- From: Michael Farrell via GitHub <sysbot+gh@w3.org>
- Date: Sun, 26 Jan 2020 00:56:23 +0000
- To: public-web-nfc@w3.org

micolous has just created a new issue for https://github.com/w3c/web-nfc:

== Security and Privacy: NDEF scope not considered adequately ==

Per the [Security and Privacy Questionnaire](https://github.com/w3c/web-nfc/blob/gh-pages/security-privacy-questionnaire.md#23-how-does-this-specification-deal-with-personal-information-or-personally-identifiable-information-or-information-derived-thereof), it argues that the scope is limited because this API only processes NDEF records.

However, as mobile NFC access has been historically highly limited on non-Android devices, NDEF is a _de facto_ lowest common denominator for NFC access. As a result, it is not possible to anticipate how NDEF records are used, or in what ways it has been "repurposed".

For example, [Yubikey has an "NDEF compatibility mode"](https://support.yubico.com/support/solutions/articles/15000006432-understanding-the-ndef-interface-on-nfc-enabled-yubikeys), where the device will pass back OTPs in text form (to be pasted into an app/browser on the phone).

The security and privacy considerations should not presume `NDEF is a post-it note`, and consider things like tags returning dynamic data over NDEF, or data that could be passed through NDEF records.

Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/537 using your GitHub account

Received on Sunday, 26 January 2020 00:56:25 UTC