
Android phones aren’t at risk of long-standing iPhone tap-to-pay vulnerability [Video]

A tap-to-pay vulnerability on iPhone has been known for the past five years and has now been highlighted in an in-depth video, but your Android phone is not at risk from it.

Tap-to-pay is basically everywhere now and is generally considered quite secure. A new Veritasium video details a long-standing vulnerability that allows very large purchases without even unlocking the phone.

The sophisticated “hack” works by tricking the phone into thinking it is talking to a transit system. Special modes on both Android phones and iPhones bypass the usual requirement to unlock your device in this particular instance, and they also work offline for the sake of underground transit systems where network connections may be spotty.

But iPhones are the only ones vulnerable here.


“Express mode,” as it is called on iPhone, allows transit systems to bypass the lockscreen, while a flaw in how Visa handles big purchases allows those larger purchases to go unflagged when made in a transit setting like this – it doesn’t happen with other processors. The process involves some special hardware (pictured above, as seen in the video), as well as a rooted Android phone to act as a card emulator.

Apple pointed to Visa as the root of the problem, while the payment processor believes this is unlikely to happen in a real-world setting and says such an attack would be covered under the Visa Zero Liability Policy. Apple and Visa have both been aware of this vulnerability since 2021. Visa, at one point, called rooting an Android phone a “difficult” process as one reason this is unlikely to happen – take that as you will.

The entire video is well worth a watch, but what we wanted to highlight here is that, as it stands today, Android phones are not vulnerable to this specific attack.

As the video points out, Samsung will flag large purchases made through transit modes. Google, meanwhile, has an additional layer of security: Google Wallet will allow payments with a locked device, but it does require the screen to be turned on. Google has been further locking down the Wallet app with biometrics, even outside of payments.


Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.