As Near Field Communications (NFC) is integrated into our daily lives more and more (credit/debit cards and mobile payments, transit systems, ticketing systems), application developers should understand the risks of implementing NFC in mobile applications. This talk covers several current and proposed NFC implementations with case studies including attacks and mitigations, as well as the hardware basics behind NFC to better help developers and security testers understand the inherent strengths and limitations of NFC. The presentation will cover the ISO 14443 A and B standards, waveform modulation, and propagation across the RF channel. Demo attacks against NFC applications, including misdirecting FourSquare check-ins and malware which can intercept NFC intents to launch rogue applications, will be shown. Ensuring users’ privacy becomes a key concern as more companies roll out NFC. We will show the data popular NFC enabled applications store including how it could be used to track when and where a device had been used. While the focus will primarily on Android based NFC applications, the security best practices apply in general for other NFC enabled devices such as products from RIM and Nokia. The presentation includes an in depth look at the NFC Data Exchange Format (NDEF) which is found across devices. Understanding and fuzzing this format can lead to parsers failing and crashing on malformed input as will be demonstrated against Android’s Tags application.
