Hopefully someone can clarify details around using NFC and Webhook for Android.
I want to start a flow by scanning an NFC with Android, and found out I can use webhook and Flick.
I have tested with NFC Tools, and it is no problem to write a webhook address to the NFC.
BUT here is my main concern; what about security?
Everybody with an NFC reader could trigger the flow.
YES, I can password protect it, but then I could for example install a keypad instead, or other HW.
Is there any easy(?) way to use NFC and Android like for iPhones?
On iPhone the NFC tag will open the flow through the Homey app.
But this requires that you are logged in and that the flow exists.
Even if you try to copy the flow it won’t do anything since you are not logged in to the right Homey.
The problem is that if you put the full url in the NFC tag, then everyone can start the flow.
If I put this URL in my NFC tag, everybody can turn on my heating: https://xxxxxxxxxxxxxxxxxxxxxxxx.connect.athom.com/api/manager/logic/webhook/Verwarm_15?tag=15
So you have to do it differently.
If you read the tag, then your phone should do something.
Don’t know exactly how. Did not try it myself.
Actually… you are missing or mixing up one or more things.
The “anybody” must also have physical access to the NFC tag. At least the first time.
But yes, there is a security threat also, because the person viewing the info on the tag may repeat the request (nudge: without an actual NFC reader). And NB! Viewing may also mean, for example, sniffing on the phone.
So, as with any security-related thing, this is also a balance between security and usability. On one side: the guest may just touch the NFC tag and perform the action (without any additional requirements). On the other: the “toucher” must install some additional creds and apps, and also have those registered in Homey.
Are you really doing that? Normally, the only thing you do is telling the NFC app on your phone that if it scans an NFC tag with a particular (unique) id, it should open a particular URL. Someone else could scan the tag, but all they get is that unique id. The URL is stored on your phone, not on the tag.
With an application like NXP Tag Writer you can write a URL to a capable NFC tag. Everyone who scans this NFC tag afterwards can open this URL because it is read from the NFC tag itself. All your phone does is open the URL.
Or: you don’t write anything to the NFC tag itself and leave it “factory default”. Then your phone reads the unique key from the NFC tag.
An application on your phone (like Tasker on Android) is “programmed” to do a certain action when the tag is scanned. So: when tag XXXX is scanned, THEN open an app, THEN visit a URL, THEN create a wake-up alarm, etc.
That is a secure way of performing actions because the tag doesn’t hold the actual information/action, but your phone does. It is just a way of triggering an action stored on your phone.
@robertklep
Of course I don’t do that. It was only an example. This way everybody could turn on whatever is in this NFC tag.
You should use it the other way around.
If the phone reads something in the tag then the phone should do something with that. For example with Macrodroid, if you have an Android phone.
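
The two setups compared in this thread (webhook URL written to the tag as an NDEF URI record, versus a blank tag whose unique ID is mapped to an action on the phone), as an added example that is not from any poster. The webhook host, flow name, tag UID and all function names are constructed for illustration.

```python
# Added example: all data below is constructed; names are hypothetical.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
WEBHOOK = "https://homey.example.invalid/api/manager/logic/webhook/Example_Flow?tag=15"

def build_uri_record(url):
    """Encode url as one short NDEF well-known URI record (type 'U')."""
    code, rest = 0x00, url
    # Try the longest prefix first so "https://www." wins over "https://".
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and url.startswith(prefix):
            code, rest = c, url[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    # 0xD1 = MB | ME | SR flags with TNF=1 (well-known); type length is 1.
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

def parse_uri_record(ndef):
    """Return the URL held in a short NDEF URI record, or None if absent."""
    if len(ndef) < 4:
        return None
    header, type_len, payload_len = ndef[0], ndef[1], ndef[2]
    short, has_id, tnf = header & 0x10, header & 0x08, header & 0x07
    if not short or has_id or tnf != 0x01 or type_len != 1:
        return None
    if ndef[3:4] != b"U" or payload_len < 1 or len(ndef) < 4 + payload_len:
        return None
    payload = ndef[4:4 + payload_len]
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        return None
    return prefix + payload[1:].decode("utf-8", errors="replace")

# Setup A: URL on the tag. Setup B: blank tag, rule stored on the phone.
TAG_WITH_URL = {"uid": "04A1B2C3D4E5F6", "ndef": build_uri_record(WEBHOOK)}
TAG_BLANK = {"uid": "04A1B2C3D4E5F6", "ndef": b""}
PHONE_RULES = {"04A1B2C3D4E5F6": WEBHOOK}  # lives only on the owner's phone

def exposed_by_tag(tag):
    """Everything any NFC reader obtains from the tag alone."""
    return {"uid": tag["uid"], "url": parse_uri_record(tag["ndef"])}

def phone_action(tag, rules):
    """Setup B: the phone looks the UID up in its own local rules."""
    return rules.get(tag["uid"])
```

In setup B the UID is still readable by any reader; what stays off the tag is the webhook URL, so a phone without the matching rule gets nothing to call.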