Privacy: Why Apple Pay will be Better than Google Wallet

Ryan Olson


Category: Mobility, Unit 42

On September 9, Apple announced that the latest iPhone models would come with a new technology called Apple Pay which allows people to purchase items with their phones, both in stores and online. Many smug Android users looked at the announcement and thought “Sounds like Google Wallet. Welcome to 2011 Apple.” As an individual who is well entrenched in the Google ecosystem, (I have a Nexus 5 on in my pocket and a Moto 360 on my wrist) I initially had the same reaction. But, after looking at the two systems more closely, I think Apple Pay will be the better platform for users, and the reason for that is privacy.

apple pay v google wallet

Whether they realize it or not, nearly every Android user has a Google Wallet account, as they are required to use the system to purchase applications from Google Play (Google’s App store). Only a fraction of those users have made a purchase using Google Wallet’s Near Field Communications (NFC) system in stores. I have, and it’s nearly as seamless as the Apple Pay system that CEO Tim Cook demonstrated earlier this month.

The systems have very similar functionalities. Both use NFC to securely enable in-store transactions. Both require additional authentication to access the wallet, a 4-digit code for Google Wallet and a TouchID fingerprint for Apple Pay. The biggest difference between them is how they technically enable the transactions and the impact that has on the user’s privacy.

At their core, both systems allow users to take their existing credit and debit cards, enter them into their mobile phone and then use them to make purchases. For both systems this can occur through direct entry on the keyboard or by taking a photo of your card. The iPhone 6 contains a physical Secure Element that is responsible for conducting secure transactions with your card issuer. Your card number may transit an Apple server during the initial enrollment, but Apple doesn’t store it. Google uses “Host Card Emulation”(HCE) in place of a physical Secure Element. In other words, Google’s servers store your card number and are involved with every transaction you make.

When I make a payment using my Nexus 5 and Google Wallet, the app interacts with the card reader over NFC and then sends the details of the transaction to Google’s server. In a fraction of a second, a temporary MasterCard number is generated for my single purchase and sent to the stores payment processor. My actual card number never passes through the merchant’s point-of-sale system, which is great for anyone worried about the slew of POS breaches announced in the last 12 months.

Apple Pay is similar, but because the iPhone contains a Secure Element, there is no need for Apple to be involved with the purchase. Instead, the Secure Element generates a unique transaction ID and passes it and the transaction details encrypted to the payment processor. Apple’s documentation on how to use Apple Pay in iOS apps shows how this works.

phone payment

This difference in process flow is invisible to the user, but it’s significant. Google collects data on every transaction I make with Google Wallet and can use it according to their privacy policy. I know Google works very hard to keep my data safe, but by storing all of these details I’m open to potential exposure, either through a data breach, a subpoena or maybe just an accident.

Apple’s public comments on privacy make it clear that Tim Cook is extremely aware of this difference between Apple Pay and Google Wallet, just take a look at this interview from Monday.

Yesterday, Tim Cook also posted a public letter to the Apple website detailing the company’s commitment to protecting their user’s privacy. Here’s an excerpt that really drives home the point he’s trying to make:

“A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product. But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.

Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.”

I don’t plan on unloading all of my Google-driven services and devices. Google’s data collection allows them to build some amazing products and Apple Pay isn’t enough for me to jump ship. However, I also don’t plan to begin using an electronic wallet unless it offers me the same level of privacy Apple Pay will when it’s released in October.

1 Reader Comment

  1. The data breach concern is valid. Not so sure about the subpoena. Easy enough to direct that to your banking and credit companies, who also have the transactions (as would be the case with Apple).

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.


© 2018 Palo Alto Networks, Inc. All rights reserved.