Novay's NFC Passport Reader

At Novay, as part of a project for EIT ICT Labs on Mobile Security & Privacy, we have been working hard on an Android app, based on JMRTD, to demonstrate how passports (and identity cards) and the passport holder can be validated. The first version of our efforts is now available from the Play Store.

Now the underlying ePassport Java library JMRTD was ported to Android almost two years ago in a proof-of-concept app. The new Novay app focuses on two new features. First, it makes the passport reading experience as user friendly as possible. The UI is up to 4.x standards, and has been better thought out. We're looking at showing the information as soon as possible as it comes in over the (awfully slow) NFC connection, while at the same time making sure that the user understands that the document needs to held in proximity to the device for the couple of seconds that it takes to read all of the information.

Second, and more importantly, the new app uses the security mechanisms of the chip embedded in a passport to their full potential. This means that the authenticity of the contents and of the chip are actually checked, and the results are displayed to the user.

We're working on a next version this app in a second phase of this project. We still see plenty of possibilities to improve the usability. 

People at Novay involved are: Peter Ebben, Ruud Kosman, and myself. Thanks to Atlantic Zeiser for providing the sample document that was used in the screenshots above and in the Play Store.

JMRTD for Android

JMRTD, the Java library that I (together with others) maintain to access and interpret ePassport content, has been ported to Android by Max Günther. To demonstrate this, Max has developed an app (see the screenshot) for Nexus S (and other NFC Android handsets). We're not the first ePassport project on Android or NFC, but we try to be the most usable one!

The contactless technology in ePassports, ISO-14443, is fully compatible with NFC. Essentially this means that an NFC device in reader mode will be able to read ePassports. That is, of course, if the device has sufficient access privileges (i.e. Basic Access Control BAC, and Extended Access Control EAC). Max's app demonstrates how the essential passport holder details (aka datagroup 1) and the passport holder's facial image (aka datagroup 2) can be displayed.

The latter is actually non-trivial since that image is encoded in JPEG 2000 by some issuing countries, a format that is not supported in Android by default (thankfully there's jj2000). Another challenge that we encountered is the presence of a crippled version of Bouncy Castle in Android 2.3 which prevents inclusion of the full version (thankfully there's Spongy Castle). In general we've made many changes to JMRTD and SCUBA to make these libraries easier to port to other platforms.

We're working hard on making the app more robust and usable. Max and Claude Heyman are currently the main developers looking at Android NFC. We're trying to get MRZ OCR scanning to work (perhaps based on the Java OCR project). In its current form the app is not doing document validation or access to EAC protected data, but JMRTD allows this, in principle. We hope to publish the proof-of-concept app via the Android market soon. If you own a Nexus S (and an ePassport) we're definitely interested in your feedback.

Update: Max published the app on the market.

NFC phones

It's 2010. The NFC revolution should have happened by now.

I know this is a classical bootstrap problem: why offer services if consumers don't own NFC handsets, why produce NFC handsets if nobody offers services?

And then there are problems with the business model, there are cultural differences between banks and mobile operators, etc. There was a problem of the location of the secure element (SE): either embedded in the device (owned by the manufacturer), or on the SIM (owned by the operator). I think the mobile operators won.

Oh, and there have been countless trials and pilots.

So where are the new handsets? Below is my list of annotated bookmarks.

• Nokia has an NFC shell (2005) that can be strapped onto the Nokia 3220.
• Samsung has its SGH-X700N (2006).
  
• Nokia's clamshell model, the Nokia 6131-NFC (2007), and bar model, Nokia 6212 classic (2008) are pretty popular. These S40 devices have a dedicated SE embedded into the handset.
• There's a nice list of handsets over at NFC Research in Hagenberg, including models by Sagem, LG, and Motorola (2008?).
• LG seems to have had an LG KU380-NFC handset with NFC support based on an STMicroeletronics chip.
  
• Nokia announced the Nokia 6216 classic (2009) which was supposed to support an SE on the SIM (via SWP). But this model has been killed now.
• Mobile-ecosystem found that Samsung and LG have new NFC enabled smart phones (2010).
• Samsung developed an NFC version of its S5230 smart phone for use in trials.
  
• And let's hope the rumors about Apple's iPhone4G are true.

(I should have checked Wikipedia before I compiled that list, theirs is a superset of mine. Never mind.)

But maybe a different strategy is needed while we wait for the handset revolution: strap something onto an ordinary smart phone to NFC-enable it.

• A sticker with a dumb RFID tag. Only tag emulation, so no smart poster support. But it should be enough for the most popular use case (proximity payment without asking for user consent).
• A sticker with a smart tag which communicates with the handset over Bluetooth.
• A MicroSD card such as the one by Giesecke & Devrient and the one by First Data and Tyfone.