Android / NFC / webhook / security

Hopefully someone can clarify details around using NFC and Webhook for Android.

I want to start a flow by scanning an NFC tag with Android, and found out I can use webhook and Flick.
I have tested with NFC Tools, and it is no problem to write a webhook address to the NFC tag.
BUT here is my main concern: what about security?
Everybody with an NFC reader could trigger the flow.

YES, I can password protect it, but then I could for example install a keypad instead, or other HW.
Is there any easy(?) way to use NFC and Android like for iPhones?

On iPhone the NFC tag will open the flow through the Homey app.
But this requires that you are logged in and that the flow exists.
Even if you try to copy the flow it won’t do anything, since you are not logged in to the right Homey.

All NFC tags have a unique tag number. A check on this number is “secure”.

Still, everybody with an NFC reader could start the flow.
Or am I missing something?

The NFC tag itself isn’t starting the flow / visiting the webhook. Your Android device is doing that.

Other people can scan the NFC tag, but that does not start the flow. It’s all happening on your device.

1 Like

The problem is that if you put the full URL in the NFC tag, then everyone can start the flow.
If I put this URL in my NFC tag, everybody can turn on my heating.
https://xxxxxxxxxxxxxxxxxxxxxxxx.connect.athom.com/api/manager/logic/webhook/Verwarm_15?tag=15
So you have to do it differently.
If you read the tag, then your phone should do something.
Don’t know exactly how. Did not try it myself.

Actually… you are missing or mixing up one or more things.
The “anybody” must also have physical access to the NFC tag. At least the first time.

But yes, there is a security threat also, because the person viewing the info on the tag may repeat the request (nudge: without an actual NFC reader). And NB! Viewing may also mean, for example, sniffing in the phone.

So, as with any security-related thing, this is also a balance between security and usability. On one side: the guest may just touch the NFC tag and do the action (without any additional requirements). On the other: the “toucher” must install some additional creds and apps, and also have those registered in Homey.

So, what’s your exact need? :wink:

Are you really doing that? Normally, the only thing you do is telling the NFC app on your phone that if it scans an NFC tag with a particular (unique) id, it should open a particular URL. Someone else could scan the tag, but all they get is that unique id. The URL is stored on your phone, not on the tag.

These are two different ways of using NFC tags.

With an application like NXP Tag Writer you can write a URL to a capable NFC tag. Everyone who scans this NFC tag afterwards can open this URL because it is read from the NFC tag itself. All your phone does is open the URL.

Or: you don’t write anything to the NFC tag itself and leave it “factory default”. Then your phone reads the unique key from the NFC tag.
An application on your phone (like Tasker on Android) is “programmed” to do a certain action when the tag is scanned. So: when tag XXXX is scanned, THEN open an app, THEN visit a URL, THEN create a wake-up alarm, etc.
That is a secure way of performing actions because the tag doesn’t hold the actual information/action, but your phone does. It is just a way of triggering an action stored on your phone.

1 Like
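The difference between the two approaches described above can be checked on a tag dump. This is an added example, not part of the original posts: a small NDEF parser that lists the URLs any reader can recover from a tag. The sample bytes are constructed from the placeholder URL quoted in the thread, and the function and constant names are made up for this illustration.

```python
import struct

# Subset of the NFC Forum URI record prefix codes (first payload byte).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_ndef(message: bytes):
    """Return a list of (tnf, type, payload) for each record in an NDEF message."""
    records, pos = [], 0
    try:
        while pos < len(message):
            header = message[pos]
            type_len = message[pos + 1]
            pos += 2
            if header & 0x10:                      # SR: 1-byte payload length
                payload_len = message[pos]
                pos += 1
            else:                                  # otherwise 4-byte big-endian
                payload_len = struct.unpack(">I", message[pos:pos + 4])[0]
                pos += 4
            id_len = 0
            if header & 0x08:                      # IL: an ID length byte follows
                id_len = message[pos]
                pos += 1
            rtype = message[pos:pos + type_len]
            pos += type_len + id_len               # the record ID itself is skipped
            payload = message[pos:pos + payload_len]
            if len(payload) != payload_len:
                raise ValueError("truncated NDEF record")
            pos += payload_len
            records.append((header & 0x07, rtype, payload))
            if header & 0x40:                      # ME: last record of the message
                break
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated NDEF record") from exc
    return records

def exposed_urls(message: bytes):
    """URLs that any reader of the tag can recover from well-known 'U' records."""
    return [URI_PREFIXES.get(p[0], "") + p[1:].decode("utf-8", "replace")
            for tnf, t, p in parse_ndef(message) if tnf == 0x01 and t == b"U" and p]

# Constructed samples: the placeholder URL from the thread written to a tag,
# and an empty NDEF message as on a tag with nothing written to it.
REST = "xxxxxxxxxxxxxxxxxxxxxxxx.connect.athom.com/api/manager/logic/webhook/Verwarm_15?tag=15"
URL_TAG = bytes([0xD1, 0x01, 1 + len(REST)]) + b"U" + b"\x04" + REST.encode()
BLANK_TAG = bytes([0xD0, 0x00, 0x00])

if __name__ == "__main__":
    for name, dump in (("URL written to tag", URL_TAG), ("nothing written", BLANK_TAG)):
        print(name, "->", exposed_urls(dump) or "only the tag id is readable")
```

If `exposed_urls` returns anything for a tag you have deployed, the webhook address is on the tag and should be moved into the phone-side automation instead.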

@robertklep
Of course I don’t do that. It was only an example. This way everybody could turn on whatever is in this NFC tag.
You should use it the other way around.
If the phone reads something in the tag, then the phone should do something with that. For example with Macrodroid, if you have an Android phone.

What @Henk_Renting said.

1 Like

Tested with Macrodroid and got it working like @Henk_Renting described.
Thanks for all the comments and help.

1 Like