Re: Maybe I just don't get it
Apple uses a secure element in the iPhone, no security exploit against iOS can access it so it remains secure. And it doesn't store the actual card number in any case, but a special substitute number that is only valid for use with Apple Pay from that one phone, so even if you got it it would be useless to you. The only "exploit" anyone has found against Apple Pay is to use social engineering to get a bank to allow you to enable someone else's card on an iPhone - which is really no different than simply stealing their card number and either using it online or making a counterfeit card using that number to use in a store.
Google doesn't use a secure element for Android Pay - they use host card emulation. That's a software based solution so they can't allow rooted devices to use it because it would defeat the security - it also means compromising the security of Android compromises its security. Google made that choice because requiring a secure element would lock out the lower end Android phones that choose not to include it for cost reasons. They care less about security and more on getting their hands on as much juicy purchase data as possible to help their advertising business. Knowing what people end up actually buying and how much they spend is the crown jewel for online advertising - it is so valuable I wouldn't be shocked if Google starts paying people to use Android Pay (at least for certain people with lots of disposal income who are the most valuable to advertisers)
Biting the hand that feeds IT
