Hello IcIc_,
We have built HeliosCard with as many anti-malware features as possible, but ultimately these are all best-effort solutions and trust in the phone is still required.
1) When the HeliosCard smartphone app first connects to the HeliosCard, a secure pairing key is generated which the app stores in secure private storage, and uses to authenticate later connections to the card. In order to switch phones/apps, a number from the back of the card must be re-entered.
2) When the HeliosCard application is in the foreground, it locks other applications out from using the NFC radio.
3) Given the relatively few apps that use NFC, as a user, you can be especially scrutinizing of installing applications that use NFC permissions (or even not install such apps altogether), thus preventing giving other apps permissions to use the NFC radio and potentially talk to the HeliosCard.
These are all best efforts, and trust in the phone will ultimately be needed. However, we believe the benefits of HeliosCard, including
1) payment-industry standard physical resistance to attack,
2) the wonderful user experience of simply tapping your HeliosCard to your phone and having your phone instantly become your new wallet,
3) its relatively low price point at $20-$30 USD,
4) its extreme portability, requiring no battery and charging as a result of its having no display,
give HeliosCard truly compelling use cases as a cold storage or even day-to-day use. A user might use multiple HeliosCards to use as cold storage and at its current price point, that would be a great way to use it. Given that a user does not touch their cold storage solutions that often, putting a keyboard/display on such a device would increase the cost and make it less compelling.
We are also investigating the possibility of offering a stripped down, low-cost Android device for those users who are worried about malware. The user would use this low-cost phone only for talking to their HeliosCard, and not install other software on it.
--The HeliosCard Team