How NFC secure contactless transactions work in iOS 18

This system combines the on-device Secure Enclave, Secure Element, and NFC hardware to allow secure payments using NFC-based contact terminal devices which are used both for payment and verification.

Apple calls this system the “NFC&SE Platform” (NFCSEP).

Starting in iOS 18.1 Apple will provide a restricted API for accessing the NFC&SE Platform. That includes availability, as NFCSEP will only initially be available in certain countries.

NFC is not a magical new technology. It’s actually just a newer form of Radio Frequency Identification (RFID) which has been around for decades.

RFID is commonly used for asset tracking such as RFID stickers attached to store inventory. If you’ve ever mistakenly walked out of a store with an error in your checkout, you’ve probably set off RFID alarms near the store exits that read the RFID tag on merchandise.

NFC is similar to RFID except that it has a much shorter range – mainly so that transactions can only be made when a consumer is near a payment or reader terminal.

NFC devices work on the electronics principle of inductive coupling. In Inductive coupling, an electromagnetic coil (an inductor) is embedded in devices that generates an electromagnetic field.

When another device containing an inductor enters one of these fields, the field induces a current in the second device. This inductance can be used for communication in NFC.

In smartphones, payment cards, POS terminals, door locks, and other NFC readers, this communication is used both for authorization and payment transactions.

NFC is a standard, although some countries require region-specific variants of NFC (such as NFC-J in Japan) in order to work with local NFC terminals.

NFC transactions promise to both provide security and speed authorization and payment from user devices. There’s also no physical interaction is required – other than the two devices being in range of each other.

Several secure contactless card systems are already in use around the world such as credit and payment cards, digital card keys, digital IDs, and transit cards. These cards use NFC to perform transactions wirelessly at point-of-sale (POS) terminals, transit ticketing systems and NFC-enabled turnstiles, and digital door locks.

What NFCSEP promises to do is unify and provide on-device what current NFC payment and ID cards do now – but all in one place.

According to Apple, NFCSEP will provide NFC transactions for:

1. In-store payments
2. Home, hotel, and car keys
3. Closed-loop transit
4. Merchant loyalty and rewards
5. Event tickets
6. Student IDs

While not at first, government IDs will be supported by NFCSEP at some point in the future.

Japan’s Suica NFC rail payment card.

The upshot of all this is that, with NFCSEP, you will be able to store all the required ID, authorization, and payment info on your Apple iOS device and use it for all of the above purposes.

Apple’s NFCSPE documentation says “The NFC and Secure Enclave APIs will be available to developers in Australia, Brazil, Canada, Japan, New Zealand, the UK, and the U.S. in an upcoming developer seed for iOS 18.1, with more regions to follow”.

Most late-model iOS devices contain NFC wireless hardware, as well as a Secure Enclave and Secure Element.

Secure Enclave is a special chip and integrated RAM that stores device and user info, and Apple Account info, and has the ability to verify that data across networks with Apple servers. It’s also used to login to Apple iOS devices.

Secure Enclave uses encryption, hardware public key infrastructure (PKI), device verification, and several other technologies to ensure each Apple device is authentic and hasn’t been tampered with.

Secure Element is a special hardware feature that allows iOS devices to store user, account, and app data in a secure, encrypted, walled-off area of RAM. This area is protected from the rest of the device and iOS.

Most of Secure Element uses its own firmware to access data so it can be verified as authentic.

Secure Enclave and Secure Element prevent impostor and man-in-the-middle attacks. They are virtually uncrackable because they use Apple’s own servers for verification.

NFCSPE uses Secure Element to store and authorize transactions and their associated data and users.

NFC-enabled access gates at a newly renovated train station in Japan.

Apple will provide secure NFCSPE APIs in iOS 18.1, which allows apps to conduct secure NFC transactions, and onboard and store contactless account info.

NFCSPE APIs will initially only be available in limited regions, and only to apps that have been approved and authorized by Apple and Payment Card Industry Data Security Standard (PCIDSS) compliant third parties.

In order for your NFCSPE-based app to work it must be approved on Apple’s App Store or an approved third-party app marketplace. NFCSPE-based apps will only work in regions in which Apple has approved NFCSPE.

Once approved and released, your app can use the NFCSPE APIs and Apple’s security platforms to conduct secure NFC transactions.

The NFCSPE APIs are not entirely open and free to use.

In particular, any business wishing to use the APIs and be approved by Apple must:

1. Be an approved Apple developer
2. Have the business listed in the Apple Business Register
3. Sign and submit an updated Apple Developer Agreement to include NFCSPE
4. Support iPhone XS or later running iOS18.1 or later
5. Be established in one of the eligible territories
6. Meet all of the security standards and privacy requirements
7. Have stringent incident resolution policies in place
8. Guarantee secure processing of user data
9. Disclose potential vulnerabilities in NFCSPE apps
10. Perform a security review through a designated testing lab

Apple NFCSPE apps are restricted initially in what kind of transactions they can initiate. All apps will initially have to support one or more of the following types of transactions:

1. In-store NFC payments
2. Car, home, or hotel keys
3. Closed-loop transit
4. Corporate Badges
5. Student IDs
6. Merchant Loyalty or Reward programs
7. Event tickets
8. Government ID (at a later date)

Each business will be required to specify a “default app” which, when the user taps to pay, will launch and present the authorization/transaction interface on the iOS device. On each iOS device, one NFCSPE app will be designated as the default app.

All NFCSPE apps running on iOS devices must support both Face ID and Touch ID for user authentication. In the event those two methods can’t be used, the device’s unlock password must be used.

Currently, these are the only three hardware-based user authentication methods allowed. Apple may or may not allow other hardware authorization in the future.

Most NFC terminals use ISO 7816-4 commands for communication. All NFCSPE apps must support this command set.

As if all this wasn’t complex enough, there’s more.

In order to create and distribute an iOS NFCSPE-enabled app, you must apply to Apple to do so, be approved, and you must be granted two additional app entitlements from Apple to include in your app’s entitlements plist file in Xcode.

These two entitlements are:

1. com.developer.apple.secure-element-credential
2. com.developer.apple.secure-element.default-contactless-app

Both settings in Xcode are Booleans and the first must be set to Yes. If the app you are developing is to be defined as the default contactless transaction app for that device, the second entitlement must also be set to Yes.

You can add and set both of these entitlements in Xcode by clicking on the entitlements file in the Xcode project navigator, then pasting the values in, setting them, and saving the file.

If your business and app haven’t yet been approved by Apple for NFCSPE, the app still won’t work for NFC transactions, unless Apple has actually granted you these entitlements.

One additional new step in NFCSPE app production is that once your app is finished and ready to be released, Apple now requires that an independent test lab test and verify the app.

That’s right. And this isn’t optional. You can’t just build your app, release it, and have it appear on the App Store. Without third-party lab testing, your NFCSPE app will never be approved by Apple for release.

This may seem like an onerous requirement, and it is, but Apple is doing this to ensure every NFCSPE app is absolutely bulletproof before it goes out to customers.

Because most of the functionality of NFCSPE apps is centered around payments, user info, and transactions, Apple wants to be sure the system is totally secure before it goes mainstream.

The upside of this is that we probably won’t see the kind of hacking and security breaches with NFCSPE that we see almost daily now with ordinary banking and credit card systems. And that is what Apple is aiming to achieve.

For some indie devs, NFCSPE will work, but for some, it won’t. In particular, one-person development shops or companies with limited budgets simply may not be able to afford to do NFCSPE development.

But since most financial transactions or ID systems are handled by large organizations anyway, this may not be that big of an issue.

Also, because these apps have to work with all physical NFC terminal hardware, developers will need to have access to at least one such terminal for testing. Testing must also be performed in the eligible markets, which may mean having a physical presence there.

There are also some new strict Apple UI guidelines that developers must follow in NFCSPE apps.

NFCSPE is a new class of development – one with much more complex and stringent requirements. Only those capable of meeting all the requirements will succeed.

Apple has a huge page about all the details of the program.

Apple has made it clear it’s serious about becoming a leader in contactless payments. Many of these systems are already in widespread use in many places outside the US.

We’ll have to wait and see how this new initiative from Apple pans out, but from the looks of it NFCSPE will be here to stay.