
Access MIFARE DESFire Card

How can I access a MIFARE DESFire card using an Android phone as an NFC reader? I am planning to develop an Android application (for payment) on an Android phone.

The DESFire operations (Authentication, Read and Write) that I want to perform using the Android phone need a SAM card. I thought I could emulate that SAM card in the phone using HCE.

DESFire/DESFire EV1 cards communicate on top of the ISO/IEC 14443-4 data exchange protocol (ISO-DEP). Therefore, on Android devices, they can be accessed through the IsoDep class. So once you get your tag handle (Tag object), you can instantiate the IsoDep object using:

Tag tag = ...  // (e.g. get from NFC discovery intent)
IsoDep isoDep = IsoDep.get(tag);

You can connect to the card and use the IsoDep object's transceive() method to send commands to (and receive responses from) the card:

isoDep.connect();
byte[] response = isoDep.transceive(command);

You can either use the DESFire native command set, the DESFire APDU wrapped native command set or the ISO/IEC 7816-4 command set (see the DESFire datasheet for more details). Due to known problems with the presence detection on some devices (which automatically sends READ BINARY APDUs to detect if a tag is still available), I strongly suggest using either the APDU wrapped native command set or the ISO/IEC 7816-4 command set (see this question).

Now, the problematic part is the SAM. A SAM (Secure Access Module) is a secure smartcard chip that holds keys and performs security-critical parts of the communication with the DESFire card. You cannot simply "emulate" such a SAM using host-based card emulation. That would not make much sense, as the whole idea of HCE is to route communication from contactless smartcard readers through the NFC interface to the (insecure) application processor. Implementing the SAM functionality on the application processor would defeat the whole purpose (i.e. high security level) of a dedicated SAM chip. Moreover, in order to emulate SAM functionality, you would not need HCE as you could directly store the credentials for access to the DESFire card within your application.

An option that you might have is to use a cloud-based secure element approach. Thus, you could have the SAM functionality on a server/in the cloud and route the communication with your DESFire card through your app to that server.

byte[] command = receiveCommandFromBackend();  // receive command from server/cloud over the network
byte[] response = isoDep.transceive(command);
sendResponseToBackend(response); // send response to server/cloud over the network

To summarize this: You don't need HCE. Depending on your security requirements, you could either store the credentials for access to the DESFire cards within your app (note that an attacker might be able to extract that information) or you could use a cloud-based SE approach to shift the security-critical parts to an online backend system (but that would typically require continuous network access during communication with the card).

Yet another approach would of course be to use a local secure element within your device, but that would require that you have access to it which is usually not easy/impossible.
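The APDU-wrapped native command set recommended in the answer above, as an added example that is not part of the original answers: it wraps a DESFire native command in an ISO/IEC 7816-4 APDU and follows "additional frame" responses with a bounded loop. The frame layout (CLA 0x90, status returned as SW1=0x91 plus the native status byte) is supplied here from the DESFire wrapping convention, not from this page; `DesfireWrap`, `Transceiver` and the sample frames are hypothetical names and constructed data.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;

public class DesfireWrap {
    /** Anything that exchanges one APDU; on Android pass isoDep::transceive. */
    interface Transceiver { byte[] transceive(byte[] apdu) throws IOException; }

    static final byte CLA_WRAPPED = (byte) 0x90;      // class byte of wrapped native commands
    static final byte ADDITIONAL_FRAME = (byte) 0xAF; // status "more data" / command "next frame"
    static final int MAX_FRAMES = 32;                 // assumed cap so a faulty card cannot loop us forever

    /** Wrap a native command as: CLA=90 INS=cmd P1=00 P2=00 [Lc data] Le=00. */
    static byte[] wrap(byte cmd, byte[] data) {
        if (data.length > 255) throw new IllegalArgumentException("data exceeds one short APDU");
        ByteArrayOutputStream apdu = new ByteArrayOutputStream();
        apdu.write(CLA_WRAPPED); apdu.write(cmd); apdu.write(0); apdu.write(0);
        if (data.length > 0) { apdu.write(data.length); apdu.write(data, 0, data.length); }
        apdu.write(0);
        return apdu.toByteArray();
    }

    /** Send a command, collect all frames, return the payload; throw on any error status. */
    static byte[] exchange(Transceiver card, byte cmd, byte[] data) throws IOException {
        ByteArrayOutputStream payload = new ByteArrayOutputStream();
        byte[] resp = card.transceive(wrap(cmd, data));
        for (int i = 0; i < MAX_FRAMES; i++) {
            if (resp == null || resp.length < 2 || resp[resp.length - 2] != (byte) 0x91)
                throw new IOException("not a wrapped DESFire response");
            payload.write(resp, 0, resp.length - 2);          // strip SW1 SW2
            byte status = resp[resp.length - 1];              // native status code in SW2
            if (status == 0x00) return payload.toByteArray(); // operation OK
            if (status != ADDITIONAL_FRAME)
                throw new IOException(String.format("DESFire status 0x%02X", status & 0xFF));
            resp = card.transceive(wrap(ADDITIONAL_FRAME, new byte[0]));
        }
        throw new IOException("too many additional frames");
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a card answering GetVersion (0x60) in three frames.
        byte[][] frames = { {1, 2, (byte) 0x91, (byte) 0xAF},
                            {3, 4, (byte) 0x91, (byte) 0xAF},
                            {5, (byte) 0x91, 0x00} };
        int[] next = {0};
        Transceiver fake = apdu -> frames[next[0]++];
        byte[] version = exchange(fake, (byte) 0x60, new byte[0]);
        System.out.println("payload bytes: " + version.length);
    }
}
```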

Mifare DESFire is not a standard for payment; you should rely on ISO14443-4 (i.e. ISO7816-4) instead, at least that's what all the big names did. These are also the standards that HCE is based upon. Having a payment system based on DESFire would probably be something very specific. The problem with DESFire is that it is proprietary technology. Developing a payment app using HCE is very challenging in terms of security.
