
Unlock DB using NFC tag. Select entry using NFC tag. Use secure NFC tags. #1359

Open - wants to merge 3 commits into base: master
Conversation

@plamenjm plamenjm commented Jul 5, 2022

Plan:

  1. Unlock database with NFC tag (incomplete);
  2. Select entry with NFC tag (pending);

Done:
Added NFC permission and NFC switch settings in Advanced Unlock and Autofill/Keyboard;

NFC unlock is integrated in a similar way to the other Advanced Unlock options. It looks like it is properly integrated, including the menu item to delete NFC unlock data;

NFC unlock password is stored with a different key - not overriding, not disabling the other Advanced Unlock options;

There are a few extra lines for easy debugging/testing in the emulator (the emulator does not have NFC);

Review is needed for the code marked with comment 'todo-op'!


Currently it is tested only in read mode, using a few NFC transport cards. The DB password is saved together with the NFC data; currently only the NFC tag ID is used;

The current NFC UI is a simple hint - check the pictures;

At this stage it can be used only for automation - it is not secure, because everyone with a card with the same tag ID can unlock the database;


Pending:

  1. Write a test with an NDEF NFC tag;
  2. For "NFC select" - start the activity from the keyboard, because NFC talks only with the foreground activity;
  3. Read/write encrypted NFC tags (Mifare, which are harder to copy/clone);


…ry with NFC tag (pending).

Added NFC permission; Added NFC switch settings in Advanced Unlock and Autofill/Keyboard;
NFC unlock is integrated in a similar way to the other Advanced Unlock options;
NFC unlock password is stored with a different key - not overriding, not disabling the other Advanced Unlock options;
A few extra lines for easy testing in the emulator (the emulator does not have NFC);

Currently it is tested in read mode only (with an NFC transport card). The DB password is saved with the NFC tag ID;
Review is needed for the code marked with comment 'todo-op'!

Pending:
1) Write NDEF NFC tags;
2) Start the activity from the keyboard - NFC talks to the foreground activity only;
3) Read/write encrypted NFC tags (harder to copy/clone);

@J-Jamet J-Jamet added the feature label Jul 6, 2022
J-Jamet (Member) commented Jul 6, 2022

Thanks, I can see better what you are trying to do and it's better than my first idea of making it a KeePass standard. By using advanced unlock, we can link any key to an NFC, that's very good.

I haven't tested your feature yet but I can make a specific icon to indicate that the advanced unlock is in NFC mode.

plamenjm (Author) commented Jul 6, 2022

It is at a very early stage. I just got a few blank NFC tags to test with: Mifare DESFire 4k, S70 4k, S50 1k, Mifare Ultralight (512 bytes), NTAG 213 (a few bytes).

I checked how to write ONLY the unprotected NDEF tags (NTAG 213). Not tested yet!

I guess the other types are more complicated and I need to research more. It looks like some phones/devices cannot read/write Mifare cards.

I do not know how well the encrypted NFC cards compare with the hardware keys.

  1. From a security point of view. For example, Google knows how to read and clone a "Mifare Classic 1k" card in 2 hours. I guess Mifare DESFire and S70 are more secure.

  2. From a usability point of view - a YubiKey you can plug into USB (or maybe connect via Bluetooth). But you cannot plug in an NFC card. For that you need a "USB NFC reader/writer". (As far as I know, NFC is standard only for phones, not for laptops and desktop PCs.)

That is why I am looking only at the Android flavor of KeePass.
(In case there are good reasons for moving NFC to the DB settings, that could be a next step in the future.)

…ad-protect is not working.

1. Readonly and unsupported tags - Using NFC tag ID (unique) for;
2. Ndef - Writing MIME record with db-password-checksum;
3. NdefFormatable - Like Ndef, not tested, probably it works fine;
4. MifareUltralight - Writing db-password-checksum to the last empty page;
5. Authentication and read-protect. All attempts failed with 'transceive failed' and 'tag lost' exceptions. Things done so far:
5.1. Ndef213, Mifare Ultralight EV1 and similar;
5.1.1. Authenticate with tag-password;
5.1.2. Write tag-password;
5.1.3. Protect last empty page, config and password;
5.1.4. Read-protect the tag;
5.2. Mifare Ultralight C;
5.2.1. Authenticate with tag-key;
6.1. Credential DB extract/store:
Biometric/Device record: key = DBFileUri; value = credential;
NFC tag record: key = DBFileUri + '#nfc'; value = credential + NFC-tag-unique-ID-version-etc;
6.2. NFC tag read/write: db-password-checksum;
Needs re-write of the NFC tag after a password change! Alternative - checksum based on Device or App installation?
7. Review is needed for the code marked with comment 'todo-op'!
8. Pending: MifareClassic (S50, S70), Mifare DESFire, etc. This could fail too, similar to point 5;
9. Pending: Use NFC tag to select entry;

plamenjm (Author) commented Jul 31, 2022

Current status:
Unlock with readonly and writable NFC tags.
NFC authentication and read-protect is not working.


Details:

  1. Readonly and unsupported tags - Using NFC tag ID (unique) for;
  2. Ndef - Writing MIME record with db-password-checksum;
  3. NdefFormatable - Like Ndef, not tested, probably it works fine;
  4. MifareUltralight - Writing db-password-checksum to the last empty page;
  5. Authentication and read-protect. All attempts failed with 'transceive failed' and 'tag lost' exceptions.

I tested with LineageOS, Android 11, phone OnePlus 3T. It may work with a different Android/device!?

Things done so far:
5.1. NTAG213, Mifare Ultralight EV1 and similar;
5.1.1. Authenticate with tag-password;
5.1.2. Write tag-password;
5.1.3. Protect last empty page, config and password;
5.1.4. Read-protect the tag;
5.2. Mifare Ultralight C;
5.2.1. Authenticate with tag-key;


6.1. Credential DB extract/store:
Biometric/Device record: key = DBFileUri; value = credential;
NFC tag record: key = DBFileUri + '#nfc'; value = credential + NFC-tag-unique-ID-version-etc;

6.2. NFC tag read/write: db-password-checksum;
Needs re-write of the NFC tag after a password change! Alternative - checksum based on Device or App installation?


  1. Review is needed for the code marked with comment 'todo-op'!
  2. Pending: MifareClassic (S50, S70), Mifare DESFire, etc. This could fail too, similar to point 5;
  3. Pending: Use NFC tag to select entry;

Current UI:

  1. With 'Info' enabled, there is an 'Info' dialog before unlocking the DB.

  2. Before saving credentials and before writing to the NFC tag, there is a 'Write' dialog with 'Info' (if enabled) and a few Switch views (checkboxes).

The user has to tap and hold the NFC tag until (and 1 second after) tapping the dialog 'Ok' button!!

  3. The same 'Write' dialog is used for 'Undo'.

Example: the user saved credentials and an NdefRecord was saved to the NFC tag. There are Switch views to delete the saved data, restore (almost) and 'Undo' the changes on the NFC tag.

Currently, the Switch views are shown only if needed - if applicable to the current NFC tag.
Currently, the Switch views are NOT smart - not enabled/disabled based on the user selection.

[Screenshot: 'Write' with Info (Info dialog is the same)]

[Screenshot: 'Write' for non-Ndef NFC tag]

[Screenshot: 'Write' for NFC tag which supports Ndef]
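An added illustration (Python, not KeePassDX's Kotlin code) of the record layout and unlock check described in this comment: the '#nfc' key stored beside the device record, the checksum written to writable tags, the re-write needed after a password change, and the tag-ID-only case that the opening comment calls insecure. How 'db-password-checksum' is computed is not stated in the PR, so SHA-256 is an assumption here, as are all function names and the constructed tag ID.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# The NFC record lives under its own key beside the biometric/device record.
NFC_SUFFIX = "#nfc"

def db_password_checksum(credential: str) -> bytes:
    # Assumption: the PR does not say how 'db-password-checksum' is derived;
    # a SHA-256 digest of the stored credential stands in for it here.
    return hashlib.sha256(credential.encode("utf-8")).digest()

def save_nfc_record(store: dict, db_uri: str, credential: str,
                    tag_id: bytes, tag_writable: bool) -> Optional[bytes]:
    """Bind the credential to this tag. Writable tags get a checksum payload
    (returned here, required at unlock); read-only tags record the ID only."""
    store[db_uri + NFC_SUFFIX] = (credential, bytes(tag_id), tag_writable)
    return db_password_checksum(credential) if tag_writable else None

def unlock_with_tag(store: dict, db_uri: str, tag_id: bytes,
                    tag_payload: Optional[bytes]) -> Optional[str]:
    """Return the credential if the presented tag matches the saved record."""
    record = store.get(db_uri + NFC_SUFFIX)
    if record is None:
        return None
    credential, saved_id, payload_required = record
    if not hmac.compare_digest(saved_id, bytes(tag_id)):
        return None                      # different tag ID
    if payload_required:
        expected = db_password_checksum(credential)
        if tag_payload is None or not hmac.compare_digest(tag_payload, expected):
            return None                  # missing, wrong or stale checksum on the tag
    return credential

def demo() -> Tuple[bool, bool, bool, bool]:
    uri, tag_id = "content://db.kdbx", bytes.fromhex("04a1b2c3d4e5f6")  # constructed
    store = {uri: "biometric-credential"}               # existing device record
    payload = save_nfc_record(store, uri, "s3cret", tag_id, tag_writable=True)
    ok = unlock_with_tag(store, uri, tag_id, payload) == "s3cret"
    # Same ID presented without the written checksum (e.g. a blank tag): refused.
    id_only_refused = unlock_with_tag(store, uri, tag_id, None) is None
    # Password changed in the store, tag still holds the old checksum: re-write needed.
    store[uri + NFC_SUFFIX] = ("n3w-s3cret", tag_id, True)
    stale_refused = unlock_with_tag(store, uri, tag_id, payload) is None
    # Read-only enrollment: the tag ID alone unlocks, the weakness the PR notes.
    save_nfc_record(store, uri, "s3cret", tag_id, tag_writable=False)
    readonly_id_unlocks = unlock_with_tag(store, uri, tag_id, None) == "s3cret"
    return ok, id_only_refused, stale_refused, readonly_id_unlocks
```

The device record under the plain URI is never touched by the NFC path, which is the "not overriding the other Advanced Unlock options" property from the first comment.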

Status: In Progress

2 participants