Android Phones Aren’t at Risk of Long-Standing iPhone Tap-to-Pay Vulnerability [Video]
Why It Matters
The flaw exposes iPhone users to unauthorized high‑value purchases, raising concerns for mobile payment security and prompting tighter controls from Android manufacturers and payment processors.
Key Takeaways
- iPhone Express mode lets large transit purchases bypass the lock screen
- Apple and Visa have known about the flaw since 2021
- Android phones remain safe; Samsung flags big transit transactions
- Google Wallet requires the screen to be on and adds biometric checks
- The attack needs a rooted Android device to emulate a card, making it unlikely
Pulse Analysis
Contactless payments have become ubiquitous, yet the security assumptions behind tap‑to‑pay often go unquestioned. Apple’s Express mode, designed for seamless transit fare collection, inadvertently allows the device to process sizable purchases without unlocking the screen. This exception, intended for offline transit environments, creates a narrow attack surface that can be abused when a malicious actor presents a counterfeit terminal. While the vulnerability has existed for half a decade, its public exposure through a Veritasium deep‑dive underscores the need for continuous scrutiny of mobile wallet protocols.
The exploit hinges on two factors: a flaw in Visa’s handling of large transactions in Express mode and the ability to trick the iPhone into believing it is communicating with a legitimate transit system. By using a rooted Android phone as a card emulator, an attacker could initiate a high‑value purchase that bypasses the usual fraud‑detection thresholds. Apple points to Visa’s Zero Liability Policy as a safety net, but the partnership’s awareness since 2021 suggests a shared responsibility to patch the weakness. Industry observers note that such a scenario remains unlikely in the wild, yet the mere existence of the vector raises questions about the robustness of proprietary payment stacks.
Android manufacturers have responded proactively. Samsung’s wallet flags unusually large transit transactions, while Google Wallet enforces a screen‑on requirement and layers biometric verification even for offline payments. These measures mitigate the risk of unauthorized spending and illustrate a broader trend toward multi‑factor authentication in mobile payments. As contactless commerce expands, the contrast between iOS and Android defenses highlights the competitive pressure on Apple to tighten its Express mode controls, while regulators and consumers alike will watch how payment processors adapt to safeguard the growing ecosystem of digital wallets.