-
Notifications
You must be signed in to change notification settings - Fork 71
Emulating cards
We often receive questions like: "can I use my phone instead of my transit card?"
The answer is always "no" but exact details differ by card.
Neither Android nor iOS (including iOS 13) have any API to emulate the cards that don't follow ISO 14443 or FeliCa protocols.
Some chipsets have support for emulating these cards, but these APIs are not exposed in the platform.
All these cards have additional private keys that can't be retrieved, even if the usual transit data is readable. Without these keys, it is impossible to emulate the card.
Metrodroid is not affiliated with any transit agency, or in any such partnership, so cannot provide this emulation.
MIFARE2GO is used in Google Pay to set up virtual Myki and Las Vegas Monorail cards that nearly emulate a DESFire card on a device. This uses the device's secure element and a provisioning facility to "install" a card.
This also requires that readers explicitly request a ISO 7816-4 AID (to start the HCE process) and use ISO 7816-wrapped DESFire APDUs for communication, rather than bare DESFire APDUs.
As a result, in addition to requiring private keys, this requires that a transit agency explicitly implement support for communicating with virtual DESFire cards.
Apple Pay, Google Pay, and others implement this for EMV is through partnerships with card issuers. This gives them lets them set up a virtual card associated with a bank account, and get valid private keys. These keys are stored in a secure element on your device.
In addition to using private keys, FeliCa restricts the system codes that may be used for host card emulation to 0x4000 - 0x4ffe (except 0x4_ff). Suica and Octopus use system codes 0x0003 and 0x8008 respectively so you can't "just emulate that" with your phone.
Osaifu-Keitai (おサイフケータイ) is an applet-based system developed by NTT/FeliCa Networks that is loaded into a secure element paired with the NFC controller. Communications with a FeliCa reader entirely bypass the phone's software stack.
It requires device certification, software certification and royalty payments in order to get the applet installed on a phone, and is generally only available on devices purchased in Japan. Foreign imports generally lack this feature (due to extra licensing costs) -- with the exception of Apple Watch Series 3 and iPhone 8 (and later).
Google Pay acts as a wrapper around an Osaifu-Keitai system service. It allows you to have Suica and Waon cards virtually re-issued.