Status: Open

Labels: ACK_OBTAINED (issue acknowledged from core team so work can be done to fix it), HELP_WANTED (issue for which help is wanted to do the job), NEW_CS (issue about the creation of a new cheat sheet)
Description
What is the proposed Cheat Sheet about?
A short, practical guide to building NFC features safely on iOS and Android. It covers reader/writer, tag, and card-emulation (HCE/SE) use cases and gives clear do/don’t advice with links to the right standards.
What security issues are commonly encountered related to this area?
- Replay (no nonce/counter/TTL) and live relay/distance fraud
- Eavesdropping beyond “a few cm” when data is sent in the clear
- Tag cloning and weak/legacy crypto; UID-based security
- Malicious NDEF/URI actions and deep-link/intent hijacking
- Downgrade to legacy/unauthenticated modes
- Parser bugs and resource abuse (oversized/invalid NDEF/APDU), jamming/DoS
- Provisioning and supply-chain issues (misconfigured or counterfeit tags)
- Payments specifics for Tap-to-Pay/SoftPOS (PCI/EMV compliance, timing, attestation)
What is the objective of the Cheat Sheet?
- Summarize core NFC secure-design principles across common use cases
- Explain common risks and practical ways to reduce them
- Offer high-level iOS and Android considerations to apply the guidance in practice
- Link to MASVS/MASTG and authoritative standards for deeper implementation and testing
What other resources exist in this area?
- OWASP: MASVS/MASTG/MASWE cover mobile requirements and testing; this Cheat Sheet would complement them with prescriptive NFC design guidance
- Standards and vendor docs: NFC Forum (NDEF, Signature RTD, Connection Handover), Android NFC and HCE docs, Apple Core NFC docs
- Payments: PCI MPoC, EMVCo contactless specifications
- Research: relay/distance-bounding, long-range eavesdropping, and legacy tag cryptanalysis
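Added example (Python, not part of this issue or of any OWASP cheat sheet) for two items in the list of common security issues above: parser robustness against oversized or malformed NDEF records, and allow-listing of URI records before any action is taken on them. The size limits, the allowed host `app.example.com`, the constructed sample tags and the abbreviated URI prefix table are assumptions chosen for illustration.

```python
"""Defensive NDEF parsing and URI allow-listing for an NFC reader (added example).

Size limits, the allowed host and the abbreviated URI prefix table are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Policy caps (assumptions): the NFC Forum specs impose none, so the app must.
MAX_MESSAGE_BYTES = 8 * 1024
MAX_RECORDS = 16
MAX_PAYLOAD_BYTES = 4 * 1024

# NFC Forum URI RTD identifier codes, abbreviated (the spec defines 0x00..0x23).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"app.example.com"}   # hypothetical backend of the reader app

TNF_EMPTY, TNF_WELL_KNOWN, TNF_RESERVED = 0x00, 0x01, 0x07


@dataclass
class Record:
    tnf: int
    rtype: bytes
    payload: bytes


def parse_ndef(msg: bytes) -> List[Record]:
    """Parse an NDEF message, rejecting anything inconsistent with its declared framing."""
    if len(msg) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    records: List[Record] = []
    pos = 0
    while pos < len(msg):
        if len(records) >= MAX_RECORDS:
            raise ValueError("too many records")
        hdr = msg[pos]
        pos += 1
        mb, me, cf, sr, il = (hdr >> 7) & 1, (hdr >> 6) & 1, (hdr >> 5) & 1, (hdr >> 4) & 1, (hdr >> 3) & 1
        tnf = hdr & 0x07
        if bool(mb) != (not records):   # MB must be set on the first record only
            raise ValueError("MB flag mismatch")
        if cf:                          # chunked records: refuse rather than reassemble
            raise ValueError("chunked records not accepted")
        if tnf == TNF_RESERVED:
            raise ValueError("reserved TNF")
        need = 1 + (1 if sr else 4) + (1 if il else 0)
        if pos + need > len(msg):
            raise ValueError("truncated record header")
        type_len = msg[pos]
        pos += 1
        if sr:
            payload_len = msg[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(msg[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if il:
            id_len = msg[pos]
            pos += 1
        if payload_len > MAX_PAYLOAD_BYTES:
            raise ValueError("payload too large")
        if tnf == TNF_EMPTY and (type_len or id_len or payload_len):
            raise ValueError("EMPTY record with non-zero lengths")
        end = pos + type_len + id_len + payload_len
        if end > len(msg):              # oversized declared length, caught before slicing
            raise ValueError("declared lengths exceed message")
        rtype = msg[pos:pos + type_len]
        payload = msg[pos + type_len + id_len:end]
        pos = end
        records.append(Record(tnf, rtype, payload))
        if me:
            if pos != len(msg):
                raise ValueError("trailing bytes after ME record")
            return records
    raise ValueError("message ended without ME flag")


def vet_uri(rec: Record) -> str:
    """Decode a URI record and enforce the scheme/host allow-list; raise otherwise."""
    if rec.tnf != TNF_WELL_KNOWN or rec.rtype != b"U":
        raise ValueError("not a URI record")
    if not rec.payload:
        raise ValueError("empty URI payload")
    prefix = URI_PREFIXES.get(rec.payload[0])
    if prefix is None:
        raise ValueError("unsupported URI identifier code")
    uri = prefix + rec.payload[1:].decode("utf-8")   # strict decode: bad UTF-8 raises
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("URI not allowed: " + uri)
    return uri


def first_allowed_uri(msg: bytes) -> Optional[str]:
    """Return the vetted URI of the first record, or None if the tag must be ignored."""
    try:
        return vet_uri(parse_ndef(msg)[0])
    except ValueError:      # UnicodeDecodeError is a ValueError subclass
        return None


def uri_record(code: int, rest: bytes, flags: int = 0xD0) -> bytes:
    """Build one short URI record for test data (MB|ME|SR plus TNF=1 gives header 0xD1)."""
    payload = bytes([code]) + rest
    return bytes([flags | TNF_WELL_KNOWN, 1, len(payload)]) + b"U" + payload


# Constructed sample tags, not captured from real hardware.
GOOD_TAG = uri_record(0x04, b"app.example.com/checkin")
INTENT_TAG = uri_record(0x00, b"intent://pay#Intent;scheme=myapp;end")  # deep-link hijack
TEL_TAG = uri_record(0x05, b"+1900555")                                  # dial a premium number
LOOKALIKE_TAG = uri_record(0x04, b"app.example.com.evil.net/")           # host suffix trick
TRUNCATED_TAG = bytes([0xD1, 0x01, 0xC8]) + b"U" + b"\x04abc"         # declares 200-byte payload
CHUNKED_TAG = uri_record(0x04, b"app.example.com/", flags=0xF0)          # CF bit set

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("intent", INTENT_TAG), ("tel", TEL_TAG),
                      ("lookalike", LOOKALIKE_TAG), ("truncated", TRUNCATED_TAG),
                      ("chunked", CHUNKED_TAG)]:
        print(name, first_allowed_uri(tag))
```

Only `GOOD_TAG` yields a URI; every other sample is rejected before the app would open a browser, dial a number or fire an intent. The same pattern (bound every declared length against the bytes actually present, then allow-list what the content may do) applies to APDU handling in HCE services.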