An NFC research toolkit application for Android
Public repository · Forked from nfcgate/nfcgate
NFCGate
NFCGate is an Android application meant
to capture, analyze, or modify NFC traffic.
It can be used as a research tool to
reverse engineer protocols or assess the
security of protocols against traffic
modifications.
Notice
This application was developed for
security research purposes by students of
the Secure Mobile Networking Lab at TU
Darmstadt. Please do not use this
application for malicious purposes.
Features
- On-device capture: Captures NFC traffic sent and received by other applications running on the device.
- Relay: Relays NFC traffic between two devices using a server. One device operates as a "reader" reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE).
- Replay: Replays previously captured NFC traffic in either "reader" or "tag" mode.
- Clone: Clones the initial tag information (e.g. ID).
- pcapng export of captured NFC traffic, readable by Wireshark.
Requirements for specific modes
- NFC support
- Android 5+ (API level 21+)
- Xposed-compatible hooking framework (EdXposed, LSPosed with Zygisk or Riru): On-device capture, relay tag mode, replay tag mode, clone mode.
- ARMv8-A, ARMv7: Relay tag mode, replay tag mode, clone mode.
- HCE: Relay tag mode, replay tag mode, clone mode.
Usage
Building
1. Initialize submodules: git submodule update --init
2. Build using Android Studio or Gradle
Operating Modes
As instructions differ per mode, each
mode is described in detail in its own
document in doc/mode/:
On-device capture
Relay
Replay
Clone
Pcapng Export
Captured traffic can be exported in or
imported from the pcapng file format. For
example, Wireshark can be used to further
analyze NFC traffic. A detailed description
of the import and export functionality is
documented in doc/pcapng.md.
Compatibility
NFCGate provides an in-app status check.
For further notes on compatibility see the
compatibility document.
Known Issues and Caveats
Please consider the following issues and
caveats before using the application (and
especially before filing a bug report).
NFC Stack
When using modes that utilize HCE, the
phone has to implement the NFC
Controller Interface (NCI) specification.
Most phones should implement this
specification when offering HCE support.
Confidentiality of Data Channel (relay)
To ensure confidentiality and integrity, use
Transport Layer Security (TLS), which can
be enabled in NFCGate settings. You need
a CA-issued or self-signed certificate.
Certificates from system-trusted CAs are
trusted automatically. Self-signed
certificates can be trusted by the user on
first use (TOFU).
Compatibility with Cards (relay, replay, clone)
We can only proxy tags supported by
Android. For example, Android no longer
offers support for MiFare classic chips, so
these cards are not supported. When in
doubt, use an application like NFC Tag info
to find out if your tag is compatible. Also,
at the moment, every tag technology
supported by Android's HCE is supported
(A, B, F), however NFC-B and NFC-F
remain untested. NFC-A tags are the most
common tags (for example, both the
MiFare DESFire and specialized chips like
the ones in electronic passports use NFC-A),
but you may experience problems if
you use other tags.
Compatibility with readers (relay)
This application only works with readers
which do not implement additional
security measures. One security measure
which will prevent our application from
working in relay mode is when the reader
checks the time it takes the card to
respond (or, to use the more general case,
if the reader implements "distance
bounding"). The network transmission
adds a noticeable delay to any transaction,
so any secure reader will not accept our
proxied replies.
This does not affect other operating
modes.
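
A reader-side form of the response-time check described above, as an added example that is not part of NFCGate or taken from its authors: it calibrates a per-command bound from direct-contact timings and flags exchanges that exceed it. The command labels, sample timings, the FWI value and the median + k * MAD rule are assumptions made for illustration; the frame waiting time formula is the one from ISO/IEC 14443-4.

```python
import statistics

FC_HZ = 13_560_000  # NFC carrier frequency in Hz

def frame_waiting_time_ms(fwi: int) -> float:
    """ISO/IEC 14443-4 frame waiting time: (256 * 16 / fc) * 2**FWI, in ms."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI must be in 0..14")
    return (256 * 16 / FC_HZ) * (2 ** fwi) * 1000

def calibrate(baseline_ms, k=6.0, floor_ms=0.5):
    """Per-command upper bound from direct-contact timings: median + k * MAD.

    k and floor_ms are assumed tuning values, not taken from any standard.
    """
    bounds = {}
    for cmd, samples in baseline_ms.items():
        if len(samples) < 5:
            raise ValueError(f"need at least 5 baseline samples for {cmd}")
        med = statistics.median(samples)
        mad = statistics.median([abs(s - med) for s in samples])
        bounds[cmd] = med + max(k * mad, floor_ms)
    return bounds

def check_transaction(timings_ms, bounds):
    """Return (cmd, rtt, bound) for every exchange that exceeds its bound.

    Commands without a calibrated bound fail closed (bound reported as None).
    """
    violations = []
    for cmd, rtt in timings_ms:
        bound = bounds.get(cmd)
        if bound is None or rtt > bound:
            violations.append((cmd, rtt, bound))
    return violations

# Constructed sample data (milliseconds); command labels are hypothetical.
BASELINE = {
    "SELECT": [2.1, 2.0, 2.2, 2.1, 2.3, 2.1],
    "GET_CHALLENGE": [5.0, 5.2, 4.9, 5.1, 5.0, 5.3],
}
DIRECT = [("SELECT", 2.2), ("GET_CHALLENGE", 5.1)]
RELAYED = [("SELECT", 38.0), ("GET_CHALLENGE", 41.5)]  # network delay added
BOUNDS = calibrate(BASELINE)

if __name__ == "__main__":
    print("protocol timeout at assumed FWI=8: %.1f ms" % frame_waiting_time_ms(8))
    print("direct :", check_transaction(DIRECT, BOUNDS))
    print("relayed:", check_transaction(RELAYED, BOUNDS))
```

The constructed relayed timings stay below the protocol timeout for the assumed FWI yet exceed the calibrated bounds, which is why a reader that relies on the timeout alone does not notice the added delay.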
Android NFC limitations (relay, replay)
Some features of NFC are not supported
by Android and thus cannot be used with
our application. We have experienced
cases where the NFC field generated by
the phone was not strong enough to
properly power more advanced features of
some NFC chips (e.g. cryptographic
operations). Keep this in mind if you are
testing chips we have not experimented
with.
Publications and Media
This application was presented at the 14th
USENIX Workshop on Offensive
Technologies (WOOT '20). An arXiv
preprint can be found here.
An early version of this application was
presented at WiSec 2015. The extended
Abstract and poster can be found on the
website of one of the authors. It was also
presented in a brief Lightning Talk at the
Chaos Communication Camp 2015.
Reference our Project
Any use of this project which results in an
academic publication or other publication
which includes a bibliography should
include a citation to NFCGate:
@inproceedings {Klee2020Nfcgate,
author = {Steffen Klee and Alexandros
title = {NFCGate: Opening the Door fo
booktitle = {14th {USENIX} Workshop o
year = {2020},
url = {https://www.usenix.org/confere
publisher = {{USENIX} Association},
month = aug,
}
The initial NFCGate paper describing the
first version of NFCGate can be cited as
follows:
@inproceedings{Maass2015Nfcgate,
title={DEMO: NFCGate: an NFC relay appl
author={Max Maass and Uwe M{\"u}ller an
booktitle={Proceedings of the 8th ACM C
year={2015}
}
License
Copyright 2015-2024 NFCGate Team
Licensed under the Apache License, Ver
you may not use this file except in co
You may obtain a copy of the License a
http://www.apache.org/licenses/LIC
Unless required by applicable law or a
distributed under the License is distr
WITHOUT WARRANTIES OR CONDITIONS OF AN
See the License for the specific langu
limitations under the License.
Contact
Steffen Klee
Max Maass
Used Libraries
- xHook (Licensed under the MIT License)
- Xposed Bridge (Licensed under the Apache License v2.0)
- LibNFC-NCI (Licensed under the Apache License v2.0)
- Protobuf (Licensed under the modified BSD 3-Clause License)
- Android About Page (Licensed under the MIT License)
- Android Device Names (Licensed under the Apache License v2.0)
- Android Support library - preference v7 bugfix (Released into the public domain and partly licensed under the Apache License v2.0)
- Android Room (Licensed under the Apache License v2.0)
- Android Lifecycle (Licensed under the Apache License v2.0)
Credits
ADBI: ARM and THUMB inline hooking