
WebAPI/Security/WebNFC

1,797 bytes added, 16:29, 27 March 2015
add threat model
One risk could be that a user leaves their phone on the corner of a desk or in their pocket while NFC is enabled, and that somebody shares content with it without the user being aware of it (in the street, in the office, etc.). This is mitigated by the fact that NFC is disabled automatically when the screen is off and/or locked.
== Use cases / Security & Privacy considerations ==
Ref: https://webbluetoothcg.github.io/web-bluetooth/use-cases.html#risks
Communication range: 4 cm or less
Possible sources for content:
* NFC cards (passive)
* NFC tags (passive)
* Device with NFC enabled (active)
 
{| class="wikitable"
| Action || User prompt || Potential threats || Mitigations
|-
| Reading a tag
|| no <br/>
works when screen off: no <br/>
works when screen locked: no <br/>
|| Loading malicious content the user is unaware of:
* Browser loading a malicious URL
* Adding a contact to the Contact list
|| NFC is disabled when the screen is off
|-
|Sharing content (writing on a tag / NFC handover + BT)
|| yes (sharing UI)<br/>
<br/>works when screen off: no
<br/>works when screen locked: no
<br/>NB: A photo taken from the Camera while the phone is still PIN-locked can’t be shared from the Preview panel
||
|-
| Receiving shared content (NFC handover + BT)
|| no (notification after file is received)<br/>
works when screen off: no<br/>
works when screen locked: no
|| Devices stay paired for BT: no
|| forced browsing?
||
|-
| App spoofs a web activity associated with NFC (e.g. sends nfc-ndef-discovered)
|| 
||
|| Probably ok
|-
| User places phone on something which is NFC enabled. The NFC device spams the phone with unwanted material.
|| no
|| E.g.: stick an NFC tag to the back of someone's phone; it will also navigate to a URL when you unlock.
||
|-
| NFC-enabled Bluetooth for file transfers. Can an attacker take advantage of this?
||
||
|| BT turned off after transfer is done if it was off in the settings.
|}
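The "Reading a tag" row above, as an added example (not code from this wiki page or from the WebNFC implementation): a minimal NDEF parser that reports which unprompted action each record on a tag would trigger, after applying the screen-off/locked mitigation. The function names, the `screen` object, the mapping of vCard MIME records to "add-contact" and the sample tag are assumptions made for illustration; the record layout follows the NFC Forum NDEF and URI record formats.

```javascript
// Added example. URI prefix codes 0x00-0x04 from the NFC Forum URI record type.
const URI_PREFIX = ["", "http://www.", "https://www.", "http://", "https://"];
const utf8 = (b) => new TextDecoder().decode(b);

// Parse an NDEF message (Uint8Array) into {tnf, type, payload} records.
// Throws on truncated input and on chunked records, which this sketch does not handle.
function parseNdef(bytes) {
  const records = [];
  let i = 0;
  const need = (n) => { if (i + n > bytes.length) throw new Error("truncated NDEF"); };
  while (i < bytes.length) {
    need(2);
    const hdr = bytes[i++];            // MB|ME|CF|SR|IL|TNF(3 bits)
    const typeLen = bytes[i++];
    if (hdr & 0x20) throw new Error("chunked record");
    let payloadLen;
    if (hdr & 0x10) { need(1); payloadLen = bytes[i++]; }   // short record
    else {
      need(4);
      payloadLen = ((bytes[i] << 24) | (bytes[i + 1] << 16) | (bytes[i + 2] << 8) | bytes[i + 3]) >>> 0;
      i += 4;
    }
    let idLen = 0;
    if (hdr & 0x08) { need(1); idLen = bytes[i++]; }
    need(typeLen + idLen + payloadLen);
    const type = utf8(bytes.slice(i, i + typeLen));
    i += typeLen + idLen;
    records.push({ tnf: hdr & 0x07, type, payload: bytes.slice(i, i + payloadLen) });
    i += payloadLen;
    if (hdr & 0x40) break;             // ME: last record of the message
  }
  return records;
}

// What would a tag trigger without a prompt? `screen` is a hypothetical state object.
function tagActions(bytes, screen) {
  if (screen.off || screen.locked) return [];   // the table's mitigation: NFC is disabled
  return parseNdef(bytes).map((r) => {
    if (r.tnf === 0x01 && r.type === "U" && r.payload.length > 0) {
      const prefix = URI_PREFIX[r.payload[0]];
      if (prefix === undefined) return { action: "other-uri" };
      return { action: "open-url", value: prefix + utf8(r.payload.slice(1)) };
    }
    if (r.tnf === 0x02 && /^text\/(x-)?vcard$/i.test(r.type)) return { action: "add-contact" };
    return { action: "ignore" };
  });
}

// Constructed sample tag: one short URI record for https://example.test/x
const samplePath = new TextEncoder().encode("example.test/x");
const SAMPLE_TAG = Uint8Array.from([0xd1, 0x01, samplePath.length + 1, 0x55, 0x04, ...samplePath]);
```

Listing the decoded actions per tag makes it easy to see which rows of the table a given payload falls under before deciding whether a prompt is warranted.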
 
When BT is used with an NFC handover, the risks applicable to the use of Bluetooth apply to NFC use cases too:
https://webbluetoothcg.github.io/web-bluetooth/use-cases.html#security_privacy
[[Category:Web APIs]]
[[Category:Security]]