Memory Protection For NFC Tags
Hello! In this lesson, we will discuss how to enable memory protection for our NFC Pokemon tags. We will:
Review the concept of the NFC tag memory protection mechanism
Explain how to use the password protection commands
Implement a password protection feature for our app
Let's get started.
Why do we need memory protection?
Before we dive in, let's first consider why we need this memory protection feature.
In the previous lesson, we already started using digital signatures to protect our NFC tags. So, you might wonder, why do we need extra memory protection?
Actually, these two mechanisms handle different security issues.
The digital signature mechanism protects against people faking or cloning our NFC tags: as mentioned before, we can verify the signature to find out whether a tag is legitimate.
However, what if people simply want to load the tag with bad content?
To be more precise, you have seen that we can use the write command to write data into our NFC tags. What if others also issue write commands to overwrite the data in our tags? Without a memory protection mechanism, the content of our NFC tags can easily be tampered with.
Let's first discuss our options regarding NFC tag memory protection.
There are three levels of protection:
NDEF
Type 2 Platform
Tag-specific
Let's discuss the first level, NDEF.
Recall from the previous lesson that NFC tags have a special block called the CC block, which is used to indicate whether this NFC tag is NDEF-compatible. The second byte of the CC block can be used to enable read-only protection for NFC tags. This operation is irreversible, which means that once you set the tag to read-only, you won't be able to write to it again.
You can turn on this protection by calling NfcManager.ndefHandler.makeReadOnly(). Since we're not using NDEF in this app, this option won't be our final choice.
The second approach is for Type 2 Platform.
The NFC Type 2 Platform defines a "Lock Control" feature, which controls write access for each block or page. However, this feature has two drawbacks. First, it is pretty complex and hard to use. Second, this operation is irreversible, just like the NDEF one. Once you turn on these protection bits, you cannot turn them off.
For our NFC Pokemon app, we actually want to disable unauthorized write operations, not lock the tag data forever. So, this approach doesn't suit our use-case either.
The final approach is to use the tag-specific "password protection" feature. This feature is available for NXP NTAG 213 and 215 families, which are the most widely used NFC tags on the market.
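To make the reversible, write-only protection described above concrete, here is an added example (not code from this lesson or from the NFC library) that builds the raw command frames for enabling and disabling password protection. The function names are hypothetical, the page addresses and command codes are assumptions taken from the NXP NTAG213/215 memory layout, and the sample values in a caller would be constructed ones.

```javascript
// Added example: builds NTAG213/215 command frames; nothing here talks to a tag.
// Assumed layout: CFG0 page, then CFG1, PWD and PACK at +1, +2 and +3.
const CFG0_PAGE = { NTAG213: 0x29, NTAG215: 0x83 };
const WRITE = 0xa2;    // WRITE: stores one 4-byte page
const PWD_AUTH = 0x1b; // PWD_AUTH: tag answers with the 2-byte PACK

function checkBytes(name, bytes, len) {
  const ok = Array.isArray(bytes) && bytes.length === len &&
    bytes.every((b) => Number.isInteger(b) && b >= 0 && b <= 0xff);
  if (!ok) throw new Error(`${name} must be ${len} byte(s)`);
}

// cfg0 / cfg1: the 4 bytes currently stored in the two config pages (read them
// first), so that only AUTH0 and the PROT bit change.
function buildProtectFrames({ tagType, pwd, pack, firstProtectedPage, cfg0, cfg1 }) {
  const base = CFG0_PAGE[tagType];
  if (base === undefined) throw new Error(`unsupported tag type: ${tagType}`);
  checkBytes('pwd', pwd, 4);
  checkBytes('pack', pack, 2);
  checkBytes('cfg0', cfg0, 4);
  checkBytes('cfg1', cfg1, 4);
  checkBytes('firstProtectedPage', [firstProtectedPage], 1);
  const access = cfg1[0] & 0x7f; // PROT (bit 7) = 0: password needed for writes only
  return [
    [WRITE, base + 2, ...pwd],              // PWD
    [WRITE, base + 3, ...pack, 0x00, 0x00], // PACK plus 2 reserved bytes
    [WRITE, base + 1, access, ...cfg1.slice(1)],
    // AUTH0 last: protection switches on only after the password is stored
    [WRITE, base, cfg0[0], cfg0[1], cfg0[2], firstProtectedPage],
  ];
}

function buildAuthFrame(pwd) {
  checkBytes('pwd', pwd, 4);
  return [PWD_AUTH, ...pwd];
}

// Reversible: after PWD_AUTH, moving AUTH0 past the last page turns protection off.
function buildUnprotectFrame({ tagType, cfg0 }) {
  const base = CFG0_PAGE[tagType];
  if (base === undefined) throw new Error(`unsupported tag type: ${tagType}`);
  checkBytes('cfg0', cfg0, 4);
  return [WRITE, base, cfg0[0], cfg0[1], cfg0[2], 0xff];
}
```

Each returned array is one raw NFC-A command to pass to the app's transceive call, in the order given.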