So here is my basic motivation for my question obfuscated a little:
I want to track a user's loyalty to a particular store. Each store would have an NFC sticker on the register. On purchase the user would use an app on their phone (NFC available of course) and the sticker would send back some code that designates the store.
Now here is my question, one, can I send a simple code back to my application that is then, for example, added to some database? This link, near the bottom, provides a description of 'Content Options' none of which I want. Also, the NFC-Forum specifications don't tell me much (or I'm just not looking in the right place).
Also, how do I actually put this tag/code onto one of these stickers? If I do it myself can I make them read-only?
You can put arbitrary information on the NFC tag - there is no limitation on what you can upload and in which format. Think about NFC tags as if they were normal data storage places like e.g. a hard drive or CD - to those you can save files of arbitrary format holding arbitrary content. Same with NFC tags.
Anyway, there is a recommended NFC Forum standard for the content format called NDEF (NFC Forum Data Exchange Format is a lightweight binary message format designed to encapsulate one or more application-defined payloads into a single message construct.)
Also for specific data (links, Phone number, calendar event, etc.) there is another recommended NFC Forum standard called RTD (Record Type Definition specifies the format and rules for building standard record types used by NFC Forum application definitions and third parties that are based on the NDEF data format).
So in fact you can use arbitrary data format or NDEF, for the data itself you can follow RTD recommendations or not... It is up to you.
For tag writing you can buy some existing software and a USB NFC reader/writer, or you can program your own software - this is more difficult, since you must know the hardware characteristics of the tag you would like to use.
All tags allow permanent data locking.
Regards,
STeN
www.mautilus.com, petr.mazanec#mautilus.com
For Android devices, you would create a tag with a so-called Android Application Record (AAR). The AAR contains the package name of your application, and, using a technology called Beam, Android automatically launches your application. You are then free to access the other records contained within the NDEF message, which then probably would contain the id of the shop somehow, and contact your site.
I have tried AAR already and it works, also I have created an NFC Eclipse plugin which would get you up and running in no time, if you have an Android phone and some tag, of course ;-)
What is the general workflow that I would develop to use wristbands equipped with NTAG213 NFC in order to authenticate gym members?
Currently in our database we have a "CardCode" field. In actuality it is named Barcode, but that is because the current method of authenticating is showing a barcode to a scanner that corresponds with a unique member.
Is the general workflow with NTAG213 that I would "write" this member identifying information to the tag, and then when that member tries to check in it would attempt to read this field?
My previous experience with radio technology is with RFID tags that would come pre-written from the manufacturer with a site code and card code. Different vendors have different arrangements of the bits for site code, card code, and parity bits - so you have to know the bit format to read the tags and authenticate the member.
I get the feeling that the NTAG213 works more like a disk, I use a password from the MFG to be able to write to the NTAG213 and my readers use the information to authenticate. I suppose with this type of tech it would be unreasonable to have the MFG to pre-write something? I really don't know what the flow is.
For bonus, any example code with android.nfc would be awesome (I'm targeting Newland Nquire 304 (Android KitKat 4.4)).
Please advise.
A good place to start is the Tag's datasheet
At the low level the tag acts like a 2-dimensional array of memory, 4 bytes wide and of varying length.
As it is NFC Type 2 compliant you can use the NFC standard NDEF data encoding format, and various OSes have methods to write NDEF encoded data without you having to worry about fitting the data correctly into the 2-dimensional memory array.
Most cards come from the factory blank (but some vendors can add data to them for you with a cost).
While NTAG213 tags usually come from the factory with no password set on them, you have to set your own. The password can be set for write operations or for both read and write operations.
The cards can also be made NDEF read-only but I would not recommend that, instead use the password.
How you use them depends on the level of security that is needed (to stop people cloning the cards to share one gym membership) and on if you want customers to read their own tags or if only certain hardware is required to read the tags that is tightly controlled.
Generally I would limit the hardware that can read/write to the tag, then you can set a password on read and write operations.
Then there would be 2 workflows.
New member:
1. Get a blank tag
2. Configure the password for read and write
3. Authenticate with the password
4. Format the card for NDEF
5. Encode the data you want on the card using one or more NDEF records; at minimum, this should be your own unique ID (never use the tag's UID, as these are not unique, can be cloned and are not protected by the password)
Gym check-in:
1. Authenticate with the password
2. Read the data from the tag (at least the unique ID you have written to the tag)
I would recommend you use the enableReaderMode Android API for tag detection; some code for that is at https://stackoverflow.com/a/59397667/2373819
There are a lot of examples out there that use the older Android API enableForegroundDispatch but this is less reliable especially for writing data.
Overall you need to make decisions about what you want to store on the tag and how you want to use it before you can decide how to write the code, otherwise the question is too big to answer in detail.
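To make the memory model in this answer concrete, here is an added Python model (not code from the answer, from NXP or from Android) of how a Type 2 tag such as the NTAG213 stores an NDEF message in 4-byte pages, and how a read password protects the NDEF pages while the UID in pages 0-1 stays readable, which is why the answer says to write your own ID rather than trust the UID. The capability container value, the user-memory range and the AUTH0/PROT/PWD/PACK names follow the NTAG213 datasheet; the password check itself is simplified (no AUTHLIM attempt counter, no write path), and the UID, password and NDEF Text record bytes are constructed for the example.

```python
"""Model of an NFC Forum Type 2 tag (NTAG213 page layout) storing an NDEF
message, with a read password that protects the NDEF pages but not the UID.
Added illustration; simplified, not a driver for a real tag."""

PAGE = 4                        # a Type 2 page is 4 bytes wide
USER_FIRST, USER_LAST = 4, 39   # NTAG213 user memory: 36 pages = 144 bytes
CC_NTAG213 = bytes([0xE1, 0x10, 0x12, 0x00])   # capability container (page 3)

# Constructed NDEF message for the example: one Text record, "en", "M-0042".
NDEF_TEXT_RECORD = bytes([0xD1, 0x01, 0x09, 0x54, 0x02]) + b"enM-0042"


def tlv_wrap(ndef: bytes) -> bytes:
    """Wrap an NDEF message in the NDEF TLV (0x03, length) plus a terminator TLV."""
    if len(ndef) >= 0xFF:
        raise ValueError("3-byte TLV length form not modelled here")
    return bytes([0x03, len(ndef)]) + ndef + b"\xFE"


def to_pages(data: bytes, first_page: int) -> dict:
    """Split data into 4-byte pages from first_page, zero-padding the last page."""
    return {first_page + i // PAGE: data[i:i + PAGE].ljust(PAGE, b"\x00")
            for i in range(0, len(data), PAGE)}


class Type2Tag:
    """UID in pages 0-1, CC in page 3, NDEF TLV from page 4 onwards.
    AUTH0 is the first page that needs PWD_AUTH; PROT decides whether that
    applies to reads as well as writes (only reads are modelled here)."""

    def __init__(self, uid: bytes, ndef: bytes):
        if len(uid) != 7:
            raise ValueError("NTAG213 has a 7-byte UID")
        body = tlv_wrap(ndef)
        if len(body) > (USER_LAST - USER_FIRST + 1) * PAGE:
            raise ValueError("NDEF message does not fit in user memory")
        self.pages = {0: uid[:3] + b"\x00",   # BCC0 check byte omitted in the model
                      1: uid[3:7],
                      2: bytes(PAGE),          # BCC1 / internal / lock bytes
                      3: CC_NTAG213}
        self.pages.update(to_pages(body, USER_FIRST))
        self.auth0, self.prot_read = 0xFF, False   # factory state: nothing protected
        self.pwd, self.authenticated = None, False

    def set_password(self, pwd: bytes, first_protected_page: int, protect_read: bool):
        """Equivalent of writing PWD/PACK and the AUTH0/PROT configuration."""
        self.pwd, self.auth0, self.prot_read = pwd, first_protected_page, protect_read

    def pwd_auth(self, pwd: bytes) -> bool:
        # a real tag also counts failed attempts (AUTHLIM); omitted here
        self.authenticated = self.pwd is not None and pwd == self.pwd
        return self.authenticated

    def read_page(self, n: int) -> bytes:
        if self.prot_read and n >= self.auth0 and not self.authenticated:
            raise PermissionError("page %#x requires PWD_AUTH" % n)
        return self.pages.get(n, bytes(PAGE))


def uid_of(tag: Type2Tag) -> bytes:
    """Pages 0-1 are readable even on a read-protected tag: the UID is never secret."""
    return tag.read_page(0)[:3] + tag.read_page(1)


def read_ndef(tag: Type2Tag) -> bytes:
    """Walk the TLVs in user memory and return the NDEF message bytes."""
    raw = b"".join(tag.read_page(p) for p in range(USER_FIRST, USER_LAST + 1))
    i = 0
    while i < len(raw):
        t = raw[i]
        if t == 0x00:               # NULL TLV: padding
            i += 1
            continue
        if t == 0xFE:               # terminator TLV
            break
        length = raw[i + 1]
        if t == 0x03:
            return raw[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("no NDEF TLV found")


def demo():
    """Issue a tag with a read password; the UID stays readable, the NDEF data does not."""
    tag = Type2Tag(bytes.fromhex("04a1b2c3d4e5f6"), NDEF_TEXT_RECORD)   # constructed UID
    tag.set_password(b"\x11\x22\x33\x44", first_protected_page=USER_FIRST, protect_read=True)
    uid = uid_of(tag)
    try:
        read_ndef(tag)
        locked = False
    except PermissionError:
        locked = True
    tag.pwd_auth(b"\x11\x22\x33\x44")
    return uid, locked, read_ndef(tag)


if __name__ == "__main__":
    print(demo())
```

The `demo()` run shows the two facts the answer relies on: `uid_of()` succeeds on a read-protected tag, and `read_ndef()` raises until `pwd_auth()` has been performed. On real hardware, the 4-byte password is sent in a PWD_AUTH command over the air, so a reader that must authenticate is a reader that carries the password; that is why the answer recommends restricting which hardware may read the tags.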
I have an android device with this app installed on it. Then have a second device that I have factory-reset. Both are NFC enabled. And I am trying to provision the second device with a device owner application. I want to understand how this works. I am under the impression that when I bump the two devices together, something should happen. However, nothing happens. Both devices are on and I believe that I am bumping them in the right places. I have not worked with NFC before.
On the NFCProvisioning app provided by Google, that I linked above, I can see that the wifi ssid, and password are set in the ndef message. However, the url to the deviceowner app is not set anywhere. How will the device being provisioned know how to download the apk?
Also what about this nfcprovisioning.txt? Please, can someone who has done this before help me out. Many thanks!
So now I have more time, I can give a full answer.
So some background on Android and NFC first.
The Android OS has some built in parsing and handling of some types of data on NFC cards, it will handle cards with NDEF messages on them.
When an NFC card is presented the OS will attempt to read and understand the card. If there is no app running that has expressed an interest in NFC NDEF messages, it will handle some types of NDEF messages in certain ways.
E.g. If the NDEF message contains record with the Mime Type saying "Web Address" the OS will launch a web browser (or ask the user which web browser to open the URL in)
An NDEF message can also contain an "Android Application Reference" or AAR record; this specifies a package name that should handle the data on the card. If that application is not installed it will open up Google Play to install it.
(https://developer.android.com/guide/topics/connectivity/nfc/nfc.html#aar)
Details on Mime Types and AAR at https://developer.android.com/guide/topics/connectivity/nfc/nfc.html#create-records
This is all done by the OS creating an Intent from the NDEF data and passing it to applications.
So, more specifically: NFCProvisioning creates an NDEF message of a special MIME type "application/com.android.managedprovisioning" that Android understands is about device provisioning, and that tells it to use the package name it was given, or "com.example.android.deviceowner" or "com.example.android.deviceowner/.DeviceOwnerReceiver" if none is given.
The package name could be one found on the Play Store, but it also has an option to specify a URL to download the management app package from.
There is other data included in the NDEF message too, like Wi-Fi details, time zone etc., which will be passed on to the device provisioning app.
Details of what can be passed is at https://developer.android.com/reference/android/app/admin/DevicePolicyManager#MIME_TYPE_PROVISIONING_NFC I believe
The problem you might be suffering is that the method the provisioner device uses to send the data is NfcAdapter#setNdefPushMessage http://developer.android.com/reference/android/nfc/NfcAdapter.html#setNdefPushMessage(android.nfc.NdefMessage,%20android.app.Activity,%20android.app.Activity...) which has been deprecated in API level 29 / Android 10 (and no longer works)
see the issues raised on this https://github.com/android/enterprise-samples/issues/27
I have not used this process before, but looking at the code the "nfcprovisioning.txt" is just a text file you can load in that stores the values of the key=value pairs instead of having to type them in to the App every time.
e.g. it would have lines like the following for the data you want to provision:
EXTRA_PROVISIONING_WIFI_SSID=someWifiSSid
I am making an app using NFC tags and I have to prevent the NFC tag from cloning. I have seen many other NFC tags which, when someone tries to clone them, show a pop-up message "Cloning is restricted, tag is secured by secret key". I want the same security for my NFC tag.
That depends on what type of tag you use and what level of protection against cloning you want.
NFC tags (as defined by the NFC Forum) have no protection against cloning. Such tags are intended as containers for freely readable data (so called NDEF messages). Anyone could read an NDEF message from one tag and duplicate it to another tag.
Many NFC tags also contain a unique identifier that is pre-programmed by the tag manufacturer and cannot be modified on normal tags. You could use this unique identifier to determine if a tag was issued by you (i.e. you know its id) or forged (i.e. you don't know its id). Instead of using a list of genuine ids, you could also create a digital signature over the tag's id and its data. That way, you could find out if data and signature are used on a tag with a different unique identifier. However, all data can still be extracted from your tag. Therefore, you should be aware of the fact that specialized hardware (e.g. Proxmark, etc.) and ready-made tags are available where an attacker can change the unique identifier to the value of your tag's id. So this is certainly not perfect cloning protection.
You could use a contactless smartcard/tag that provides communication encryption and shared-key based access control (e.g. MIFARE DESFire). With this approach, you could store data that you do not want an attacker to be able to clone in a key-protected memory area. However, if you want to be able to read that data from within your app (i.e. without having an online backend that directly communicates with the card), you would need to store the key to access the memory area within your app. Consequently, in an offline scenario (i.e. key stored in app), an attacker might be able to extract that key and use it to clone the tag.
You could use a tag/smartcard that contains a secret asymmetric key and provides a command to sign a cryptographic challenge with that key. In that case, in order to verify if the tag is genuine, you could request such a signature from the tag for a random challenge and verify the signature against the tag's corresponding public key. This would certainly be the most secure solution as you do not need to store any shared secret within your app. The only ready-made NFC tag solution (that I'm currently aware of) that provides such functionality seems to be Inside Secure's VaultIC. Though you could create one yourself based on the asymmetric crypto functionality of a contactless smartcard (e.g. a Java Card).
Note that for all of the above cloning-protection scenarios you would have to create an app that checks if a tag is genuine or cloned. By default NFC phones only use the information in (1) and therefore do not perform any such checks.
Yes, meanwhile it's possible to prevent cloning a tag.
There is a new tag called the NTAG 413 - which can generate a new NDEF message every single time you tap it (using AES crypto). This way it's not necessary to have a separate app installed on your smartphone. You can incorporate the encryption in the URL of an NDEF record for example and the host server can encrypt it with the same key. In case of a copy, the server will recognize it.
Some companies already offer them in different form factors, for key cards (hotels or access). More info can be found in this link but it's German..
https://www.variuscard.com/plastikkarten/chipkarten/nfc-ntag-413-dna/
While the original answer was correct it's getting a little bit out of date. Michael's addition (Oct 10, 17) added the NTAG413. There's now another additional NTAG424 DNA authentication NFC chip, which works in the same way. HID's Trusted Tag works in a similar way and there are increasingly others.
Essentially the chips create a new unique code based on a stored key on each tap/scan. Code can be verified from a server.
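The two server-side checks discussed in this thread, as an added Python example (not code from any of the answers, from NXP or from HID): first the static binding from the earlier answer, where a signature over the tag's UID and its data is written to the tag so that the same data copied to a tag with a different UID fails verification; second the per-tap code that the NTAG 413/424 DNA style chips emit, a keyed code over the UID and a counter the tag increments, which a server verifies and which cannot be replayed from a copy. HMAC-SHA256 from the standard library stands in for the digital signature of the first case and the AES-based code of the second; the key stays on the verifying server, so nothing secret is stored in the phone app. UIDs, keys and data are constructed for the example.

```python
"""Server-side authenticity checks for NFC tags (added illustration).
 1. Static binding: MAC over (UID || data) stored on the tag; copying the
    data and MAC to a tag with another UID fails the check.
 2. Dynamic per-tap code: MAC over (UID || counter) with a per-tag key; the
    server keeps the highest counter seen and rejects replays.
HMAC-SHA256 stands in for the real chips' signature / AES CMAC."""
import hmac
import hashlib
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC over the concatenated parts (domain-separated by a label)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


# ---- 1. static binding: signature over UID + data written to the tag ----
def issue_static(key: bytes, uid: bytes, data: bytes) -> bytes:
    """Run by the issuer: returns the code to write on the tag beside the data."""
    return _mac(key, b"static", uid, data)


def verify_static(key: bytes, uid: bytes, data: bytes, sig: bytes) -> bool:
    """Run by the verifier with the UID read from the tag, not from the data."""
    return hmac.compare_digest(sig, _mac(key, b"static", uid, data))


# ---- 2. dynamic per-tap code, NTAG 413/424 DNA style ---------------------
class DynamicTag:
    """Model of a tag that holds a secret key and a tap counter it increments."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key, self.counter = uid, key, 0

    def tap(self):
        """Each tap yields (uid, counter, code); a real chip mirrors these into the NDEF URL."""
        self.counter += 1
        code = _mac(self._key, b"tap", self.uid, self.counter.to_bytes(3, "big"))
        return self.uid, self.counter, code


class Server:
    """Holds the per-UID keys and the highest counter accepted for each tag."""

    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def enrol(self, uid: bytes) -> bytes:
        """Generate a fresh key for a tag at issue time and return it for personalisation."""
        self.keys[uid] = secrets.token_bytes(16)
        self.last_counter[uid] = 0
        return self.keys[uid]

    def verify_tap(self, uid: bytes, counter: int, code: bytes) -> bool:
        key = self.keys.get(uid)
        if key is None or counter <= self.last_counter[uid]:
            return False                     # unknown tag, or a replayed/copied code
        expected = _mac(key, b"tap", uid, counter.to_bytes(3, "big"))
        if not hmac.compare_digest(code, expected):
            return False
        self.last_counter[uid] = counter     # advance only after a good code
        return True


def demo():
    """Genuine vs copied static tag, then first tap, replay and second tap of a dynamic tag."""
    issuer_key = b"\x01" * 16                        # constructed key
    genuine_uid = bytes.fromhex("04aabbccddeeff")   # constructed UIDs
    cloned_uid = bytes.fromhex("04112233445566")
    data = b"member=0042"
    sig = issue_static(issuer_key, genuine_uid, data)
    ok_genuine = verify_static(issuer_key, genuine_uid, data, sig)
    ok_copied = verify_static(issuer_key, cloned_uid, data, sig)

    server = Server()
    tag = DynamicTag(genuine_uid, server.enrol(genuine_uid))
    first = tag.tap()
    ok_first = server.verify_tap(*first)
    ok_replay = server.verify_tap(*first)            # same code presented again
    ok_second = server.verify_tap(*tag.tap())
    return ok_genuine, ok_copied, ok_first, ok_replay, ok_second


if __name__ == "__main__":
    print(demo())
```

The static check fails only because the UID differs; as the earlier answer notes, a tag whose UID can be rewritten defeats it, which is exactly the gap the counter-based code closes: the attacker can copy one tap's code but cannot produce the next one without the key inside the chip.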
There is no guaranteed way to restrict the NFC tag from getting cloned, as all NFC tags are by default. Other apps use a secret key within an NFC tag, but that also can be cracked.
I have an app that designs personalized tags that, when they are detected by an Android phone, launch another app with some content. It all works fine and I know how to make a read-only NFC tag. The problem is, I would like to make an NFC tag only readable by users of the other app. But I also want to be able, if necessary, to modify these tags so they can be rewritten. But I want to prevent users from doing it themselves.
That's why ndef.makeReadOnly() is not appropriate for me.
Can anyone help me?
It depends somewhat on the exact tags you will be using. The standard NFC Forum tag types for storing NDEF messages that Android supports have no specific functionality defined for this. So the Android API does not provide it either. There is only makeReadOnly(), which in most cases makes the tag irreversibly read-only.
However, when you look at the chips inside the tags that actually implement the required NFC functionality, they often provide more functions. These extra functions may include access control for writing, allowing the chip to be configured like you want.
Some examples (all manufactured by NXP, as I am most familiar with those):
MIFARE Classic: the memory sectors are protected by 2 keys. One key can be configured for read-only, while the other can be used to write the memory. NB: not all Android devices can access these!
MIFARE Ultralight C: can provide additional password protection to prevent overwriting
MIFARE DESFire: multiple authentication keys and access rights can be configured, including read-only access without keys
ICODE SLI(X)-S: can provide additional password protection to prevent overwriting
Most of these tags are generally available for sale on-line. You will have to hunt a bit on the internet to gather all the information on how the configuration has to be done, though. There is PC software available in most cases.
The only 100% way to make an NFC tag "read only" is to call makeReadOnly(), but this is irreversible.
You can use "out of the box" solution, like:
do not write data on the NFC tag but instead save it locally (if data is limited to one device) or to a server/cloud (if data is global)
link your NFC Tag ID (getByteArrayExtra(NfcAdapter.EXTRA_ID)) with your saved data
when NFC Tag is read get its ID and find proper data via proper source (local or cloud DB)
If the second app is a "third party app" and cannot work with the above solution, you can register your own NFC reading app (intent with the right mimeType filter) and then pass your data (point no. 3) to the main app using sendIntent (or a similar supported method).
Hope it helps!
I am looking for a way to create an NFC tag that shares the Wi-Fi credentials of my network without my guests having to have any special NFC apps on their phone (other than what's coming with the phone).
I have been looking at apps and services like NFC Tag Writer, WifiTap, NFC Task Launcher and NFCLabels.com, but it seems to me like I would need to have the apps on the guest mobile as well to be able to use it, but I am not able to test it as I only have one NFC-enabled phone available. (Yes, I know, twisting my brains for nothing, but heck, weird behaviour is nothing new...)
My closest clue is that WifiTap states that:
The app processes URIs in the format of wifi://[network ssid]/[wep|wpa|open]/[network key]
If this is actually universal this would mean that I could do what I want to, but I have not found any confirmation on this. So, how could what I want be done, and am I on the right track with the clue from WifiTap?
As Alex wrote in a comment, you can now (since Lollipop) write a tag containing Wi-Fi credentials directly from the Android Wi-Fi settings: long-tap a network → Write to NFC tag.
It seems to be an NDEF-formatted tag with the application/vnd.wfa.wsc MIME type and a "WPS NFC" token.
The relevant source code can be found in platform/packages/apps/Settings/src/com/android/settings/wifi/WriteWifiConfigToNfcDialog.java.
There is an official standard for this kind of situation: NFC Forum Connection Handover Technical Specification. However, this is currently not supported by Android. I don't think there is currently any way to transfer WiFi credentials using NFC without the help of a dedicated app.
One way of going about this is to create (or find) an app in the Google Play Store that has the following properties:
Intent filter for ACTION_NDEF_DISCOVERED and as URI the URL of the app in the Play Store.
Intent filter for ACTION_NDEF_DISCOVERED and as type some proprietary type (e.g. a MIME type)
Then you can create tags with an NDEF message containing the following NDEF records:
SmartPoster record with Play Store URI and some descriptive text (e.g. name of the app)
Record of proprietary type containing the WiFi credentials
Android Application Record for the app
The 3rd record will make sure that the proper app will always be started or the device user will be redirected to the Play Store to install it. This works only on ICS, however, but the 1st record (combined with the 1st intent filter) serves the same purpose on Gingerbread.
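The three-record NDEF message this answer describes, built and parsed in Python as an added example (not code from the answer, from Android or from any of the apps named on this page). It also covers the AAR mentioned in the earlier loyalty-card answer and the MIME record of the provisioning answer, since all three are the same NDEF record structure with a different TNF and type. The Play Store URL, app name, package name, proprietary MIME type and credential payload format are constructed placeholders; the record header layout (MB/ME/SR/IL flags, TNF, URI identifier codes, nested Smart Poster message) follows the NFC Forum NDEF and RTD specifications.

```python
"""Encode and decode an NDEF message: Smart Poster + proprietary MIME record +
Android Application Record.  Added example with constructed values."""
import struct

TNF_WELL_KNOWN, TNF_MIME, TNF_EXTERNAL = 0x01, 0x02, 0x04
FLAG_MB, FLAG_ME, FLAG_SR, FLAG_IL = 0x80, 0x40, 0x10, 0x08


def record(tnf: int, rtype: bytes, payload: bytes, first=False, last=False) -> bytes:
    """One NDEF record; the short-record form is used when the payload is < 256 bytes."""
    sr = len(payload) < 256
    flags = (FLAG_MB if first else 0) | (FLAG_ME if last else 0) | (FLAG_SR if sr else 0) | tnf
    header = bytes([flags, len(rtype)])
    header += bytes([len(payload)]) if sr else struct.pack(">I", len(payload))
    return header + rtype + payload


def message(records: list) -> bytes:
    """Join (tnf, type, payload) tuples, setting MB on the first and ME on the last record."""
    n = len(records)
    return b"".join(record(t, ty, p, first=i == 0, last=i == n - 1)
                    for i, (t, ty, p) in enumerate(records))


def uri_payload(uri: str) -> bytes:
    """'U' record payload: one identifier-code byte for a known prefix, then the rest."""
    prefixes = {0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}
    for code, prefix in sorted(prefixes.items(), key=lambda kv: -len(kv[1])):
        if uri.startswith(prefix):
            return bytes([code]) + uri[len(prefix):].encode()
    return b"\x00" + uri.encode()            # 0x00: no abbreviation


def text_payload(text: str, lang: str = "en") -> bytes:
    """'T' record payload: status byte (UTF-8, language length), language code, text."""
    return bytes([len(lang)]) + lang.encode() + text.encode()


def smart_poster(uri: str, title: str) -> bytes:
    """'Sp' payload is itself an NDEF message holding a URI record and a Text record."""
    return message([(TNF_WELL_KNOWN, b"U", uri_payload(uri)),
                    (TNF_WELL_KNOWN, b"T", text_payload(title))])


def build_wifi_tag(play_store_url: str, app_name: str, mime_type: str,
                   credentials: str, package: str) -> bytes:
    """Records 1-3 from the answer: Smart Poster, proprietary MIME record, AAR."""
    return message([
        (TNF_WELL_KNOWN, b"Sp", smart_poster(play_store_url, app_name)),
        (TNF_MIME, mime_type.encode(), credentials.encode()),
        (TNF_EXTERNAL, b"android.com:pkg", package.encode()),   # the AAR
    ])


def parse(msg: bytes) -> list:
    """Decode a message into (tnf, type, payload) tuples, skipping any record ID."""
    out, i = [], 0
    while i < len(msg):
        flags, tlen = msg[i], msg[i + 1]
        sr = flags & FLAG_SR
        plen = msg[i + 2] if sr else struct.unpack(">I", msg[i + 2:i + 6])[0]
        i += 3 if sr else 6
        idlen = 0
        if flags & FLAG_IL:
            idlen, i = msg[i], i + 1
        rtype, i = msg[i:i + tlen], i + tlen
        i += idlen                              # ID field, if present
        payload, i = msg[i:i + plen], i + plen
        out.append((flags & 0x07, rtype, payload))
        if flags & FLAG_ME:
            break
    return out


def demo() -> bytes:
    return build_wifi_tag(
        "https://play.google.com/store/apps/details?id=com.example.wifitag",  # placeholder
        "Example Wi-Fi tag",
        "application/vnd.example.wifi",          # constructed proprietary type
        "ssid=GuestNet;key=constructed-passphrase",
        "com.example.wifitag")


if __name__ == "__main__":
    for tnf, rtype, payload in parse(demo()):
        print(tnf, rtype, payload[:40])
```

The same `record()` call with `TNF_MIME` and the type `application/com.android.managedprovisioning` produces the record from the provisioning answer above; only the payload format differs. Note that the credentials in the MIME record are stored in the clear, which is why the answer on read-only tags and passwords matters if the tag is left somewhere guests can copy it.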
I've created an app which actually writes networks to tag in a standardized way - the problem is that Android does not currently recognize the handover records and automagically add them. And maybe that is all right - after all there is more to adding a network than just adding a network; you might for example verify the composer of the tag contents and so on.
Also, if you'd like to write more than one network to a tag, there might simply not be enough space to do it in the right (using standardized records) way.
I may have the wrong end of the stick, but with the app NFC Tools downloaded from the Play Store you can write a Wi-Fi network onto a tag that, when scanned with default Android 5.0.2 on a Nexus 7 2013, opens a message box asking confirmation for the Wi-Fi connection, although this has always failed bar o
A URI of the form WIFI:T:WPA;S:SSID;P:PASSPHRASE;; will set WiFi if encoded to a QR code and scanned; but when encoded to an NFC tag it is unrecognized as a URI. This suggests to me that the NFC API is deficient in Android.