In recent projects, we are often asked: Is HCE safe?
My answer is: relatively safe.
After hearing this answer, many people respond: a certain bank has already launched an HCE application, so why would it be unsafe?
In fact, there are two HCE application scenarios: online mode and offline mode.
Online mode:
Even if there are security issues, the processes involving the relevant keys and calculations are completed in the backend, so they fall within the scope of network security, and large-scale key leakage will not occur. Currently, all HCE applications launched by banks are in online mode.
Offline mode:
The relevant keys, sensitive data, amounts and other information are stored inside the phone. Android phones can be easily rooted, which allows the data to be read and copied, so things can get tricky.
Pure HCE security solution:
Transaction key: protected by a session key. The session key changes each time you log in, and the transaction key is then re-encrypted (encryption conversion).
Sensitive data and amount: protected by the session key. A check value is generated by encrypting all zeros with the data plaintext; when verifying sensitive data and amounts, decrypt first, then compare the check values.
Security level: algorithm hiding
Disadvantages: Unable to prevent copying.
HCE TEE security solution:
The HCE application implements the emulated industry applications.
The TEE stores keys, sensitive data, amounts, etc.
Security level: Kernel security
Disadvantages: the TEE adaptation rate is low, and the phone needs to be restarted.