willian… /

nfcgate

Code Pull requests Actions

An NFC research toolkit application for Android

Apache-2.0 license

0 stars 163 forks 0 watching

1 Branch 0 Tags Activity

Public repository · Forked from nfcgate/nfcgate

v2 Code

This branch is up to date with

nfcgate/nfcgate:v2 .

Contribute Sync fork

roussosalex and kleest 2 weeks ago

.github 4 months ago

app 2 weeks ago

chore last month

doc 2 weeks ago

fastlane/metadata/an… 7 months ago

gradle/wrapper last month

nfcd 2 weeks ago

protobuf 10 months ago

.gitignore 2 weeks ago

.gitlab-ci.yml 8 months ago

View all files

README License

NFCGate
NFCGate is an Android application meant
to capture, analyze, or modify NFC traffic.
It can be used as a researching tool to
reverse engineer protocols or assess the
security of protocols against traffic
modifications.

Notice

This application was developed for

security research purposes by students of
the Secure Mobile Networking Lab at TU
Darmstadt. Please do not use this
application for malicious purposes.

Features

On-device capture: Captures NFC

traffic sent and received by other
applications running on the device.
Relay: Relays NFC traffic between two
devices using a server. One device
operates as a "reader" reading an NFC
tag, the other device emulates an NFC
tag using the Host Card Emulation
(HCE).
Replay: Replays previously captured
NFC traffic in either "reader" or "tag"
mode.
Clone: Clones the initial tag
information (e.g. ID).
pcapng export of captured NFC
traffic, readable by Wireshark.

Requirements for specific

modes

NFC support
Android 5+ (API level 21+)
Xposed-compatible hooking
framework (EdXposed, LSPosed with
Zygisk or Riru): On-device capture,
relay tag mode, replay tag mode,
clone mode.
ARMv8-A, ARMv7: Relay tag mode,
replay tag mode, clone mode.
HCE: Relay tag mode, replay tag
mode, clone mode.

Usage

Building
1. Initialize submodules: git submodule
update --init

2. Build using Android Studio or Gradle

Operating Modes
As instructions differ per mode, each
mode is described in detail in its own
document in doc/mode/ :

On-device capture
Relay
Replay
Clone

Pcapng Export
Captured traffic can be exported in or
imported from the pcapng file format. For
example, Wireshark can be used to further
analyze NFC traffic. A detailed description
of the import and export functionality is
documented in doc/pcapng.md.

Compatibility

NFCGate provides an in-app status check.

For further notes on compatibility see the
compatibility document.

Known Issues and Caveats

Please consider the following issues and

caveats before using the application (and
especially before filing a bug report).

NFC Stack
When using modes, that utilize HCE, the
phone has to implement the NFC
Controller Interface (NCI) specification.
Most of the phones should implement this
specification when offering HCE support.

Confidentiality of Data Channel

(relay)
To ensure confidentiality and integrity, use
Transport Layer Security (TLS), which can
be enabled in NFCGate settings. You need
a CA-issued or self-signed certificate.
Certificates from system-trusted CAs are
trusted automatically. Self-signed
certificates can be trusted by the user on
first use ( TOFU).

Compatibility with Cards (relay,

replay, clone)
We can only proxy tags supported by
Android. For example, Android no longer
offers support for MiFare classic chips, so
these cards are not supported. When in
Navigate back to
doubt, use an application like NFC Tag info
to find out if your tag is compatible. Also,
willians39
at the moment, every tag technology
nfcgate by Android's HCE is supported
supported
(A, B, F), however NFC-B and NFC-F
remain untested. NFC-A tags are the most
common tags (for example, both the
MiFare DESFire and specialized chips like
the ones in electronic passports use NFC-
A), but you may experience problems if
you use other tags.

Compatibility with readers

(relay)
This application only works with readers
which do not implement additional
security measures. One security measure
which will prevent our application from
working in relay mode is when the reader
checks the time it takes the card to
respond (or, to use the more general case,
if the reader implements "distance
bounding"). The network transmission
adds a noticeable delay to any transaction,
so any secure reader will not accept our
proxied replies.
This does not affect other operating
modes.

Android NFC limitations (relay,

replay)
Some features of NFC are not supported
by Android and thus cannot be used with
our application. We have experienced
cases where the NFC field generated by
the phone was not strong enough to
properly power more advanced features of
some NFC chips (e.g. cryptographic
operations). Keep this in mind if you are
testing chips we have not experimented
with.

Publications and Media

This application was presented at the 14th

USENIX Workshop on Offensive
Technologies (WOOT '20). An arXiv
preprint can be found here.

An early version of this application was

presented at WiSec 2015. The extended
Abstract and poster can be found on the
website of one of the authors. It was also
presented in a brief Lightning Talk at the
Chaos Communication Camp 2015.

Reference our Project

Any use of this project which results in an

academic publication or other publication
which includes a bibliography should
include a citation to NFCGate:

@inproceedings {Klee2020Nfcgate,
author = {Steffen Klee and Alexandros
title = {NFCGate: Opening the Door fo
booktitle = {14th {USENIX} Workshop o
year = {2020},
url = {https://www.usenix.org/confere
publisher = {{USENIX} Association},
month = aug,
}

The initial NFCGate paper describing the

first version of NFCGate can be cited as
follows:

@inproceedings{Maass2015Nfcgate,
title={DEMO: NFCGate: an NFC relay appl
author={Max Maass and Uwe M{\"u}ller an
booktitle={Proceedings of the 8th ACM C
year={2015}
}

License

Copyright 2015-2024 NFCGate Team

Licensed under the Apache License, Ver

you may not use this file except in co
You may obtain a copy of the License a

http://www.apache.org/licenses/LIC

Unless required by applicable law or a

distributed under the License is distr
WITHOUT WARRANTIES OR CONDITIONS OF AN
See the License for the specific langu
limitations under the License.

Contact

Steffen Klee
Max Maass

Used Libraries

xHook (Licensed under the MIT

License)
Xposed Bridge (Licensed under the
Apache License v2.0)
LibNFC-NCI (Licensed under the
Apache License v2.0)
Protobuf (Licensed under the
modified BSD 3-Clause License)
Android About Page (Licensed under
the MIT License)
Android Device Names (Licensed
under the Apache License v2.0)
Android Support library - preference
v7 bugfix ( Released into the public
domain and partly licensed under the
Apache License v2.0)
Android Room (Licensed under the
Apache License v2.0)
Android Lifecycle ( Licensed under the
Apache License v2.0)

Credits

ADBI: ARM and THUMB inline hooking

Releases

No releases published
Create a new release

Packages

No packages published
Publish your first package

Languages

Java 75.5% C++ 21.3% Other 3.2%

Suggested workflows
Based on your tech stack

Scala Configure

Build and test a Scala project with SBT.

Java with Maven Configure

Build and test a Java project with Apache

Maven.

Publish Java Package with Configure

Maven
Build a Java Package using Maven and publish
to GitHub Packages.

More workflows Dismiss suggestions

Terms Privacy Security Status Docs Contact

Manage cookies Do not share my personal information

© 2025 GitHub, Inc.