Android NFC application security testing - android

How can I go about doing security testing of an Android NFC application? Is there any tool or methodology that can be used to do security testing of an Android NFC application which communicates in P2P mode or Card Emulation mode?

Specialized tools to emulate P2P or tag communication exist, but these are generally extremely expensive. But before you go that route, it makes sense to consider against what kind of security threats you want to protect your NFC app. Android takes care of all the low-level NFC communication, so your app does not need to worry about that. Also parsing of NDEF data is done by the Android system. So I would say most things are taken care of for your app by the Android system and your app does not need to worry about it.

Check out this: http://en.wikipedia.org/wiki/Near_field_communication#Security_aspects
In relation to your comment on NFC Guy's post: no, Android doesn't for the most part; you're expected to deal with most of it yourself:
Eavesdropping is possible on an NFC connection. There's no encryption provided, so if you want to keep information sent across an NFC connection secure, do some encryption at the application level. Devices such as the Proxmark3 can eavesdrop on NFC communications: http://proxmark3.com/
Data modification is possible but it depends on the encoding of the link... See the Wikipedia page for more about this, I don't have much knowledge at this level.
Relay attacks are possible on NFC connections. Papers such as this one: http://eprint.iacr.org/2011/618.pdf show a practical implementation of them being carried out, just using a BlackBerry and a Nokia phone. You can try to detect them using distance bounding protocols or location based protocols, although these are somewhat inexact.

Related

Should I use Bluetooth Classic or Bluetooth LE to communicate with my mobile application?

I'm making a project with ESP32 that involves communication with a mobile application. Currently I'm using BluetoothSerial (built on Classic) just for debugging, but I plan to make a dedicated mobile application to have all kinds of data related to the project, and I'll gather this data from the controller through duplex communication, maybe via a command-response interface.
What I want to know is what kind of Bluetooth would be preferable to communicate with an Android application? Things that I want to keep in consideration:
Auto-connection capabilities when in range.
OTA possibility.
Range.
Hardware Requirements (Like timers and such)
Data Security
Port capability to iOS.
I do not care about:
Battery Usage (If the practical difference is minimal)
Transmission Speeds (I'm just transmitting 2-3 kb numerical data once a second)
It doesn't make a huge difference as most of the things you listed above can be achieved via either method, so it comes down to your personal preference and your existing familiarity with the wireless technology. However, I would personally go for BLE because unlike classic Bluetooth, BLE is now a lot more mature in terms of applications and resources for both Android and iOS. You will end up finding a lot more documentation and source code when it comes to BLE when compared to classic Bluetooth. Furthermore, as Michael Kotzjan mentioned, classic Bluetooth is relatively new on iOS and has a few restrictions.
The links below can maybe give you a nudge in the right direction:
Bluetooth classic vs BLE on Android
Android Bluetooth vs BLE
Bluetooth security and privacy on iOS
Classic Bluetooth, BLE or WiFi direct

API documentation and limitation for NFC tags on Android

I'm new at NFC and I'm trying to look up documentation on what is possible and what is not, but I have a hard time finding the right resources.
I'm therefore looking for guidance pointing towards the right resources.
The problem I have is that a lot of the resources I find require a third party app, e.g. Trigger. With Trigger you could implement more complex logic (e.g. check time, if time falls within a certain range, start Google Maps pointing to work address, always start Spotify) but it'd only work if you have Trigger installed.
I however am looking for an NFC project that works without requiring installing an extra app. Things that work on any Android device with the latest OS are for example:
toggling Bluetooth
connect to WLAN with SSID and password
open a URL
...
I've seen it's possible to write an NFC tag to pair with a Bluetooth device. However, when using a different phone that does not have the NFC writer app installed, will the NFC tag still work? Example
My NFC tags are still shipping so I can't test. Also I prefer reading documentation and implementing according to docs over trial and error.
Newer Bluetooth speakers have NFC. I'm unsure if you can turn NFC-dumb devices into NFC-smart devices. (The NFC-smart devices may be telling the Bluetooth speaker to go into pairing mode, which is something you cannot do when you create an NFC tag.)
I've been trying to look up documentation on what's supported by default but I have a hard time finding these resources.
For now I want to focus my attention on Android only since I do not own Apple devices. I am aware that what may work on Android may not work on Apple.
I'm looking for the API method calls documentation for Android that shows the above-mentioned bullet points being possible.
What is possible? What are the limitations?
The API for NFC is well documented. You will find that on the android developer site (Android developer documentation).
However, what is supposed to happen once you read an NFC tag is a different story. Your examples have nothing to do with NFC, even so they appear possible. This is what you have to cover with your app.
You are not after the API documentation on Android, which is well documented at the low level but poorly documented as a system.
What you are after is the NFC Forum specifications and the level to which your particular version of Android natively supports these specifications.
Unfortunately the NFC Forum specifications are mostly a paid-for resource; they cover things like how to write an NDEF message for Bluetooth pairing, WiFi setup, etc.
Though some of these specifications can be found hidden on the internet, or you can pay to become an NFC Forum member.
You can get an idea of what Android OS natively supports by looking at the source code of the system app that handles this
(mostly in) https://android.googlesource.com/platform/packages/apps/Nfc/+/refs/heads/master/src/com/android/nfc/NfcDispatcher.java
But additional support for other message types can be added by any other app, including apps installed by OEM vendors like Samsung, etc.

Android to iOS AirDrop?

Out of curiosity... has anyone ever been able to integrate AirDrop functionality into an Android app?
I really don't care about receiving any information on the Android side, but am hoping I can send information to the iOS side from Android. I'm hoping to find someone with a more in-depth understanding of how it works and if it is physically possible. Also, any direction on whether Apple has proprietary use over the protocol (or if it is just the name and branding) would be awesome!
Trying to build a cross-platform app and getting pretty close, but this would just be extremely convenient if it works out :)
Currently, it is not possible as AirDrop uses Bluetooth to create a peer-to-peer Wi-Fi network between the devices. Each device creates a firewall around the connection and files are sent encrypted, which actually makes it safer than transferring via email. AirDrop will automatically detect nearby supported devices, and the devices only need to be close enough to establish a good Wi-Fi connection, making it possible to share files across several rooms.
Some Android devices use a combination of Near Field Communications (NFC) and Bluetooth to share files. But both Bluetooth and NFC are relatively slow compared to Wi-Fi, which makes sharing larger files using AirDrop much faster and more convenient.
Regarding the protocol, I don't think Apple has made it public, and as far as I know Apple must have patented it. AirDrop uses Bluetooth as well, and Android and iPhone Bluetooth are not compatible. Hence, due to all these reasons, we did not see any Android app that can send data via AirDrop.

Transfer data between iOS and Android via Bluetooth?

I've been reading up on how to transfer data between iOS devices over Bluetooth using GameKit. I'm not writing a game, per se, but do have a need to transfer a small amount of binary data between two devices. Between two iOS devices, this is easy enough. However, I was wondering if it is possible to transfer data between an iOS device and an Android device via the same mechanism.
Has anyone come across documentation/tutorial that would explain how to do this? Is it even technically possible? Or has Apple put in some sort of restriction that would prevent this?
The other option I discovered was Bonjour over Bluetooth. Would this be a more suitable option for this type of operation?
This question has been asked many times on this site and the definitive answer is: NO, you can't connect an Android phone to an iPhone over Bluetooth, and YES Apple has restrictions that prevent this.
Some possible alternatives:
Bonjour over WiFi, as you mentioned. However, I couldn't find a comprehensive tutorial for it.
Some internet based sync service, like Dropbox, Google Drive, Amazon S3. These usually have libraries for several platforms.
Direct TCP/IP communication over sockets. (How to write a small (socket) server in iOS)
Bluetooth Low Energy will be possible once the issues on the Android side are solved (Communicating between iOS and Android with Bluetooth LE)
Coolest alternative: use the Bump API. It has iOS and Android support and is really easy to integrate. For small payloads this can be the most convenient solution.
Details on why you can't connect an arbitrary device to the iPhone: iOS allows only some Bluetooth profiles to be used without the Made For iPhone (MFi) certification (HFP, A2DP, MAP...). The Serial Port Profile that you would require to implement the communication is bound to MFi membership. Membership in this program provides you with the MFi authentication module that has to be added to your hardware and takes care of authenticating the device towards the iPhone. Android phones don't have this module, so even though the physical connection may be possible to build up, the authentication step will fail. iPhone to iPhone communication is possible as both ends are able to authenticate themselves.
Maybe a bit delayed, but technologies have evolved since so there is certainly new info around which draws fresh light on the matter...
As iOS has yet to open up an API for WiFi Direct and Multipeer Connectivity is iOS only, I believe the best way to approach this is to use BLE, which is supported by both platforms (some better than others).
On iOS a device can act both as a BLE Central and BLE Peripheral at the same time, on Android the situation is more complex as not all devices support the BLE Peripheral state. Also the Android BLE stack is very unstable (to date).
If your use case is feature driven, I would suggest to look at Frameworks and Libraries that can achieve cross platform communication for you, without you needing to build it up from scratch.
For example: http://p2pkit.io or Google Nearby
Disclaimer: I work for Uepaa, developing p2pkit.io for Android and iOS.
You could use p2pkit, or the free solution it was based on: https://github.com/GitGarage. Doesn't work very well, and it's a fixer-upper for sure, but it's, well, free. Works for small amounts of data transfer right now.

Android API for inter-device communication

I was wondering if there is an API that allows for direct communication between two or more Android devices, particularly for real-time multiplayer gaming. For example, is Bluetooth communication between two devices possible for the purpose of gaming?
EDIT: I do not have a (reliable) server so I cannot consider it as an option. I am looking for an API that strictly uses direct device communication (so no servers).
http://androidforums.com/android-games/57-mages-multiplayer-android-game-engine-chess-game-included.html
Here is one multiplayer engine I have run across when exploring networking options. I have not used it though, so I cannot give any insightful opinion about it.
Generally I tend to lean towards creating my own TCP client / server solution. Of course the best choice for you depends on what type of game / application you are looking to make. Generally if you plan to have a good number of users on at a single given time (more than 3+) P2P is strayed away from. That being said, I have also yet to see a well working solution for a client / server application over Bluetooth, which leaves you with traditional networking strategies.
Yes there are APIs for that now.
"Nearby Connections is a peer-to-peer networking API that allows apps to easily discover, connect to, and exchange data with nearby devices in real-time, regardless of network connectivity."
https://developers.google.com/nearby/connections/overview
Also see:
Wifi P2P
https://developer.android.com/guide/topics/connectivity/wifip2p
Overview on what to select:
https://developer.android.com/training/connect-devices-wirelessly
PS I know this is an old question but it still ranks very high on search engines, therefore I add this answer.
If you're doing Peer-2-Peer, then Bluetooth and/or NFC would be your best bets. I would suggest using the "Internet" approach through WiFi as it offers more flexibility.
