You can program NFC in different modes. The mission is to send bi-directional messages. In NFC there are multiple combined operation modes you can use to accomplish this:
Option 1
Phone > reader/writer mode
Card reader > card-emulation mode
This option is using the ISO-DEP (ISO/IEC 7816-4) protocol
Option 2
Phone > peer-to-peer
Card reader > peer to-peer
This option can use multiple P2P protocols e.g. SNEP
Option 3
Phone > Card emulation
Card reader > reader/writer mode
This option is using the ISO-DEP (ISO/IEC 7816-4) protocol
I have two questions in different aspects:
Usage aspect
With all three options you have bi-directional communication and you can send basically whatever you want. Why wouldn't you use one option above the others?
Security aspect
Security in the sense of vulnerability for abusing like eavesdropping, data destruction, data modification and man-in-the-middle-attacks.
I read option 3 (HCE) is also used for e.g. mobile payment. Is this the safe option, or is option 1 also safe, when you use additional measures like data encryption?
Thanks!
Why are there different operating modes?
The initial idea behind NFC is to combine existing standards (specifically ISO/IEC 14443 contactless smartcard technology and FeliCa/JIS X 6319-4) into a system that can both communicate with existing transponders/smartcards/tags, with existing reader infrastructure and that can be used to easily communicate with dedicated NFC devices.
The initial NFC standard (ISO/IEC 18092) therefore defines the peer-to-peer communication mode based on those existing protocols. In addition to being backwards compatible, the NFC standard allows two NFC devices to (automatically) handshake a connection between two NFC devices. This is not possible in a reader+card setup: neither two readers nor two cards can communicate with each other, so roles have to be predefined in a reader/card scenario.
Therefore, initially, reader writer mode was only intended to access NFC tags (passive data storage devices) and possibly contactless smartcards. Card emulation mode (HCE or SE based) was intended for interaction with existing ISO/IEC 14443 (or FeliCa) infrastructure (e.g. readers that were already in place before the evolution into NFC). And peer-to-peer mode was introdcued specifically for the communication between NFC devices.
Why can all modes nowadays be used for pretty much any scenario?
I guess that one of the driving factors for this development was that peer-to-peer mode on Android lacks API support. On Android peer-to-peer mode is only accessible through Android Beam and consequently not really usable for bidirectional communication. Another factor might be that the peer-to-peer mode protocol stack is more complex than that of reader writer mode (NFC-DEP + LLCP (+ SNEP) + application protocol vs. ISO-DEP + application protocol).
So option 1 is mainly used because it was (before Android 4.4) the only option to implement bidirectional communication over NFC. Since Android 4.4 also option 3 could be used to build similar scenarios.
Is option 3 more secure than the other options?
No, not at all. In all three scenarios, security must be handled by the application layer. The underlying communication protocols do not employ any encryption/integrity protection/etc. mechanisms.
The reason why option 3 is prefered for mobile payment is simply the backwards compatibility aspect: Using HCE you could implement an application that interacts with existing contactless smartcard readers (e.g. as they are used in EMV payment systems).
Related
I have researched Mifare and other card emulation I have very good knowledge in programming (not Android, but C/C++). I have proxmark and I have made multiple emulation codes for proxmark, so I know how the cards communicate.
I don't understand currently, does android enable full card emulation.
I have researched this for about 3 days now, and the conclusion is there is no one constant pattern. Some people say it is possible, some say it is not. I looked through android API and the Host-based card emulation seems to be able to do the trick, but as I understand it is new thing in 4.4 Kitkat, does anyone have any experience with that?
To make things simple, currently I'm investigating the basic most simple emulation for Mifare Ultralight. This card is a security nightmare, there is no encryption and only about 10 functions it does. So I'm interested in starting research with this card, because it is the easiest one to reproduce.
So does anyone have any knowledge in card emulation on android. Maybe not using the stock OS. Any thing that is worth knowing would be very appreciated.
Thanks.
With host-based card emulation (HCE) in Android 4.4 you can only emulate the ISO/IEC 14443-4 protocol. More specifically you can only emulate application structures according to ISO/IEC 7816-4 (thus card emulation applications need to be selected though an AID). Moreover, the API doesn't give you any means to specify if card emulation should be done using Type A or Type B protocol.
So regarding emulation of various MIFARE protocols:
MIFARE Ultralight (and derivates) protocol operates on top of ISO/IEC 14443-3. It is not possible to emulate cards using such low layer protocols using Android HCE.
MIFARE Classic protocol partially operates on top of ISO/IEC 14443-3 (with some different framing). Thus, its also not possible to emulate MIFARE Classic using Android HCE.
MIFARE DESFire protocols operate on top of ISO/IEC 14443-4. There are three variants of the DESFire protocol:
native protocol: As this protocol does not use APDUs according to ISO/IEC 7816-4 its not possible to emulate it using Android HCE.
wrapped native protocol: This protocol uses APDUs according to ISO/IEC 7816-4, however, readers will typically not issue a SELECT command using the DESFire AID when starting to communicate with a card in wrapped native command mode. (Note: Newer reader implementations are more likely to issue a SELECT command that is compatible with Android HCE as this is also required for some of NXP's newer smartcard products with DESFire protocol emulation.)
ISO protocol: This protocol is based on ISO/IEC 7816-4 and uses application selection by AID. Thus, it may be possible to emulate this protocol using Android HCE.
Some readers may require certain parameter values in lower protocol layers (such as a specific UID cascade-level, a certain ATQA value, a certain SAK value, or a certain ATS). Android HCE does not have any means to set these values. See Editing Functionality of Host Card Emulation in Android for a possible approach to modify those values on certain rooted devices and my answer to Host-based Card Emulation with Fixed Card ID for a strategy to programatically change those values in a custom ROM.
A note on the HCE feature available in CyanogenMod from version 9.1 to version 10.2: This will emulate any ISO/IEC 14443-4 based protocol without the requirement for an application structure according to ISO/IEC 7816-4. You can even choose if you want to emulate Type A or Type B protocol. So it should be possible (though I haven't tested) to emulate any of the three DESFire protocols. However, even with the HCE feature of CyanogenMod it is not possible to emulate MIFARE Ultralight or Classic protocols. Moreover, it's also not possible to influence low-level protocol parameters such as a UID, ATQA, SAK, or ATS.
I have spent weeks researching this topic a year ago and my conclusion based on the current implementation was:
The emulation of MIFARE Classic is possible, but only through the Embedded Secure Element, this element is embedded within NXP's NFC chip (PN65 chip built in for example the Samsung I9300).
I have been able to fully emulate a Mifare Classic card using hidden functions in the android_external_libnfc-nxp library. Though i could only read the card and for it to be useful you need access to the Secure Element where a applet by NXP exists in most cases, this applet servers as front-end for managing the emulated cards.
A good way to continue this search would be by reverse engineering Google's wallet application.
The short answer is YES. However depends on many factors such as android version, phone's NFC chip, etc.
To know if your device support it just download some app such as "NFC Check" by Tapkey, and it will inform you if MiFare Classic & Mifare Ultralight are supported. There is also a list up-to-date but apparently there might be some mismatch: https://www.shopnfc.com/en/content/7-nfc-compatibility
Now the question is "how". I have not found an app yet to use the new Android's host-based card emulation (HCE) for this purpose (see here): How well does the Android NFC API support Mifare Desfire?
In fact it is suggested recently by MiFare that you should use the "secure element" method instead: https://www.mifare.net/support/forum/topic/emulate-mifare-classic-1k/
Back to your question of the Ultralight, the main difficulty is that Android API defines as-today sending a random UID on each tap, as suggested by a previous user nCypher: https://developer.android.com/guide/topics/connectivity/nfc/hce
As an alternative root access (or custom cyanogen ROMs) might help to modify the UID such as in this example:
http://osgt7405i.bkt.clouddn.com/help/en/index.html?t=1536931682474
However the newest Android API refers directly to the Ultralight object: https://developer.android.com/reference/android/nfc/tech/MifareUltralight
I know some companies that are emulating this by the SIM storage. For using your phone as RFID card of these MIFARE types, MiFare has already made one solution where business can load cards in the cloud https://www.mifare4mobile.org/ associated to their carrier SIM. There is a list of the officially certified NFC chips which work, most of them NPX which are broadly included in smartphones.
However their solution is an SDK API (namely TapLinx). There is no pure software product from NXP available like any phone emulation software or a cloud base solution.
What's more, the MiFare forum speaks about this:
https://www.mifare.net/support/forum/topic/creating-nfc-android-app-to-act-as-mifare-card-to-interact-with-mifare-readers/
The MIFARE Ultralight chip MF0ICU1 (16 pages x 4 bytes each) is indeed a nightmare, but cannot be emulated on any NXP interfaces including PN53x, because they hardwired the first UID byte (UID0) to 0x08, so it means the tag has a random UID (according to NXP standards). You need UID0 = 0x04 to emulate MIFARE Ultralight.
There exists a standalone MIFARE Ultralight emulator which allows any value for UID0, has resettable OTP, lock, and block-locking bits. See the manual for more information.
There are multiple solutions for paying a merchant using NFC in your phone. Is it possible to, as a merchant, receive a contactless payment using only a mobile phone as a terminal?
It seems that additional reader is required (such as Square), why is that? Should a reader in the phone not be able to receive enough data to process the payment using PayPal, Google Wallet, etc?
From a technical perspective there's nothing that would prevent you to implement a payment terminal using the built-in NFC reader capabilities. All Android NFC devices are capable of speaking the reader-side of the ISO/IEC 14443 contactless smartcard protocol (as used by EMV payment cards).
However, there are a few other things that may inhibt such efforts:
If you want to use a ready-made (and certified) EMV kernel (i.e. the reader application), you might not be able to get one (either because manufacturers do not target Android, or because manufacturers fear the risk that their proprietary software is extracted from the device).
It's unlikey that an Android device (unless its sole purpose is being a payment terminal) would get certifications necessary for payment terminals (mainly because other software could bring transaction data, typed PINs, etc. at risk but also because many Android devices lack suitable protection features on the hardware level). Without those certifications, it's unlikely that you would be able to enrol your terminal with an acquirer that would process payment transactions received through the mobile phone.
Eventhough the NFC hardware supports reading ISO/IEC 14443 contactless smartcards, many Android devices are not too good at that. This is mainly due to bad* antenna design. (* actually not necessarily bad design but design goals targeting simple NFC tags and no contactless smartcards.)
I personally think that the latter two were the main reasons for Square to provide their own device. Though this is just pure speculation and not quoting from any official sources.
In Android,
Is it possible to get a list of all nearby NFC devices and choose one to connect to (in peer-to-peer mode)? Or poll through all of them one after another?
Thanks in advance,
Cheers.
That's not how NFC works.
The NFC radio interface is designed for very short distances only. Typically, two devices need to (almost) touch each other (with their NFC inductive loop antennas stacked on top of each other) to discover each other.
While NFC controllers technically support handling of multiple passive targets (e.g. NFC tags and other peer-to-peer devices in passive target mode), the Android system is currently designed to enumerate and handle only one target device.
I am trying to develop an Android application for a hospital. In this system there is a need to get the patient information stored in the database in the android phone into the desktop computer using NFC technology. Is there anyway where I could use a NFC USB Reading device (ACR122U NFC Smart Card Reader RFID Writer 5 Mifare USB) to transfer the data from the mobile phone to my desktop computer?
The real scenario for this would be, in a hospital when a person wants to take some test results he will reach to the counter and place the mobile device on the NFC reader device installed at the counter when this is done all the details about the patient should be transferred to the desktop machine at the counter.
I don't want to transfer a lot of information if there is any way in which I could transfer the patient id stored in the mobile database into the desktop using NFC that would be enough.
Depending on what NFC devices you want to use in combination with the ACR122U NFC reader you multiple options:
If you only need to exchange a single message (data packet) in a single direction, you could use peer-to-peer mode. However, the peer-to-peer protocol stack is relatively complex (in comparison to the other alternatives). Moreover, Android's built in Beam functionality will request user confirmation (Beam UI) for every message transfer.
If you only need to support Android devices with Android 4.4 or later (and even then not all Android NFC devices are supported, see this), you could use the ACR122U in reader/writer mode. In reader/writer mode, the ACR122U can communicate with contactless smartcards. See the reader's manual on how to access such ISO/IEC 14443-4 contactless smartcards. On the Android side, you would use the host-based card emulation (HCE) mode. See the Android documentation on how that works on Android 4.4 and later.
In my opinion the best option would be to use the ACR122U in card emulation mode. In card emulation mode the ACR122U can be used to emulate a tag/contactless smartcard that can be detected by an Android device just like any other NFC tag/contactless smartcard. You can find examples, for instance, with libnfc. Also see this answer on how to bring the ACR122U into card emulation mode. This option can be used across all Android versions (and on BlackBerry and with some additional effort to some extent even on Windows Phone). With this scenario, the phone would take the reader (interrogator) part in the communication and the ACR122U (and the connected PC) would be the card (controlled component). Using techniques like inverse reader mode you could reverse that relationship.
You could use the host based card emulation for exchanging the data: http://developer.android.com/guide/topics/connectivity/nfc/hce.html
Or alternatively the p2p communication:
http://developer.android.com/guide/topics/connectivity/nfc/nfc.html#p2p
Apart from what is shown in the NXP websites regarding mifare plus and mifare desfire, considering the following factors:
Security
Speed of Readability
When stuck with a ferrite layer so that it can be stuck on a phone, which is better?
In the future if we want to get into payments, what is preferred?
The size of the nfc tag stickers are going to be 35mm diameter, does it make a difference what is the tag that is used?
The tags are going to be interacting with an nfc reader which is plugged in to an Android device. From an android POV, which is better? For ease of development and for more functionality which is more appropriate?
Thanks
MIFARE Plus is really meant as an upgrade for existing MIFARE Classic-based systems. It has a mode which is backward compatible with MIAFRE CLassic. It has the same fixed memory structure as MIFARE Classic: sectors with 3 blocks of 16 bytes of data and a block for the 2 access control keys. It is not ISO 14443-4 compliant.
MIFARE DESFire has a flexible memory structure: up to 28 "applications" (a kind op directories) with up to 32 files each. Access control is very flexible, too. It is ISO 14443-4 compliant and it can communicate in an ISO 7816-4 compliant mode. It can be configured as an NFC Forum Type 4 Tag, so that compliant systems (such as Android devices with NFC) will automatically read out the NDEF message. It is used in some payment systems.
EDIT:
The 2 products strive for somewhat different security goals, I would say. DESFire offers AES and 3DES for maximum flexibility, with encrypted, MACed or plain communication: your choice. Each application and file can be configured with its own access control keys. While MIFARE Plus aims to improve the security of MIFARE Classic, but its functionality is for the rest very similar to it. In addition, MIFARE Plus has a proximity check feature, while DESFire has no such thing.
They both support the same reading speeds (check the specs!). They will both perform OK on a ferrite layer and an antenna size of 35mm sounds OK. I have such DESfire tags, with and without ferrite, that work fine with an Android phone.
For ease of development, my preference is with DESFire. It is more flexible, both in communication options and data storage configuration. If you have an Android device with NFC capability, you can even configure DESFire as Type 4 Tag, which means that Android will read out any NDEF data automatically and deliver it to your app in an intent.
You seem to have an awful lot of questions here, some of which may not actually be relevant, but here goes:
Security - the DESFire has greater security functionality, gaining Common Criteria EAL 4+
Speed of Readability - They both can handle 848 kbit/sec
When stuck with a ferrite layer so that it can be stuck on a phone, which is better? - not really a question. They both cope with it, but I'd recommend glue as it is a better physical solution to prevent accidental loss.
In the future if we want to get into payments, what is preferred? - the DESFire has greater security functionality, so I would recommend it over the Plus
The size of the nfc tag stickers are going to be 35mm diameter, does it make a difference what is the tag that is used? - Form factor looks identical, so no.
The tags are going to be interacting with an nfc reader which is plugged in to an Android device. From an android POV, which is better? For ease of development and for more functionality which is more appropriate? - The command sets are similar, with the DESFire having an extra set of commands and the capability to run more applications, so based on your comment regarding functionality the DESFire offers more options.