Android users who root their devices are among our most ardent fans and when this group speaks, we listen. A few of us around Google have been listening to threads like this one and we know that you’re disappointed in us. I’m a security engineer who works on Android Pay and so this thread struck me particularly hard. I wanted to reach out to you all and tell you that we hear you.
Google is absolutely committed to keeping Android open and that means encouraging developer builds. While the platform can and should continue to thrive as a developer-friendly environment, there are a handful of applications (that are not part of the platform) where we have to ensure that the security model of Android is intact.
That “ensuring” is done by Android Pay and even third-party applications through the SafetyNet API. As you all might imagine, when payment credentials and–by proxy–real money are involved, security people like me get extra nervous. I and my counterparts in the payments industry took a long, hard look at how to make sure that Android Pay is running on a device that has a well documented set of API’s and a well understood security model.
We concluded that the only way to do this for Android Pay was to ensure that the Android device passes the compatibility test suite–which includes checks for the security model. The earlier Google Wallet tap-and-pay service was structured differently and gave Wallet the ability to independently evaluate the risk of every transaction before payment authorization. In contrast, in Android Pay, we work with payment networks and banks to tokenize your actual card information and only pass this token info to the merchant. The merchant then clears these transactions like traditional card purchases. I know that many of you are experts and power users but it is important to note that we don’t really have a good way to articulate the security nuances of a particular developer device to the entire payments ecosystem or to determine whether you personally might have taken particular countermeasures against attacks–indeed many would not have.