Novay's NFC Passport Reader

At Novay, as part of a project for EIT ICT Labs on Mobile Security & Privacy, we have been working hard on an Android app, based on JMRTD, to demonstrate how passports (and identity cards) and the passport holder can be validated. The first version of our efforts is now available from the Play Store.

Now the underlying ePassport Java library JMRTD was ported to Android almost two years ago in a proof-of-concept app. The new Novay app focuses on two new features. First, it makes the passport reading experience as user friendly as possible. The UI is up to 4.x standards, and has been better thought out. We're looking at showing the information as soon as possible as it comes in over the (awfully slow) NFC connection, while at the same time making sure that the user understands that the document needs to held in proximity to the device for the couple of seconds that it takes to read all of the information.

Second, and more importantly, the new app uses the security mechanisms of the chip embedded in a passport to their full potential. This means that the authenticity of the contents and of the chip are actually checked, and the results are displayed to the user.

We're working on a next version this app in a second phase of this project. We still see plenty of possibilities to improve the usability. 

People at Novay involved are: Peter Ebben, Ruud Kosman, and myself. Thanks to Atlantic Zeiser for providing the sample document that was used in the screenshots above and in the Play Store.

Two ideas I could have submitted to the SIMagine contest

Here are two ideas I could have submitted to the SIMagine contest, but didn't. ;)

1. Info Cards securely stored in your SIM: Florian van Keulen, one of Maarten's students did a project on different architectures for implementing Info Card on mobile devices. One of the options that Florian investigated was to store the Info Cards on the SIM. A handset resident application would then facilitate communication between the Card Selector on a different platform (a PC in an Internet cafe) and the SIM through Bluetooth.
   
2. Turning an existing contactless smart card into a pre-paid mobile SIM application: You're not supposed to be able to clone an ePassport or contactless creditcard, of course. But you can do something else. You can pre-record some challenge-response pairs using an NFC handset and store these in an application on the secure element (SE, usually the SIM card) of the handset. If the application can authenticate itself to an inspection system (a POS terminal) then the handset can be used instead of the original contactless card. This improves convenience: one device instead of multiple cards, you now have a GUI. As for security: You can limit the number of challenge-response pairs, you can time-stamp the challenge-response pairs (the SE can connect to some trusted time server during enrollment), etc.
   

Oh well, deadline expired, never mind.