Why do banks need a hardware attestation, out of curiosity? I’d assume that banking apps are just clients so all that matters is if they have creds or not.
The banks don’t want their payment systems being accessed by devices that are compromised by malicious actors.
The attestation chain allows for Google to tell the apps ‘Yep, this system is running a known safe image that has been cryptographically verified using the secure hardware on the device’. The apps will only allow their payment systems to be accessed (like, to send an NFC payment).
They don’t NEED it for NFC payments to work; this is a way of limiting attack vectors on their payment infrastructure (or, cynically, a way for Google to ensure that no competing OS can exist, because people would rather give Google all of their privacy so they can pull a phone out of their pocket rather than a credit card).
If you want technical details: https://developers.home.google.com/matter/primer/attestation
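The relying-party check described in the comment above, as an added Go example that is not from this thread, from Google, or from any bank: a stand-in root (playing the role of the vendor's hardware root of trust) signs a per-device leaf carrying a hypothetical boot-state extension (constructed OID, not Android's real attestation format), and the payment feature is enabled only when the leaf chains to the pinned root and claims a verified boot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)
// Hypothetical OID for the boot-state claim (constructed; not Android's real one).
var bootStateOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// MakeChain: a stand-in vendor root of trust signs a per-device leaf claiming bootState (throwaway test keys).
func MakeChain(bootState string) (root *x509.Certificate, leafDER []byte) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, rootPub, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	claim, _ := asn1.Marshal(bootState) // PrintableString inside the extension
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-key"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: bootStateOID, Value: claim}}}
	leafDER, _ = x509.CreateCertificate(rand.Reader, leaf, root, leafPub, rootKey)
	return root, leafDER
}

// AllowPayment: the relying party's gate; the leaf must chain (signature verified) to the pinned root AND claim a verified boot.
func AllowPayment(trustedRoot *x509.Certificate, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // forged, expired, or signed by a root we do not trust
	}
	for _, e := range leaf.Extensions {
		if !e.Id.Equal(bootStateOID) { continue }
		var state string
		if _, err := asn1.Unmarshal(e.Value, &state); err != nil { return err }
		if state == "verified" { return nil }
		return errors.New("boot state " + state + ": payment disabled")
	}
	return errors.New("attestation carries no boot-state claim")
}
```

A real deployment would pin the vendor's published root, check the leaf's validity window and revocation, and bind the leaf key to the session, none of which this toy chain does.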