I tried to debug a google pay issue with a Bank once:
- Bank told me to go to Google.
- Google support told me to go to the Bank.
- (... few emails later...)
- Google support told me to make screenshots of the banking app and google pay.
So have a second phone ready, or stop complaining :) A few years later and 3 phones later... it works again!
Google Pay requires SafetyNet verification, which means it only works with a Google-approved hard & software combination, so not with GrapheneOS for example...
I hate that banks use this proprietary "standard" for NFC payments
Netherland used to have its own system for NFC payments, and it worked perfectly. Last year, all banks suddenly abandoned it and forced people to use Google Wallet instead. Of course I refused, because I don't want to share my financial transactions with an advertising company, so no NFC payments for me.
It's ridiculous the EU allows this.
SafetyNet works in GrapheneOS. What Google Pay requires is that the attested signature is trusted by them, a lot of apps, including many banking apps (at least in the UK) use safetynet but do not require the signature is trusted.
I get where that one is coming from though - tap-to-pay is considered second-factor-authenticated, aka no PIN entry is necessary at the PoS terminal because the user already entered their PIN or presented biometric credentials to the smartphone.
If a malware were able to snatch the key material that represents the credit card outright or it could (by running as root) act to the TEE like it were Google Pay's NFC controller app, it would enable the actor controlling the malware to spoof the credit card on their own phone... and since tap-to-pay is considered authenticated, chances are next to zero you can dispute the payment.
There's already a better way to check whether an Android phone is secure enough and it is independent of any proprietary OS certification: basicIntegrity [1].
Most banking apps in Germany use this API and thus work on GrapheneOS and other non-Google controlled ROMs with a locked bootloader.
PlayIntegrity is unnecessary and mostly offers vendor lock in to Google's ecosystem.
[1] https://grapheneos.org/usage#banking-apps
>If a malware were able to snatch the key material that represents the credit card
I'm pretty sure that data is stored in the secure enclave, which is impossible to access by design, root, no root, bootloader unlocked, google approved or not.