
Android Pay no longer works if you unlock your bootloader, and that's a good thing

Quietly and without any fanfare, Google disabled the ability for Android Pay to make payments on phones with unlocked bootloaders, bringing it in line with its previously held policy of not allowing rooted phones to access the payment system. It's frustrating to some, but it's the right move and it's in line with Google's vision for the security of its platform and services.

Android, as built by Google and not modified or having native security features disabled, is really secure. Security chief Adrian Ludwig speculates that one day we'll see U.S. presidents use Android (thanks, Obama) because it's safe and you have complete control over where and how your data is shared. But all that goes away once you start changing settings, enable USB communication or unlock your bootloader.

An unlocked bootloader is not secure, and when money is involved security is paramount.

It can be frustrating for a power user or enthusiast, but it's time we realize that Android is not built just for us. It's built for everyone — including people who may have unlocked their bootloader without understanding the implications of it all. These are the people who need to be protected from something on their phone that might be able to get access to their bank account or credit card information.

This doesn't just protect the person with the unlocked bootloader, either. When a bank or card issuer has to eat the cost of a fraudulent charge, it doesn't happily consider it a fact of doing business — it wants to limit these instances as much as possible. Interest rates and service fees are how the banks and card issuers make money from us, and raising one or the other (or both) is what happens when the expenditures column gets bigger due to fraudulent charges from insecure systems. In some cases, the banks and card issuers just skip payment methods like Android Pay altogether before they get to that point. Keeping Android Pay from running on potentially compromised phones helps Google get more companies on board. For example, Chase took forever to join Android Pay — and there are plenty of other banks yet to join. Not doing everything possible to make the service secure would be a great way to scare them off and keep it from happening.

Thankfully, you don't have to unlock your bootloader to manually update your phone since you can sideload update packages if you're impatient. Maybe one day developers will make use of Android's native app data backup service so we won't have to use Titanium or something similar to keep our app data in place. In the meantime, if we unlock the bootloader we lose Android Pay. It's that simple.

Google's not trying to stop anyone from unlocking their phone's bootloader, nor is it trying to turn Android into something that's not "hacker friendly" (the good kind of hacker). We can still unlock the bootloader to root or to run a different version of Android or just because we want to, but we can't use Android Pay — a service owned by Google and never intended to be open — if we do it.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

186 Comments
  • Thanks for the info!
  • Ugh. Coming up next: no Pokémon GO on phones with an unlocked bootloader. A lot of what I liked about android seems to be eroding... It's a shame there isn't a viable alternative.
  • Android Pay is in no way part of Android. Not any more than google Play Newsstand is.
  • And I don't really care about android pay anyway, it's the knock-on effect that bothers me... There seems to be a war of attrition going on against customisability.
  • This has nothing to do with customizability. It has to do with keeping people's banking/credit card information safe, and making sure banks feel Android is secure enough to partner with Google for things like Android Pay.
  • Lol like Pokémon and banking/payment are remotely close to the same thing /smh
  • Was that aimed at my original comment? Because you'd be surprised.
  • It wasn't obvious, but Pokémon GO was mentioned (and deservingly so) because Android Pay is backed by SafetyNet, and Niantic decided to use SafetyNet to block "insecure devices" from accessing PoGo. There's been a constant back-and-forth of people trying to just play the game legit on rooted devices and now simply unlocked bootloaders, but can't.
  • Snapchat isn't either, yet they don't allow rooted devices to log in. It's not about security, it's about a lack of understanding on the vendor and customers part. That said, we had workarounds before and I'm sure we will again. I won't be using android pay or Snapchat or whatever other app decides to do stupid crap like this. Google should be embracing the power user community yet they seem to want to go the way of apple. They even made the new pixel look like one.
  • Why should they be embracing the power user community? I guarantee you that the majority of sales of Android devices are not to power users. Really, there is very little incentive for Google to focus on a small group of people - even if they are the most vocal on message boards when a feature they love gets removed because they chose to root/modify their phone.
  • Snapchat can't track if you screenshot on rooted phones sometimes, so it is about security. Get off the high horse.
  • I understand that, but it's another feature that is lost if you want to customise your phone... And as I said, it's the knock-on that bothers me. I'm not just looking at this particular action, I'm looking at and speculating on a bigger picture. Plus, although it allays fears from the banks, it seems a bit silly for them to be so worried while still allowing me to carry a physical credit card. Like I said, I don't really care about android pay, but will it stop there?
  • Quit your whining
  • I can customize my phone without an unlocked bootloader.
  • To a point, can't darken the notifications or any system apps though. Honestly if they just included a full theme engine and a half decent backup solution I'd probably not need root or to unlock my bootloader. But I need my dark theme, and like having backups.
  • Can't you just relock the bootloader after you finish flashing? I usually did that anyways.
  • They need to take cues from the various launchers like Nova and allow the same kind of modifications. In developer options, allow the user to add features like changing what menus the power button brings up or allowing you to make it turn on torch from the lock screen etc. Until those type of features are available custom ROMs will be needed. Not to mention my phone runs way better on a lighter kernel than what google puts out.
  • Both Sony and Samsung have full theming engines built into their phones, and Helium backup does a pretty fair job at what you really need to back up, aside from most of your data being backed up in the cloud already (contacts, calendar, email/gmail, pictures via various apps, etc.). Well written apps have settings and data backup/export/import built in as well, and Sony has a complete backup solution on their phones, where you could basically wipe the phone, restore from backup, and have everything exactly as you had it when you backed it up. Point is, there are options out there.
  • This is different though. If they didn't do this then banks wouldn't support android pay at all because they wouldn't have confidence in it. In this case there are very compelling, concrete reasons to do what they have.
  • Exactly, this isn't five years ago. Security should take precedent over everything else.
  • 100%. Anyone arguing over customizations over security clearly has their priorities messed up. More is going to be sandboxed. This is why malware and other security holes are exploited... Customizations and lack of perspective. All things open usually tightens up as popularity increases. This is not going to limit the power user. This is Google protecting users and their interests... which is why the iPhone is right in the list... For things I hate. Not expandable storage, locked down... It's a pain, but it is secure.
  • You might want to give Apple products another look if security is absolutely your #1 priority. With limited devices to maintain and a walled garden ecosystem, security tramples over everything else.
  • Right, because banks are so concerned about credit not being compromised that they will send a credit card to any address, from those credit card solicitation mailers, that we all get every day.
    (eyes looking up)
  • +1 exactly, enough baby steps and we have an AT&T or Verizon based Samsung phone.
  • Hey fuzzy maybe these guys still believe in WMD's too, smdh
  • The only problem with that statement is that you can't exactly use Android Pay or Google Play Newsstand on iPhone or Windows Mobile. Google made those apps and Google makes Android, or so people believe. I get the point of it, but it does remove any ability for me to fix the flaws that AT&T and the OEM have introduced.
  • But, but, but......unlocked bootloader! Oh nooooo! LMAO.
  • unlock your bootloader all you want; just don't expect an app called Android Pay to work. Android Pay is about security as much as it's about convenience. Unlocking your bootloader (making your device less secure) undermines what Android Pay is all about. Regarding, Pokemon Go..the less people playing it the better..so no comment :)
  • I'm curious - if you unlock your bootloader can you then relock it to regain android pay?
  • yes
  • Don't Samsung phones have a hardware switch that is permanently set when it's unlocked?
  • It's as easy to relock the bootloader as it is to unlock it. Unfortunately once it's locked you have to factory reset to unlock it again, a feature I've never liked.
  • It's the exact same process, you just type "fastboot oem lock" instead of "fastboot oem unlock", but it does factory reset again to lock it after it is unlocked.
  • Yes, that is exactly what I just said.
  • Not really. You failed to mention that locking the device will wipe user data.....
  • That's what a factory reset does.
  • It's fastboot flashing unlock and fastboot flashing lock now. I had a hard time the other night because I forgot this. Both locking and unlocking wipe the phone now (Nexus phones)
  • Nexus 6 here--this is one of the rare Nexus devices that also wipes when you re-lock, not only when you unlock. grr...
  • So you lock it before you log in and set it up.
  • A feature that, if it was not there, Nexus devices would be the easiest devices to get unauthorized access to.
    Unlock bootloader, change system files to bypass security, boot device into user data without any protection.
    No thanks! The feature is exactly where it had to be!!!
  • Don't piss on my leg and tell me it's raining.
  • Indeed.
  • Sorry but you haven't been here long enough to know the rules of the Empire known as Mobile Nation's
    1. Shut the f$&k up and deal with it.
    2. Pokémon Go articles? See 1.
    3. Jerry is *always* right.
    4. Clicks are king. They couldn't care less about what we think. In fact they told us that they don't need support of the long time members to survive anymore. AC has clearly and officially become too big for its britches.
  • I like #3. Wish it were true.
  • Honestly curious, why are you still visiting the site then? No one is forcing you to continue to read, so from an outside perspective it looks like you're either insincere or get your jollies off being a malcontent troll.
  • Sad but a little true
  • Wow this is a dumb comment. This is not about Jerry being right. This is about explaining to people who don't understand the real implications of unlocking a bootloader and/or rooting. So do you think Android pay SHOULD work once the bootloader is unlocked? I would love to see you defend that position.
  • Should I interpret that as "Don't have an opinion then explain your reasoning behind it while letting me also have my own opinion?" Tone is difficult to judge in a comment thread :) Lock Android Pay out of every phone with a security hole and I'll be happy. I'm allowed to place a high importance on security, and I'm paid to write news, information, and opinion. I just try to do a good job at it.
  • My peener rains
  • At least I can concentrate on using my banks payment system..
  • You ignorant mother ******* **** reading piece of human GARBAGE!! A GOOD thing!? God you are so ******* stupid. So stupid that it infuriates me beyond all reason! Let me ******* tell you something. An unlocked bootloader IS SECURE AND FINE!!! Hell, even root is fine. I've been using Android pay with an unlocked boot loader forever and have had ZERO ******* problems. And those that were able to make root work ALSO had zero ******* problems. This is MY ******* phone that I ******* paid for and this kind of bullshit is UNACCEPTABLE!! you don't ******* tell me what I can or can't do with my own ******* property! So you can take your "it's a good thing" horse **** and shove it down your ******* throat!
  • Boot him Jerry ..do it do it !
  • LOL. Hell no. He's my new favorite commenter.
  • Lol you did notice he created the account just to post that...gotta start somewhere might as well be a good one huh lmao
  • Agreed. His comment looks like an obscene MadLib. It's hilarious.
  • I like this guy. He seems fun. Easy going, heck, charming even
  • +1
  • LOLOLOL
  • Wow. Good thing it's Friday. Do yourself a favor. Call up some friends, go out, grab a drink, and please try to relax. It'll be okay...
  • Yeah and I bought a car. I'll drive it as fast as I want, anywhere I want and it'll be in a dangerous condition if I want because it's MY car! How dare anyone decide how I use MY car that I paid for.
  • If it's a self driving car that can be hacked to go out and kill people, then rooting the car/unlocking the ignition start button should disable self driving mode. It doesn't matter if it's your car. If you want to use it on our roads, you must obey our rules.
  • Always love the unrealistic car comparisons. Not sure how this is comparable at all, you technically can drive as fast as the car is capable. The manufacturer isn't preventing you from doing this. If you insist on using this type of comparison, it would be more similar to the manufacturer insisting you keep the doors locked at all times... And if you don't, you can't use the navigation, hot spot or some other interior convenience feature.
  • Since when is Android Pay your property? Reading will do you a world of good.
  • Dude not cool. It's one thing to disagree and argue, it's another to be outright insulting. I agree it's not a good thing from my perspective, but it's Google's app and their service, and there's nothing to prevent them from discriminating. Dunno why I bothered typing this as your comment will be (rightly) deleted possibly before I post... Also, have you considered running for president?
  • President? Nah, he's too much of a straight shooter.
  • "I agree it's not a good thing from my perspective, but it's Google's app and their service, and there's nothing to prevent them from setting the rules for the use of that service and app" FTFY. Because it's not discriminating to make sure that the phone runs as secure as possible for folks to avail themselves of a service. They aren't saying if you are a Jew or if you are black then you can't use this. They are saying the environment must be as secure as we can make it.
  • dayum.
  • Cringe levels over 9000!!!!!!!!
  • +1 Looks like a drunken rage-post lol Stay away from Canadian Club whiskey... it's guaranteed to cause a rage-out lol
  • Please educate us on how unlocking your bootloader and enabling root access doesn't open up your phone to security risks.
  • Your phone...your property. Android Pay...not your property. This is easy to understand. Do whatever you want with your property as long it does not infringe upon other's property. I am impressed by the temper tantrum, though.
  • How does one person endangering their own Android Pay account, have any effect on your Android Pay account?
  • My post does not say it would affect my Android Pay, but.... Because you ALSO open liability to the banks. I know my bank will credit me any unauthorized charges. If the bank sees a security issue, they are less likely to allow Android Pay on MY device (or anyone else) and increases costs for all. I hope that answers, but by "others property" I was referring to Android Pay itself, which is the property of Google. Having Android Pay on a phone is not a Right.
  • Alrighty then!
  • This comment drives home the point.
  • Well done, you've done a splendid job of embarrassing yourself. I'd suggest decaf or laying off the cocaine for a while.
  • If you're that worked up over this I'd hate to be within a 100 mile radius of you when something that actually matters goes wrong in your life
  • Lol. Take a chill pill. Move on. In fact while you're at it, install a home alarm system with a password but leave an unlock key that shuts the alarm off somewhere on your porch. I'm sure no one will find it. You're still very secure.
  • Try getting laid buddy, you are way too uptight about a phone. I feel sorry for your dogs, hope you don't have any.
  • You must be fun at parties, son.
  • @bloodboilinginfuriated- shut up meg!!
  • That has to be Jerry's ghost account. Brilliant. That's exactly how some of you "power users" sound. 'It's my party and I can cry if I want to...' Yeah it's your phone and you can use it however you want to. You just can't use any of the software however you want to. I believe it's part of the user agreement you accepted when you accepted use of the app.
  • Make your own phone then.
  • I made my own phone once. True story. Bought a main circuit board and radio board of a Treo 650. Went to work and rummaged through the parts bin and added the back housing, a battery, battery door, LCD screen and front housing plus keyboard circuit board. Thing was awesome! Used it until the 700 series Treos came out and upgraded the phone.
  • Do you have a link proving it is permanent? I heard it still works for some people with unlocked bootloaders.
  • Google do love their staged roll outs... Give them three months and it'll be blocked for everyone who's unlocked.
  • ^^^ this. SafetyNet is updated via Google Play Services. If you haven't got the update then it will soon land.
  • After seeing this article, I fired up Android Pay on my Nexus 6P with an unlocked bootloader. When I went to add a credit card, it said that because it couldn't verify the security of my software (the same message I get when booting the phone) I couldn't use Android Pay. No big loss for me - the only time I used it was when they gave a $10 Best Buy gift card for using it to pay for something. Used it that time, got the card, promptly forgot about it.
  • Damn. I guess I am going to lock my bootloader :-/
  • Fear mongering is unbelievable. Anyone ever bought anything using a PC? Or Linux? I have root access on those devices and buy stuff all the time. I carry a credit card that could fall out of my pocket and someone could use it without my consent. They couldn't do that with my rooted phone yet it's somehow not secure. Bull ****. Why don't you tell us how it makes the credit card less secure. Convince us why we should believe this.
  • Carrying around cash is not secure either. Does that mean we should stop using a CVC number on our credit cards? I mean if one thing is unsecured then all things should be, right? There's nothing wrong with trying to make a new method better. Look at that crazy dude above. Do you want to end up paying for his judgment? I don't. If I want to use Android Pay I understand that I can't turn off all of the security measures of my phone. If I want something different, I can write my own NFC pay client and try to convince a bank to work with me.
  • What I'd like is the ability to lock and unlock my bootloader on the fly without wiping my data. If the "allow OEM unlocking" toggle in developer options required my pin, I can't see how it would be a security risk...
  • That would put all the security on the strength of the encryption and passcode. That's probably good enough. I don't think Google would think it's good enough, though.
  • They should focus more on security updates and fixing holes in their services rather than bullshitting on unlocking bootloader. My PC is unlocked but Valve doesn't bother that when purchasing games on Steam.
  • Yeah, makes little sense... If someone got my phone, the fact its bootloader is unlocked means they'd be able to pull the encrypted system image and spend an incredibly long time trying to decrypt it. If someone gets my wallet, my cards have numbers printed on them and NFC chips embedded in them that can be used freely.
  • I think what you're saying is you should be more secure with how you carry and store your wallet. This is a hilarious argument. Just because your wallet is inherently insecure doesn't mean you should make your phone's contactless payment app less secure, too.
  • No, what I'm saying is that my phone is already infinitely more secure than my wallet WITH the bootloader unlocked... And given that I carry my wallet in my left pocket and my phone in my right, physically speaking they're as secure as each other. If someone stole my wallet they'd have instant access, on the other hand how long would it take you to get access to my credit card data on my unlocked phone? Bearing in mind while unlocked, it is encrypted with a 13 digit pin code. Be dismissive if you like, I think it's a fair point. But then I would, it's mine.
  • Two words ... remote exploit. Nuff said.
  • And just like with physical cards, if someone stole my phone I would immediately call my credit card companies to get new cards/numbers issued because they're on my phone. It's insane that an unlocked phone is considered to be less secure than a card. Rooted, I understand. Unlocked bootloader with an encrypted? No excuse.
  • Again, you're making a false argument. Google isn't saying that a rooted/unlocked phone is less secure than a card, Google's saying that a rooted/unlocked phone is less secure than a locked/unrooted phone. Which it is.
  • Fair point, except that Google didn't create, sell, or have any responsibility for your wallet.... you lose it, that's on you. Android Pay is theirs, and they are responsible for it. Their product on their terms.
  • How do they do that? How can they interact with the phone? It's not like it would be unlocked. Android Pay requires a secure lock screen and USB debugging is typically off or if you choose to leave it on requires you to allow interaction, which requires your phone to be password unlocked before you can do anything.
  • All they are telling us is WHY Google did what it did. They are not telling you how to live your life.
  • What about devices that ship/shipped without the bootloader locked to begin with? Like say the LG G3 from T-Mobile. It had an unlocked bootloader from the factory. Does this mean it can't use Android Pay anymore?
  • The G3 didn't come with an unlocked bootloader. I don't know anything about the G3, but I can guarantee the bootloader was not unlocked from the factory. Unencrypted maybe.
  • If you don't know anything about the G3, then you clearly lack the expertise to make any claims about the device's bootloader. I can GUARANTEE you're wrong. All G3 variants with the sole exception being the T-Mobile version of the G3, the d851, have locked and encrypted bootloaders. The d851 came, from the factory and T-Mobile with an unlocked bootloader. All other variants have to be unlocked or hacked. But just that one G3 came unlocked. I know. I've owned it for 2.5years. It just recently broke, or I'd just test Android Pay myself. My question still applies, as there are plenty of other bootloader unlocked devices that come that way.
  • That is weird. Why would not have the bootloader locked and unencrypted? I assumed you would at least need to enter the OEM Unlock command. I was wrong! Can you still lock it?
  • Nope, can't lock it either. Fastboot is disabled on all non-Nexus LG phones. I have no idea why just this model got the unlocked bootloader, but it did. It's also somewhat common even now on budget devices especially from smaller manufacturers, though some do go the locked but unencrypted method.
  • Thank you Jerry. This is the right thing.
  • Completely understandable and justified. However, if Google wants me use Android Pay more, they can suck a railroad spike.
  • Which is also my take. I just disabled/uninstalled android pay and keep my bootloader unlocked.
  • Debatable
  • I gave up on tap to pay mobile payments after I returned my Note 7. Nothing works as consistently as the samsung phones sadly
  • I discovered this new 'feature' this morning. Have had my Nexus 6 bootloader unlocked since I purchased it. The Nexus 6 is one of the lucky few Nexus devices that wipes your phone when you re-lock the bootloader, so I'm stuck wondering whether it is worth wiping just to be able to use android pay at the few stores around me that accept it...
  • Well guess I will no longer be using Android pay.....As I am not willing to re-lock my bootloader, I like being able to update via factory image and not have to wait for an update to be pushed. And if I have to lock and unlock my bootloader every time after an update since I do them manually (which means a wipe every unlock) I'd rather just do away with android pay all together. Bye Android pay was nice knowing ya....
  • Flashing a factory image already wipes the phone, so I'm not seeing how locking and unlocking makes any difference. Also, you do realize Google posts the OTA files to side load right? No unlocked boot loader is required to side load an ota.
  • Flashing a factory image only wipes your phone if you don't know how to modify the batch file or flash the components manually.
  • If you flash an image already how hard is it to unlock and relock your bootloader? Also, their new beta program updates your phone without needing unlocked bootloader and it's faster.
  • Google now posts flashable .zip images for their devices. If you unlocked only to be able to update quicker (like me) then you can lock the phone and still do it. Shame about the wiping though, I love Android Pay but I'm not sure I can be bothered to set everything up again just for one app.
  • If you're one who flashes factory images, and that's the ONLY reason why you have an unlocked bootloader, then you should keep your bootloader locked and just flash OTA images. Google provides OTA update images now directly from its Android Developers website.
  • Sounds fair to me. Thanks for the writeup!
  • I understand blocking devices with modified system images, sure. Blocking devices with unlocked bootloaders alone doesn't make sense to me. What is the EXACT path that someone could take to go from unlocked bootloader to compromised payment information? I don't think one exists, and if it does, it still has several barriers before anyone with ill intent can compromise any sensitive information.
  • Just in time for pixel release, coincidence...... Like someone said, Google just wants more banks on board so they can get more monies. Sucks for us enthusiasts but in the end we can vote with our wallets and not agreeing with all the google services that make them money.
  • What I don't think people realize is that this pattern of relying on SafetyNet is going to drop the resale value of every Android device, including that shiny new one you just bought. As soon as you stop getting security updates from the manufacturer (which is typically 12 months or MUCH less), you aren't going to be able to go to XDA and install something that is being kept current with security on a phone that has an unlocked bootloader. Who is going to want to buy a used phone that either has an outdated and insecure factory OS, or a current custom ROM that is actually more secure, yet can't pass SafetyNet and the apps that use it (like SnapChat). Who is to say that tomorrow Google won't lock the Play Store or Google Maps to only run on phones that pass SafetyNet? And MDM software that won't let you access work email without SafetyNet? You should be screaming that you are paying lots for a phone that will have little to no value in a year. Google is going to kill XDA and the free support that comes once the manufacturer stops supporting the device. The life of your phone is now directly related to how long the manufacturer supports it. Google (intentionally?) just cornered the market with 2 years of updates and 3 years of security updates on Pixel devices... Sorry other android manufacturers. Step up or become obsolete...
  • After I waded through the vitriol, it is now my turn to comment. I know who Jerry is voting for this November. Sorry, but I don't need to be "protected from myself," but we are talking about Google and they are not yet a branch of the government so they can do what they want with their software. I totally disagree with you Jerry. If I follow your logic, then payments on all computers because we all know that macOS, Windows, and even our beloved Linux can be compromised. Hackers can take advantage of exploits in the Linux kernel like the one I'm just patching that has existed for 9 years. There is no such thing as a totally secure system. What you suggest would be similar to saying that PC manufacturers should lock down their BIOS and not allow users root or administrator access because one of us dullards could install some malicious software like what is done hundreds of thousands of times a day on PC even by supposedly knowledgeable administrators. Today's systems are fully open so someone theoretically could compromise a browser, SSL, and other security mechanisms because they have root access to an open BIOS computer. Under Google's and Jerry's assumptions, all payment mechanisms should be disabled on PC. I haven't even mentioned POS machines that run on these OS. What the developers are saying is that Android Pay is not secure and they are afraid of people finding exploits in their software and Jerry is agreeing with them. Android Pay should be secure itself and only play in its own sandbox like Android was designed to do. Android's security module and NFC devices can be securely used. SELinux makes Android Pay even more secure. As long as Android Pay plays by the security rules and has no holes, then an unlocked and rooted phone should not be able to compromise the application or at least the application should be able to detect a compromised system and prevent the program from operating.
Personally I think the developers are being either paranoid or lazy. Your assertion that the banks would not support Android Pay for these reasons is absurd as well. Most on-line banking and POS transaction systems have more holes in them than Android. What Google is losing are the early adopters that could make Android Pay a success. It is the rooters and unlockers that are among the first ones to jump on Android Pay. I used Android Pay for a few years on my LG G3 and Nexus 7 until I bumped into a limitation that required me to root my phone and tablet. Now my Nexus 7 is no longer supported by Google so I have to use a 3rd party ROM to get Nougat and the latest security updates. Before that my bootloader was unlocked almost from day one. Android Pay isn't even installed on my Nexus 7 and I don't use it on my Samsung Galaxy Note 5; I use Samsung Pay instead. True my Note 5 is stock because I haven't had to do anything out of the ordinary with their Android implementation. Frankly Jerry, I'm surprised at your position. I would have thought that you would have brought up the arguments I mentioned. Android Pay can make sure that the phone and their application is secure even though it is rooted and unlocked. They can enforce certain security restrictions such as a secure locking mechanism, and they should play by their own security rules which would do more to secure the application than just restricting it from unlocked and rooted phones. Also check for SELinux violations and what applications and services have been granted root. Your scare tactics about huge fraudulent transactions are just as unfounded. A very small percentage of us unlock and root our phones, and most of us know what we are doing. It is not a simple procedure as you know so it is not for the faint of heart. Your everyday Joe would not unlock or root their phone so the possible exposure is minimal.
It goes without saying that some creeps will try to find exploits with Android Pay just as they do with most any other system out there as we've seen today. The way to combat it is by developing a secure application utilizing the Android Security Framework. I think Android Pay is taking the easy way out instead of tightening up security in their own application. Restricting root was done because it was an easy workaround for another issue that they found with the secure element. I love contactless payments because of the ease of use and security over even a chip and PIN method, but I don't believe disallowing it on a rooted and unlocked phone will make much of a difference although I will admit that it offers some security. I am more confident of the security of Apple Pay, Android Pay, and Samsung Pay over what Google stores in Chrome that I use regularly as well. Google needs to implement their security measures constantly across all platforms, and Jerry should not be so quick as to jump on their bandwagon.
  • Completely 100% agree, and your points were explained very well. Much better than Jerry's I might add
  • I have to say, your comment had some very valid points. I'm sure Google is doing this for a reason and part of that reason is Pixel and taking more control over hardware and software.
  • I don't need to be protected from myself either. But I'm not a bank or credit card company or someone trying to convince them to use a service I developed. Also, it's not my assertion that the banks require a secure system. It's theirs. An unlocked bootloader gives me or anyone else instant access to every byte of data on your phone, with nothing but software based encryption keeping me from rifling through it. That may be enough for you. I'm not sure if it's enough for me just yet. But it's not enough for Google or the banks. It's fine to have an air of superiority, but know that it's not shared. Android's open nature has kept corporations from building applications for the platform or extending their services. Netflix is a wonderful example because once they decided to go forwards, their fears (unfounded or not) were immediately proven valid and a Netflix application reverse-engineered to work on any Android device appeared on the internet. Then the exact same thing happened when they finally allowed a version that could stream in HD. While I would think that Netflix would be happy to have their service more widely available, that's still theft. Netflix worried that thieves would find a way to circumvent their rules on an open platform, and we did exactly that. Twice. Open is wonderful, but also quickly abused by people without a care for the platform or the people developing for it. As a result, corporations need convincing. Can you blame them? For the record, I'll probably vote McMullin. I think he would feel the same way about security as I do. Will you be voting for someone who is quick to make assumptions and act smugly?
  • McMullin, wow didn't see that coming. I might be heading in that direction myself.
  • Because I find one of the candidates absolutely hilarious doesn't mean I'm automatically voting for anyone else :) People like to assume too much. McMullin and I disagree on many things. We agree on many others. I think that everything he does is done only to make the country better and not for any personal vendetta or advantage. That's more important than not seeing eye-to-eye on all things.
  • Do we know if the V20 will be compatible with Android Pay at all?
  • Yes, almost every new phone that has NFC is Android Pay compatible.
  • Of course it is. Modern version of Android, NFC, HCE — Android Pay works fine :) Used it yesterday.
  • Compatible, yes. Helps when there are more places to use it at.
  • Are you serious? I like Android as much as anyone but AC, you don't have to agree with everything Google does you know. Soon they'll probably completely remove the ability to unlock the bootloader.
  • The simple fact that you will equate withholding a service from devices that have been intentionally made less secure with closing both the hardware and software platform makes me think they are right to worry.
  • Let's be honest here, what percentage actually unlock bootloaders and root. I highly doubt it's anywhere over 5%. Negligible at best.... Security concern for Android Pay, not likely. More of a financial reason somewhere. It's not Armageddon here with all these unlocked bootloaders and hasn't been in the past. There WILL be ways around it shortly after.
  • But Google can completely eliminate that attack vector by not allowing Android Pay to be used with unlocked bootloaders. It doesn't matter if it's only 5% of people ... it can be 0% of people if they enact a policy like this. That's a win for security in their eyes.
  • This didn't suddenly become a problem after all these years. Like I said there's a monetary reason for it somewhere enough to make it an issue now. (probably has to do with Pixel release and having a more locked down Apple approach) Those who unlock bootloaders and root know the risk. Average population doesn't even have a clue. Meh never used Android Pay except when they had the 10 dollar promotion so it's not a big deal to me. Stop with all the security nonsense and call it what it is, a step needed to make more money. Like someone else said, "Don't piss on me and tell me it's raining."
  • Still rather disappointing to me because of what it could mean going forward. Some phones out there already have unlocked bootloaders. Would those be affected even though they're unlocked out of the box? Another reason why I keep my old devices for the likes of XDA.
  • AFAIK the only phone that legitimately shipped with a fully unlocked bootloader was the LG G3 from T-Mobile, and that was an accident.
  • I thought the international Galaxy S7 had one?
  • So is this new? I know that phones with root have had issues but my unrooted 6P bootloader is unlocked and my Android Pay still works.
  • My 5 day old OnePlus 3 has an unlocked bootloader, but still has the factory installed recovery and OS, no root, no modifications of any kind except the unlocked bootloader. I only unlocked it so that I wouldn't have to wipe the device when the day comes that OnePlus stops sending updates and I switch to the community ROM that keeps getting security updates. I set up Android Pay with no issues last Monday. I went to use it for the first time on Friday. It failed. I have a choice - return the OP3 (still within the 15 day return window) or relock the bootloader and have it wipe everything and start over. Expect AP and any SafetyNet app to stop working for you soon.
  • Yep, failed yesterday, which was my first time using Android Pay after seeing this post. Oh well, guess I should just go all the way and root it now.
  • Thanks Obama? (rolls eyes) I don't even waste my time with government crap but he sure does get blamed for EVERYTHING as if he was the first in his family bloodline to be in the black house
  • ALL Android phones should be rooted by default. They should come out from the factory as rooted.
  • Yeah, ALL Android phones should have the equivalent of putting sixteen double bolt locks on the front door but leaving the back door wide open or held together by goddamn string. TOTALLY safe and secure for your private information, right?
  • Private Information ?? It's a ******* phone. Get over yourself ****.
  • You really think people don't store private information on their phone? Oh man.........
  • Maybe you secure the apps, and stop blocking the people exploring the potential of the OS and device? Secure data on an unlocked bootloader device should not be impossible. Wasn't that what the (apparently disappeared) Android at Work data segmentation was for?
  • Apple-Droid. Android has become IOS, fekkin pathetic.
  • You're welcome to develop your own OS. I'd be interested in what you came up with.
  • My Solution: 1 rooted phone (6p) and 1 stock phone (s7 edge). Best of both worlds!
  • Same here, I have an unlocked and rooted Galaxy Nexus and a locked, unrooted and stock Nexus 5X.
  • That would be a Good Thing if Google would guarantee you that your device is secure when it's not unlocked. Unfortunately this postulate is false because the Android security model is broken by design. Not trusting the owner and trusting the app developer is plain wrong. Any crapware you install, including Google's own spywares, can quietly harvest your private data and send them to the world without you knowing or being able to stop this on a locked phone. Until stock Android has a decent packet inspecting firewall and a service controller that allows an unprivileged user to stop and start background processes and truly remove permissions of apps, a locked phone will be way more insecure than an unlocked one.
  • The comments here, purportedly from people who claim to be intelligent and rational ... Just, wow ... So much nonsense and misinformation ...
  • Android pay works nowhere anyways. Always disable it. Samsung pay works everywhere!
  • Samsung Pay is almost useless in the UK as all UK banks have deemed MST a security risk.
  • Android Pay works everywhere contactless is accepted, I've had no problems getting it accepted.
  • You want security, pay cash or with a credit card. What's the big deal? You really believe that your phone is secure?
  • It seems like the only way I'll ever be able to get into NFC payments is to have a stand-alone secure device dedicated to it.
  • I don't like this....
  • I'll just leave this here... http://www.xda-developers.com/sultanxda-bypasses-new-safetynet-unlocked-...
  • Hopefully Google will be straight on this. That article was typical crap by XDA. Google is not stopping you unlocking the bootloader. They are stopping you using their service if you have unlocked your bootloader. The service IS THEIRS THE PHONE IS YOURS.
  • Thank you Google. This is a great day for security. The vast majority of people won't even care.
  • Remember all the problems they had for years with Wallet on rooted devices? Yeah, I don't, either.
  • This is bullshit, and no it's not a 'good thing'... "oh your bootloader is unlocked! looks like you can't use this or that!" "oh you're rooted? looks like you can do this or that! sorry that you like customizing your device!" If they want to 'secure' ****, then give developers a means to do so... don't block the entire community. And yes, ENTIRE community. It doesn't matter if you're a power user, or just a sheep consumer. A loss of functionality is still a loss of functionality. What would people do if Google went "Welp, you're running Windows 10 Pro, so you can't make online purchases with your computer because the Pro version allows for Remote Desktop and other "Remote" apps to function by default. Sooooo to protect you and your bank, we're just going to deny you from any online purchases altogether within Chrome... Have a nice day!"... Sure you could use Firefox, but why? Why install two things just to do one thing? Why be FORCED to do it? Simply just give developers access to stuff, and a means of protecting people, and BOOM! Banks are still secure! Give out a standard of what needs to be in place on a ROM for Android Pay to be 'secure', and have some sort of check either online or in the app which makes sure the standards are in place and then unlocks the app to be used... Or, ya know, better yet... Why not just open the OS back up? I mean this as in: we all know there is a thing called "Root"... we all mostly have an idea of what it does for people who 'Root' their devices. Well, why not make it so people don't HAVE TO ROOT? Implement the 'administrator' group a little more! We can already do this for things like Nova Launcher and Tesla Badges for when you are rockin' Nova Launcher and still want to be able to have those little numbered badges next to your app icons so you know if you have a text or a missed call. That has to be given 'administrator' rights to operate... soooooo WHY NOT EXPAND THIS?!
If you gave people a way to do 'Root' like operations WITHOUT having to 'root', then you'd be fully protected and people wouldn't ***** so much about 'omg android pay doesn't work cause i rooted/unlocked my boot loader!'... And I'll admit.. the ONLY thing I truly like about Android, WAS the ability to install custom ROMs on my devices. If I got bored of the stock crap, I'd slap on something that made the device appealing again. Maybe I wanted all the BS bloatware gone? Welp, install a stock debloated ROM and presto! Or root the phone and force uninstall them all! This whole 'rooted/unlocked bootloader' **** isn't just about Android Pay, it's about EVERYTHING. Google has slowly been taking away EVERYTHING that made Android 'fun' and 'awesome'. And it's starting to become the last straw for me... No I won't go to iPhone, because that's even more restrictive.
  • Yep. Agreed!
  • You need to get out of your parents' basement. Google is not letting you use an app because of your unlocked bootloader. Fundamentally nothing has changed about the way you can modify your Android phone.
  • So now when Google posts a fresh new factory image update, people will stare at it and go through a serious mentally based gymnastics session on if it's worth it to lose AP.
  • It totally does work. Nexus 6P 7.0 rooted. Also imagine if this were Windows and everyone limited your use because you are in administrator mode, people would lose their minds. It's not a good thing.
  • Banks are forcing it because they fear liability for fraud on unsecured devices. It's a strong-arm compromise that will only bother true nerds. Nobody else cares at all.
  • True and it's a frikin shame
  • If only Google equated privacy to security, then life could be easier
  • They need to improve Android enough so no one ever wants to root it. Like restore the ability of anyone to use any app they want to write to Micro SD, which was taken away.
  • I had been using Android Pay for years, since the beginning, and now they don't support my bank. The only saving grace is that I currently use a Galaxy S7 so I have Samsung Pay that DOES support my bank. Glad I have options though. That's the beauty of all this. Regarding the bootloader though... I get it.
  • Same frustration here. It doesn't support my bank's card (it is a national bank and a large online banking service card), and the AmEx Serve prepaid that I specifically had just to use with it, it has stopped working with even though it STILL lists on the Android Pay site as being a compatible card..... Samsung Pay didn't work with either of them either when I had the Samsung before changing to the Z Force....
  • "Android Pay HAS NEVER WORKED if you unlock your bootloader"
    ....Fixed that for you. Since day one when Android Pay came out I could not use it. I'd get half way through setup and it would stop me.
  • Incorrect. I was able to use Android Pay on my unlocked Nexus 6 until last month.
  • Some might consider it 'a good thing', but the implementation is flawed. My Nexus 7 (2013) tablet, with STOCK Android no mods/etc, has taken to telling me 'this device cannot be verified to work', basically telling me it's a rooted device that can't be used. It DID work prior, and had until it updated to OS 6.0.x... Either the Android Pay has a problem detecting that device being unlocked, or something... Android Pay has become unusable anyway, even on my Z Force... My primary bank card STILL isn't 'in the program' and the American Express Serve prepaid that I originally got as part of the Android Pay setup has stopped working, with Android Pay constantly saying it cannot verify the card details and asking me to reenter all the information (address, name, etc, none of which has changed, I have verified with AmEx that the info I am entering IS what the card record shows).. Android Pay was nice, and very convenient when it worked, I used it for quite some time... Maybe someday they will get it straightened out and I can use it again
  • Meh, whatever. It's not like there isn't a new root vulnerability that comes out for Android every month (Drammer, being the latest). Doesn't even matter if you've got the bootloader locked or not. Mobile security is only the thinnest veneer of assurance.
  • Surely if the functionality exists to BLOCK users, the functionality can exist to WARN them. Give us the warning and let us make our own decisions. Please! No one tells me where I can keep my credit card or cash or what kind of wallet I can keep it in. Don't do it with digital currency. This sets a terrible precedent. IMO, if SafetyNet is going to be abused this way, there should be a SafetyNet opt-out option tied to our Google accounts. The setting can be tied up behind a million different captchas and multiple steps of verification for all I care.
  • So, I unrooted my phone because Marshmallow *might* be coming to the original Droid Turbo. I reloaded stock firmware and loaded Android Pay. But, it wouldn't accept any of my cards. (To root, mostly one has to unlock the bootloader, and on the Droid Turbo, you can't relock it safely. If you should ever reunlock, it WILL destroy the phone.) So, I'm thinking about all of this. I gave up and uninstalled Android Pay. I found there were traces of AP still on my phone: There was a Device Administrator choice in the Settings | Security | Device Administrator section and there was an AP section in the Google Settings app. Couldn't figure out a way to get rid of them, and there wasn't anything on the web to help. I know how to search. I remembered that Google Play Services updated just as soon as I reloaded the stock firmware and I couldn't do anything else until I had. Got to thinking. I uninstalled Google Play Services in Settings | Apps | All back to the factory version and rebooted. That *did* remove those pesky AP settings. I did have to re-login and re-set up all of my Google accounts. (Just remember to log in to your desired primary Google account if you have more than one of them (I have three)).
  • My freedom is more important than Android Pay. Taking out my wallet is as easy as taking out my phone. I will always root my phones so that I am admin, I own my phone. So, no Android Pay or any other virtual payment option is worth running unrooted stock ROM where the carrier or manufacturer controls my phone. I own my phone, NOT them or even Google.
  • Android without root is an iPhone. I'd rather have full control over my phone. Personally, I'd rather see them allow it.