UK government's battle with Apple over EU citizens app(bbc.co.uk)
bbc.co.uk
UK government's battle with Apple over EU citizens app
https://www.bbc.co.uk/news/uk-politics-46043668
47 comments
Any idea why Apple doesn't allow use of NFC? It's been in devices for ages, I'm surprise to hear it's not available to developers. Given Apple reviews all apps anyway, and can restrict what it's used for any way they like, I can't imagine why they wouldn't allow apps to use it.
I'm actually very suprised by this article because in iOS 11, over a year old now, they did open up NFC to developers: https://developer.apple.com/documentation/corenfc.
The problem could be that they require a different data format then the NFC Data Exchange Format (NDEF) as that is the only format that CoreNFC supports.
The problem could be that they require a different data format then the NFC Data Exchange Format (NDEF) as that is the only format that CoreNFC supports.
Communicating with a passport requires two-way communication for authentication and data transfer; they're not simple NFC tags.
> Any idea why Apple doesn't allow use of NFC?
iOS apps can access NFC capablities on devices with that have appropriate hardware support, but from what I understand the CoreNFC API has some limitations.
For example, it doesn't provide a way to read an RFID'c unique ID without using a private API that would disqualify an app from being published on the app store. There's some information about this at [1] and [2]. CoreAPI can read NDEF tags, but they don't expose the UID.
Perhaps the Home Office's app needs the UID of the passport's embedded RFID? I don't know why they might want this, or why Apple restricts the ability to read it. Privacy concerns?
[1] https://www.taptrack.com/article/blog/core-nfc-2/
[2] https://stackoverflow.com/questions/51822226/corenfc-not-rea...
iOS apps can access NFC capablities on devices with that have appropriate hardware support, but from what I understand the CoreNFC API has some limitations.
For example, it doesn't provide a way to read an RFID'c unique ID without using a private API that would disqualify an app from being published on the app store. There's some information about this at [1] and [2]. CoreAPI can read NDEF tags, but they don't expose the UID.
Perhaps the Home Office's app needs the UID of the passport's embedded RFID? I don't know why they might want this, or why Apple restricts the ability to read it. Privacy concerns?
[1] https://www.taptrack.com/article/blog/core-nfc-2/
[2] https://stackoverflow.com/questions/51822226/corenfc-not-rea...
You don’t just need the UID (and by the way, passports don’t have one).
You need to do a proper cryptographic handshake with the passport, something impossible with the current SDK. You need to be able to send raw “APDUs” (commands) to the smart card/passport.
You need to do a proper cryptographic handshake with the passport, something impossible with the current SDK. You need to be able to send raw “APDUs” (commands) to the smart card/passport.
> you need to be able to send raw “APDUs” (commands) to the smart card/passport.
Is this available via a private API in CoreNFC? Is that what they're asking for?
Edit:
> and by the way, passports don’t have one
Thanks - I didn't know that. Now reading about Pseudo-Unique IDs.
Is this available via a private API in CoreNFC? Is that what they're asking for?
Edit:
> and by the way, passports don’t have one
Thanks - I didn't know that. Now reading about Pseudo-Unique IDs.
Not available as far as I know; I looked into it as I needed it as well.
Seems like there are some classes in the SDK that hint at that but so far they don’t work (presumably they require an entitlement that only Apple can provide).
Seems like there are some classes in the SDK that hint at that but so far they don’t work (presumably they require an entitlement that only Apple can provide).
Maybe they don't want NFC payment alternatives that would rival Apple Pay. And they don't want to restrict it for that use-case because it makes them look weak for artificially blocking out the competition so they just restrict the feature entirely.
Or the security/PR nightmare that would happen when someone used one of those that was poorly implemented and said “I paid with Apple Pay and all my money was stolen!”
Or an anti-competition suit?
It's really silly – but Apple keep the NFC functionality exclusively for use by Apple Pay. Whilst it is NFC, Apple have never marketed it as such. Presumably they want people to think that it's just Apple Pay 'magic'.
Not just Apple Pay anymore, they also use it for certain transit cards and student ID cards. New phones can read tags and launch the appropriate app (via notification like Camera gives you for QR code reading): https://www.macrumors.com/2018/09/12/2018-iphones-background...
But they prevent competition with their own services in myriad ways already via their review process. Try building your own app store, for example.
Presumably because they want to force financial institutions to go through Apple Pay, so they can take their transaction fee cut.
Imagine Ford making a car that only accepts fuel bought at a Ford fueling station.
I am sure you can see the advantages?
I am sure you can see the advantages?
> The Home Office has also signed a £91m contract with French company Sopra Steria to set up computer terminals at 56 local libraries
Just £1.625 million per library? Does that seem a crazy amount to anyone else?
Just £1.625 million per library? Does that seem a crazy amount to anyone else?
I does seem crazy, but apparently it includes the application process as well. In general not a lot of people tend to care about this kind of thing. Governments often aren't empowered to do it, the large tech companies don't care, the idealist are busy copying the large tech companies and the hobbyist are busy with their own hobbies. Left are large consulting companies that can provide custom solutions and will charge as such.
Also, local to who? There aren't 56 points in the UK such that everyone has a local point for any reasonable definition of "local".
These are the only 56 libraries left that have not been shut down by the current government.
https://librarytechnology.org/libraries/ukpublic/
> libraries.org includes 4982 public libraries in the United Kingdom
> libraries.org includes 4982 public libraries in the United Kingdom
So this is a smartphone app because they want to use the NFC in the smartphone to scan the passport.
Does anyone know how the NFC in a passport works? If it just communicates the passport number, then it seems like they could allow a fallback where the user types in the passport number, without any loss of security.
(Because if that is how it works, all you're really proving is knowledge of the passport number, not possession of the passport)
EDIT: According to this StackOverflow post[0] the NFC reader needs to supply the passport number, date of birth, and expiry date before it can retrieve whatever data is on the passport, so it can't work the way I described.
[0] https://security.stackexchange.com/questions/30772/what-nfc-...
Does anyone know how the NFC in a passport works? If it just communicates the passport number, then it seems like they could allow a fallback where the user types in the passport number, without any loss of security.
(Because if that is how it works, all you're really proving is knowledge of the passport number, not possession of the passport)
EDIT: According to this StackOverflow post[0] the NFC reader needs to supply the passport number, date of birth, and expiry date before it can retrieve whatever data is on the passport, so it can't work the way I described.
[0] https://security.stackexchange.com/questions/30772/what-nfc-...
The passport is a standard NFC smart card, just like your credit card. Internally it can do crypto, which means it’s not just about a passport number but cryptographically proving the person is in possession of their passport.
It's signed and encrypted:
https://en.wikipedia.org/wiki/Biometric_passport
Relatedly on twitter: https://twitter.com/JakubKrupa/status/1057665110976663552 downthread
"The most difficult part of the process - confirmation of ID - was not being done through an automated process: applicants didn't have to use the controversial app to scan their passports. Of those who voluntarily decided to use it 30% FAILED."
And as various people have pointed out, unless a deal appears in a really short timeframe, all 3m EU nationals living in the UK will have to go through this process in order to continue working or renting in the UK. https://www.bbc.co.uk/news/uk-politics-46035919
"The most difficult part of the process - confirmation of ID - was not being done through an automated process: applicants didn't have to use the controversial app to scan their passports. Of those who voluntarily decided to use it 30% FAILED."
And as various people have pointed out, unless a deal appears in a really short timeframe, all 3m EU nationals living in the UK will have to go through this process in order to continue working or renting in the UK. https://www.bbc.co.uk/news/uk-politics-46035919
Oh, so there will not be a transition period for EU citizens in case of a no-deal Brexit?
Nobody knows!
Well, the Minister for Immigration said that "new immigration controls - including employer checks of immigration status - will apply to EU citizens next year" to the Select Committee, but it's routine for ministerial statements to be countermanded the next week, so who knows? It's not as if there are penalties for error or incompetence.
Well, the Minister for Immigration said that "new immigration controls - including employer checks of immigration status - will apply to EU citizens next year" to the Select Committee, but it's routine for ministerial statements to be countermanded the next week, so who knows? It's not as if there are penalties for error or incompetence.
Same reason why Apple isn't compatible with my bank. Apple wants to lock their NFC chip. And make lots of money with their ridiculous transaction fees in the process obviously.
Dont blame them, but people will choose Android over it.
Dont blame them, but people will choose Android over it.
She told MPs the Home Office could not be blamed because Apple "won't release the upgrade we need in order for it to function".
Wrong. The Home Office should have checked with Apple before developing the app.
Wrong. The Home Office should have checked with Apple before developing the app.
[deleted]
This strikes me as an extreme form of premature optimization.
This seems like the sort of thing that should be rolled out to council offices, the Post Office, somewhere like that (libraries, as stated in the post).
Or (and!) airports (they already have the infrastructure!).
Let's maybe not spend 1.5 million per device though. That's something like 10-30 software dev salaries, per location. Graft?
This seems like the sort of thing that should be rolled out to council offices, the Post Office, somewhere like that (libraries, as stated in the post).
Or (and!) airports (they already have the infrastructure!).
Let's maybe not spend 1.5 million per device though. That's something like 10-30 software dev salaries, per location. Graft?
The Home Office has also signed a £91m contract with French company Sopra Steria to set up computer terminals at 56 local libraries around the UK to help those without smartphones, or without the necessary digital skills, to apply to stay in the UK.
[deleted]
Considering what's a stake for citizens and the govt, one wonders would it make sense to partner with a commodity hardware manufacturer and split the cost of the device? Use recyclable parts and encourage people to return them for a fee?
It needs to be ready and distributed in less than 5 months.
Furthermore, not everyone thinks the Home Office or the government in general is making a good faith effort to do this competently.
Furthermore, not everyone thinks the Home Office or the government in general is making a good faith effort to do this competently.
The current government is basically incapable of doing anything competently.
This goes double for anything involving IT or negotiating with other countries.
This goes double for anything involving IT or negotiating with other countries.
How about - user completes everything else on their iPhone, app generates a code, user asks Android owning friend to download companion app: SaveMyIPhoneOwningEuroFriendsBacon.apk, friend enters code and scans passport?
I think there’s more chance of the Tory government getting a deal with the EU for brexit than this!
iOS definitely supports NFC for third party apps. Here’s the documentation:
https://developer.apple.com/documentation/corenfc
I just played with the Yubico iOS SDK just the other day and it supports my Yubikey 5 flawlessly.
https://developer.apple.com/documentation/corenfc
I just played with the Yubico iOS SDK just the other day and it supports my Yubikey 5 flawlessly.
They support a very limited form of NFC, which will most definitely not allow you to read a passport.
kaddio(2)
Government: 'Great let's base our whole system on this'
:|