmare (We detect your device is rooted, click Yes to accept liability for all transactions?). I can already see the lawsuits about "I didn't understand what Yes meant, I should get my money back".

Secondly, it still breaks the ecosystem. What if your credentials somehow get copied onto another device and used. Should you also then be liable? How would the company truly distinguish between your rooted devices and a bad actor?

For better or for worse (but certainly better for merchants), this is the future of payments.

With prepaid cards, you lose what you have on the cards; usually a couple hundred $. They aren't unlimited like credit, or maybe debit if you foolishly link a card to a well funded account. Some people are willing to take responsibility for their own security, and setting it up should be trivial from a program perspective, and of absolutely no concern from a merchant perspective.

 

[Zodiark1593]

I'll keep my rooted device and just use cards like I've been doing since forever.

Besides, giving up battery life and performance (due to some tweaks via rooting) for the sake of a payment method is quite stupid, in my opinion.

 

[dawheat]

With prepaid cards, you lose what you have on the cards; usually a couple hundred $. They aren't unlimited like credit, or maybe debit if you foolishly link a card to a well funded account. Some people are willing to take responsibility for their own security, and setting it up should be trivial from a program perspective, and of absolutely no concern from a merchant perspective.

Fair enough - though prepaid usage tends to be primarily low income or relatively fringe use cases (gift cards, etc). I think you'd understand companies focusing on the biggest part of the pie - credit and debit cards - where spend is highest. Also that nearly all credit/debit users would not give up their current protection just to use mobile payments.

Fringe not that it's not common, but from an overall spend POV. I agree that it's a use case that can be served - but if I was a giant business, I'd figure that out last.

 

[Eug]

It's like arguing that you can be a top athlete while eating a diet consisting solely of pizza and ice cream. Sorry, but the two ideas are mutually incompatible. If you want one, you're going to have to give up the other.

Time: Usain Bolt Ate 100 Chicken McNuggets a Day in Beijing and Somehow Won Three Gold Medals

In the ten days Bolt spent in Beijing, he downed approximately 1,000 nuggets, averaging 100 a day. At 940 calories per 20-piece box, that means that Usain ate about 4,700 calories worth of Chicken McNuggets a day and 47,000 calories over the course of his stay in China. (And that’s without Sweet ‘N Sour Sauce, which, let’s face it, only a fool would pass up.)

“At first, I ate a box of 20 for lunch, then another for dinner,” Usain writes in his soon-to-be released autobiography Faster than Lightning. “The next day I had two boxes for breakfast, one for lunch and then another couple in the evening. I even grabbed some fries and an apple pie to go with it.”

 

[gus6464]

My bank doesn't support android pay. Is there a way to block the wallet from updating and forcing me to move to the android pay app?

 

[mnewsham]

My bank doesn't support android pay. Is there a way to block the wallet from updating and forcing me to move to the android pay app?

I thought there was a way to bring old cards over if they were from a bank that wasn't supported. I'm not sure about the exact process but I believe there is a way.

 

[poofyhairguy]

Yeah, not only a root check, and an Xposed check, but it requires a full signed ROM. What is this crap?

I will tell you what it is, a HUGE win for the OnePlus Two is what it is. Turns out NFC is useless to the hacking crowd.

 

[sweenish]

Time: Usain Bolt Ate 100 Chicken McNuggets a Day in Beijing and Somehow Won Three Gold Medals

In the ten days Bolt spent in Beijing, he downed approximately 1,000 nuggets, averaging 100 a day. At 940 calories per 20-piece box, that means that Usain ate about 4,700 calories worth of Chicken McNuggets a day and 47,000 calories over the course of his stay in China. (And that’s without Sweet ‘N Sour Sauce, which, let’s face it, only a fool would pass up.)

“At first, I ate a box of 20 for lunch, then another for dinner,” Usain writes in his soon-to-be released autobiography Faster than Lightning. “The next day I had two boxes for breakfast, one for lunch and then another couple in the evening. I even grabbed some fries and an apple pie to go with it.”

Interesting counter, but fails to acknowledge that most top athletes do consume well over 2000 calories a day so they can maintain their training regimen.

We'd have to take a deeper look at the other stuff that comes with a McNugget outside of a calorie count. Saturated fat, sodium, simple sugars, etc. Not just of any McNugget, but those specifically in China. I'm sure there's a difference. Then comes actually knowing what athletes need a lot more of when compared to a "regular" diet, and what they eschew.

Basically, everyone should have got the meaning of what you quoted, and using only a calorie count from a fluff piece to counter the specificity of the words and not their meaning is disingenuous.

 

[sweenish]

I will tell you what it is, a HUGE win for the OnePlus Two is what it is. Turns out NFC is useless to the hacking crowd.

The hacking crowd that wants to tap to pay.

I'll deal with a PIN lock if it equates to an easier checkout. I should have one, anyway.

 

[lothar]

Not sure how I feel about this one, but I understand Google did it because the banks and CC companies probably required it, and Google didn't want to be held liable.
Android pay or AdAway/Cryptfs/GravityBox/Greenify/Lux Dash/Solid Explorer/Tasker/Titanium Backup/XPrivacy/Xposed Framework/Youtube Adaway?
If it's an "all or nothing" scenario, then I'll probably keep my apps and not update the Google Wallet app. Or I just won't use Android pay for a while.

What did you expect? I'll bet that a pin code/pattern is needed too.
If root would be allowed then any lost phone could have its cc info swiped, then panic would ensue and google would be bashed for this "vulnerability".

Umm, you're proposing that consumers themselves be liable for any fraud on that credit card if used on a rooted device? First, practically no consumers would accept that and if you are, you're in a incredibly small minority. Secondly the opt-in and acceptance of those types of terms would be a compliance nightmare (We detect your device is rooted, click Yes to accept liability for all transactions?). I can already see the lawsuits about "I didn't understand what Yes meant, I should get my money back".

Secondly, it still breaks the ecosystem. What if your credentials somehow get copied onto another device and used. Should you also then be liable? How would the company truly distinguish between your rooted devices and a bad actor?

For better or for worse (but certainly better for merchants), this is the future of payments.

My device is encrypted, rooted, and the boot loader is locked.
How likely can it be copied even with the device being encrypted(with a different password from the normal unlock password/pin), boot loader locked, and password/pin on?

https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager
I use that to change my disk encryption password and make it completely different from the unlock password/pin. Every restart requires one to enter the password to decrypt the device.

https://play.google.com/store/apps/details?id=net.segv11.bootunlocker&hl=en
Most people don't know that one can lock their devices after root. I use this app to lock/unlock boot loader as needed without wiping my data which gives me the best of both worlds (security and features)

 

[lothar]

I thought there was a way to bring old cards over if they were from a bank that wasn't supported. I'm not sure about the exact process but I believe there is a way.

Yup.
http://www.androidpolice.com/2015/0...e-to-android-pay-but-only-for-a-limited-time/

 

[shabby]

My device is encrypted, rooted, and the boot loader is locked.
How likely can it be copied even with the device being encrypted(with a different password from the normal unlock password/pin), boot loader locked, and password/pin on?

In your case none, but google has to look out for the other 99.9% of people who don't do that.
Btw do you use twrp to backup/restore your phone? Does twrp play nice with encrypted phones?