Apple will be playing a far more prominent role in determining how its customers use NFC than Google, which takes a far more open approach.

There are two areas of NFC integration that Apple is choosing, so far, not to leave in the hands of app developers. The first is tag discovery and the second is the anti-cloning measures used to validate that a tag is not a clone. This first article discusses tag discovery; the next will focus on anti-cloning measures Apple may want to implement within iOS.

NDEF and Tag Discovery

The common notion is that reading NDEF messages is now supported. NDEF is an industry-standard data format that allows interoperability across NFC devices for data exchange. This is an immense step toward NFC becoming ubiquitous. However, two notable features are still needed to fully unleash the potential of NFC: (1) tag discovery, a.k.a. NDEF dispatch, and (2) providing the tag’s unique identifier (UID).

Introduced in the Nexus S of 2010, tag discovery is a feature that allows actions to be taken automatically in response to the user scanning an NFC tag formatted with an NDEF message. It was meant to permit use cases such as smart packaging with additional product information or retail endcaps for in-store rebates. It was a killer feature at the time, since it allowed content (usually URLs) to be pushed to a user’s phone without the need for a pre-installed app. For years, brands and NFC enthusiasts requested that iPhones have the same capability. Without iPhone support, consumer adoption of NFC was low.

Tag discovery is not allowed in the initial Core NFC release. Reading NDEF is great, but it should not be mistaken for automatic tag discovery and NDEF dispatch, since an app is still required to invoke any NFC tag reading. iPhones will be able to scan NFC smart posters or smart packaging, but only with an app installed and running. Surely many such apps will be developed, much in the same way countless QR scanning apps exist.

Content Verification

Currently, iPhones will only attempt to read an NDEF message from a tag when prompted to do so by an app. In contrast, when an NFC tag is brought near an Android NFC device, the tag is automatically scanned for an NDEF message without any app initiating it. Any URLs found are launched automatically, which is a great way to easily push additional product information without needing an app pre-installed. It is also a great way to push phishing links.

Data written on the tag can be verified by having a trustworthy party cryptographically sign it. If such a signature could be automatically extracted and validated, it could greatly accelerate NFC adoption. Without requiring an app, iPhones would then be able to determine the source of the tag’s information so that automatic actions could be enabled without as significant a risk of it being used to push malicious content. So, in the future, if iPhones could automatically determine the trustworthiness of the information stored on the tag, Apple would be able to provide the frictionless experience NFC is known for without sacrificing the security that iPhones are themselves known for.

A precedent for automatic verification already exists: web browsers opening a site over HTTPS automatically verify the server’s identity before loading the page. The NFC Forum has already introduced the Signature RTD standard, which specifies how to sign NDEF data; however, Android’s tag discovery feature does not currently require NDEF messages to be signed in order to take an action, which presents a quite clear security concern. That said, nothing is stopping developers from validating the source of the information from within an app, but Apple may very well want to be able to perform it automatically before they add any automated actions to the iPhone’s NFC capabilities.
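The dispatch rule argued for above, as an added Python example that is not code from Apple, Google or the NFC Forum: parse the raw NDEF message and launch a URL automatically only when a Signature record covering it passes verification. The function names, the open/prompt/ignore policy and the `verify` callback (which stands in for the actual Signature RTD certificate and signature check) are assumptions, as is treating a Signature record as covering the records back to the previous Signature record or the start of the message; only a subset of URI prefix codes is expanded.

```python
URI_PREFIX = {0: "", 1: "http://www.", 2: "https://www.", 3: "http://", 4: "https://"}  # subset

def parse_ndef(data):
    """Split a raw NDEF message into (tnf, type, payload) tuples."""
    records, i = [], 0
    while i < len(data):
        hdr, tlen = data[i], data[i + 1]
        if hdr & 0x20:
            raise ValueError("chunked records are not handled in this example")
        n = 1 if hdr & 0x10 else 4          # SR flag: 1-byte payload length
        plen = int.from_bytes(data[i + 2:i + 2 + n], "big")
        i += 2 + n
        ilen = data[i] if hdr & 0x08 else 0  # IL flag: an ID length byte follows
        i += 1 if hdr & 0x08 else 0
        end = i + tlen + ilen + plen
        if end > len(data):
            raise ValueError("truncated NDEF record")
        records.append((hdr & 0x07, data[i:i + tlen], data[i + tlen + ilen:end]))
        i = end
        if hdr & 0x40:                      # ME flag: last record of the message
            break
    return records

def dispatch_decision(data, verify=lambda covered, sig_payload: False):
    """Hypothetical policy: 'open' a URI only if a verified Sig record covers it."""
    try:
        records = parse_ndef(data)
    except (ValueError, IndexError):
        return ("ignore", None)             # malformed tag: take no action
    uri, covered = None, []
    for tnf, rtype, payload in records:
        if tnf == 1 and rtype == b"Sig":    # Signature record (well-known type)
            if uri is not None:
                return ("open" if verify(covered, payload) else "prompt", uri)
            covered = []                    # next signature starts a new span
            continue
        covered.append((tnf, rtype, payload))
        if uri is None and tnf == 1 and rtype == b"U" and payload:
            uri = URI_PREFIX.get(payload[0], "") + payload[1:].decode("utf-8", "replace")
    return ("prompt", uri) if uri else ("ignore", None)

def short_record(rtype, payload, first=False, last=False):
    """Build one short well-known record (used only for the constructed samples)."""
    hdr = 0x11 | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([hdr, len(rtype), len(payload)]) + rtype + payload

# Constructed samples; the Sig payload is a placeholder, not a real signature.
URI = b"\x04example.com/product/42"
UNSIGNED = short_record(b"U", URI, first=True, last=True)
SIGNED = short_record(b"U", URI, first=True) + short_record(b"Sig", b"placeholder", last=True)
```

The default `verify` rejects everything, so a tag is never opened automatically unless the caller supplies a real verifier; an unsigned or unverifiable URL falls back to asking the user.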

 

June 23, 2017