androidnfc

Storing user data on NFC card


I'm trying to make an app to allow users to store their information (e.g. name) on an NFC card and I've been thinking.

Is it safe to store user data on the card? I don't want them reading the data or writing anything on the card with another app but I still need to be able to update their info with the app I made.

If it's not safe I will just use a token that is sent to a server and get the data from a remote database. I didn't want to do that since then users would need to be connected to Wi-Fi.

Thanks for help.


Solution

  • This depends on the level of security you require. Nothing is totally secure, but you can make it very hard for others to get access to the data (e.g. requiring decompilation of your app, or custom NFC hardware/software for things like "man in middle" attacks, etc.).

    Things that can be done to improve security:

    • Custom data format (don't use NDEF)
    • Some NFC Tags offer password protection with password limiting
    • Not storing the password in your App but getting it from Wi-Fi or another source
    • Not using the same password on every Tag
    • Some NFC Tags offer data encryption of the RF channel and other enhanced security features like more encryption and authentic verification.
    • Encrypt/decrypt the data using your own encryption
    • Tying the data to the Tag's UID (while the UID is not unique and some Tags have knock-off versions available with changeable UIDs, with the right choice of Tag this can add some complexity for people to get around)

    For a casual level of security, choosing a Tag with password protection and limiting should probably prevent other off-the-shelf Apps from accessing the data.

    But again, nothing is totally secure. Even things like contactless bank cards use backend monitoring of transactions to try to prevent security issues, by demanding that the user provides additional validation using chip and PIN or other 2-factor auth like SMS validation, or they just block the transaction.
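
The following is an added example, not part of the answer above or of any project's code. It shows one way to combine three of the listed measures: a different key per Tag, app-level encryption, and tying the data to the Tag's UID. It assumes AES-GCM with a per-tag key derived by HMAC-SHA256 from a master key; the class name `TagRecord`, the label `tag-data-v1`, the all-zero demo key and the UIDs are constructed for illustration, and on Android the UID would come from `Tag.getId()`.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
public class TagRecord {
    static final int NONCE_LEN = 12, TAG_BITS = 128;
    // Per-tag key = HMAC-SHA256(masterKey, label || uid), so no two tags share a key.
    static SecretKeySpec tagKey(byte[] masterKey, byte[] uid) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
        mac.update("tag-data-v1".getBytes(StandardCharsets.US_ASCII));
        return new SecretKeySpec(mac.doFinal(uid), "AES"); // 32 bytes -> AES-256
    }

    // Record layout written to the tag: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
    static byte[] seal(byte[] masterKey, byte[] uid, byte[] plain) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // fresh nonce on every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, tagKey(masterKey, uid), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(uid); // authenticated, not stored: binds the record to this UID
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the record was altered or copied from a tag with another UID.
    static byte[] open(byte[] masterKey, byte[] uid, byte[] record) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, tagKey(masterKey, uid), new GCMParameterSpec(TAG_BITS, record, 0, NONCE_LEN));
        c.updateAAD(uid);
        return c.doFinal(record, NONCE_LEN, record.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] master = new byte[32]; // constructed demo key (all zeros), never use as a real key
        byte[] uidA = {0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; // constructed 7-byte UIDs
        byte[] uidB = {0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x67};
        byte[] rec = seal(master, uidA, "name=Alice".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(master, uidA, rec), StandardCharsets.UTF_8));
        try { open(master, uidB, rec); }
        catch (AEADBadTagException e) { System.out.println("rejected: UID mismatch"); }
    }
}
```

Each record carries 28 bytes of overhead (nonce plus GCM tag), which matters on small tags. The UID binding only stops copies onto tags whose UID cannot be changed, and the scheme is only as strong as the protection of the master key.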