Skip to content
An NFC research toolkit application for Android
Java C++ C HTML CMake
Branch: v2
Clone or download

Latest commit

kleest Bypass ISO 7816 cmd requirements
Android requires the first command to conform to a ISO 7816 SELECT
command for AID selection. Bypassing this requirement allows NFCGate to
receive any NFC traffic.
This hook is only active if NFCGate is in tag mode.
Latest commit 0f03e65 Dec 28, 2019


Type Name Latest commit message Commit time
Failed to load latest commit information.
app Always use the local time in received NfcComm Feb 26, 2020
doc doc: Added pcapng documentation May 7, 2019
gradle/wrapper Updated gradle wrapper Jan 30, 2020
nfcd Bypass ISO 7816 cmd requirements Mar 19, 2020
protobuf Renamed namespace May 3, 2019
.gitignore Updated gradle wrapper Jan 30, 2020
.gitlab-ci.yml Fixed CI Oct 30, 2018
.gitmodules Added on-demand protobuf generation May 23, 2018
AUTHORS License consolidation Mar 8, 2018
LICENSE Fixed license May 9, 2019 Added building instructions Jul 7, 2019
build.gradle Updated gradle wrapper Jan 30, 2020
gradlew Added CI Oct 30, 2018
gradlew.bat NEW PROJECT, intents work Oct 19, 2014
settings.gradle Added on-demand protobuf generation May 23, 2018


NFCGate is an Android application meant to capture, analyze, or modify NFC traffic. It can be used as a researching tool to reverse engineer protocols or assess the security of protocols against traffic modifications.


This application was developed for security research purposes by students of the Secure Mobile Networking Lab at TU Darmstadt. Please do not use this application for malicious purposes.


  • On-device capture: Captures NFC traffic sent and received by other applications running on the device.
  • Relay: Relays NFC traffic between two devices. One device operates as a "reader" reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE).
  • Replay: Replays previously captured NFC traffic in either "reader" or "tag" mode.
  • Clone: Clones the initial tag information (e.g. ID).
  • pcapng export of captured NFC traffic, readable by Wireshark.

Requirements for specific modes

  • NFC support
  • Android 4.4+ (API level 19+)
  • Xposed: On-device capture, relay tag mode, replay tag mode, clone mode.
  • ARMv8-A, ARMv7: Relay tag mode, replay tag mode, clone mode.
  • HCE: Relay tag mode, replay tag mode, clone mode.



  1. Initialize submodules: git submodule update --init
  2. Build using Android Studio or Gradle

Operating Modes

As instructions differ per mode, each mode is described in detail in its own document in doc/mode/:

Pcapng Export

Captured traffic can be exported in or imported from the pcapng file format. For example, Wireshark can be used to further analyze NFC traffic. A detailed description of the import and export functionality is documented in doc/


NFCGate provides an in-app status check. For further notes on compatibility see the compatibility document.

Known Issues and Caveats

Please consider the following issues and caveats before using the application (and especially before filing a bug report).

NFC Stack

When using modes, that utilize HCE, the phone has to implement the NFC Controller Interface (NCI) specification. Most of the phones should implement this specification when offering HCE support.

Confidentiality of Data Channel (relay)

Right now, all data in relay mode is sent unencrypted over the network. We may or may not get around to implementing cryptographic protection, but for now, consider everything you send over the network to be readable by anyone interested, unless you use extra protection like VPNs. Keep that in mind while performing your own tests.

Compatibility with Cards (relay, replay, clone)

We can only proxy tags supported by Android. For example, Android no longer offers support for MiFare classic chips, so these cards are not supported. When in doubt, use an application like NFC Tag info to find out if your tag is compatible. Also, at the moment, every tag technology supported by Android's HCE is supported (A, B, F), however NFC-B and NFC-F remain untested. NFC-A tags are the most common tags (for example, both the MiFare DESFire and specialized chips like the ones in electronic passports use NFC-A), but you may experience problems if you use other tags.

Compatibility with readers (relay)

This application only works with readers which do not implement additional security measures. One security measure which will prevent our application from working in relay mode is when the reader checks the time it takes the card to respond (or, to use the more general case, if the reader implements "distance bounding"). The network transmission adds a noticeable delay to any transaction, so any secure reader will not accept our proxied replies.
This does not affect other operating modes.

Android NFC limitations (relay, replay)

Some features of NFC are not supported by Android and thus cannot be used with our application. We have experienced cases where the NFC field generated by the phone was not strong enough to properly power more advanced features of some NFC chips (e.g. cryptographic operations). Keep this in mind if you are testing chips we have not experimented with.

Publications and Media

This application was presented at WiSec 2015. The extended Abstract (outdated by now) and poster (slightly outdated) can be found on the website of one of the authors. It was also presented in a brief Lightning Talk at the Chaos Communication Camp 2015.


   Copyright 2015-2019 NFCGate Team

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   See the License for the specific language governing permissions and
   limitations under the License.

Used Libraries


  • ADBI: ARM and THUMB inline hooking
You can’t perform that action at this time.