Is Apple Or NFC The Bigger Loser With iPhone 5?

Android and Windows Phone seem to be diving into the near-field communication (NFC) pool, but Apple said no for the iPhone 5. If Apple had signed on, it's a reasonable bet that some sort of retail presence for NFC would develop to take advantage of it, but now I'm not so sure. The lack of NFC in the iPhone 5 might retard deployment of NFC in the real world.

On the other hand, maybe the opposite is possible. Maybe NFC will be deployed--after all, Android is the volume leader--and Apple users will be the ones to miss out, and iPhones will end up behind the curve in this way. And it's not just retail.

My own personal sense is that NFC is basically a gimmick, but it does make some operations so easy that I can see people liking it. The choice is this: Currently you either have to have the point of sale scan a barcode on your mobile device or maybe do some app-based payment system. With NFC you'd be able to hold the device within a few centimeters of the point of sale or tap it against some designated point and a transaction would take place. You might or might not get some confirmation screen on your mobile; I hope you do because it's asking for big trouble for them not to confirm, but that's an implementation issue.

No question it's easier the NFC way, but for some reason Apple passed on it and now it will be a year before it can implement it. What do you think? Did Apple miss out, or did it take a pass on a lot of trouble?

Just a couple of months ago, at the Black Hat conference in Las Vegas, hacker Charlie Miller, now working for Twitter, demonstrated the ease with which phones with current implementations of NFC can be hacked. Of course, these phone manufacturers could have just done a better job, but maybe Apple saw potential NFC security problems as not worth the trouble.

Fundamentally, there's nothing less secure about NFC, just implementations of it. It's a wireless communication standard like many others implemented on phones, computers, tablets, and other devices, but (as shown in the chart below) it only works in very close proximity--just a few centimeters--and at a fairly low data rate.

Will everyone else run away from the security issues like Apple? The potential applications for NFC are numerous; the most trite example is paying for your coffee by tapping your phone against some designated point at checkout, but your NFC phone could also present a ticket at the turnstile of a concert or sporting event. Tapped against a copier or printer it could allow you to print a document from your phone, and there are already projects to provide information to phones at kiosks, such as this one from the Long Island Railroad.

As Miller showed at Black Hat, the security problems derived from two implementation characteristics: The features were turned on by default, and NFC actions could be invoked without confirmation by the user. Unfortunately, both probably are viewed as "features" because the whole point of NFC is to make complex things brain-dead-simple--even if you can't read you can learn to tap the phone.

From the point of view of security dweebs like Charlie and me, users should have to turn such features on deliberately, and when they do so, that would be a good point to give them some warnings about possible dangers. Actions when tapping the phone should not just happen; the user should be presented with an alert on the device presenting them with options: Do you want to receive information from this kiosk? Do you want to view the Web page at www.example.com/whatever? Do you want to pay this much to this vendor from this credit card?

This is a lesson Microsoft learned painfully for PCs in the period of roughly 2004-2009: default-deny is the secure strategy. Android isn't likely to get this right for a while; I'm curious to see Microsoft's NFC implementation in Windows Phone 8 and how it's handled.

I think people will want these applications and I'm willing to bet they'll start popping up in spite of there being no iPhone support. Apple better hope they don't get too popular.