back to article Home Office boffins slip out passport-scanning Android app

Android owners with NFC handsets can now read their passports with an official Home Office app - and civil servants want to know what other features could be added to it. UK passports have had chips in them since 2006, containing a digital version of the photograph and other details, all cryptographically signed. Phones …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    If I can scan my own passport can I scan yours.

    If I can borrow yours can I scan it and can I clone it?

    If I can clone it, what are the implications?

    1. Anonymous Coward
      Anonymous Coward

      @ac

      The answers to all these questions may be found by reading the article.

      1. Anonymous Custard

        Re: @ac

        The problem perhaps is that all the manual check questions (as listed in the article) can be answered by looking in the passport itself. Hence won't be any barrier to the "borrowed passport" scenario, although they would prevent "walk-by" scanning.

        1. Anonymous Coward
          Anonymous Coward

          @Anonymous Custard

          If they have access to the physical passport to get that information, they have the information stored in the RFID anyway!! All those nice details about the person, and the stamps for the countries they've visited and when... is all that there is in the chip.

      2. Steve I
        Joke

        Re: @ac

        "reading the article"

        Never stopped anyone from commenting before.

  2. Pete 2 Silver badge

    Because we can

    > and the first to publicly ask: Why bother?

    Steady on. If every piece of software: paid or free, was to question whether there was any need for it, there would be hardly any of the stuff around and the likes of Github would be an empty wilderness containing the rare few projects that had a life of their own - or corporate sponsorship.

    Most amateur written software is produced to demonstrate the prowess of the writer (just like comments in forums are ... ) rather than to make a meaningful contribution to the sum of human happiness. If these guys enjoyed writing their app, and it doesn't harm anyone (and there aren't any security downsides) then what the hell - let 'em do it if it makes them happy.

  3. Pen-y-gors

    Pointless

    The only legitimate use for a passport is to allow you to PASS through a PORT when entering a country, where government officials will have all they need to read the document - or is Border Agency going down the BYOD line?

    Any other usage (as an ID document etc) is very dodgy, and an attempt to introduce ID cards by the back door.

    1. Pete 2 Silver badge

      Re: Pointless

      > Any other usage (as an ID document etc) is very dodgy

      Especially in foreign parts where a passport number is often used in lieu of a citizen's ID card number - even on official documents. Buy a house abroad and you could well find your PP number is written into the official documents of ownership. A bit of a bummer as every time you change your passport you get a different number ...

  4. Anonymous Custard
    Black Helicopters

    Who do you think you are?

    Might have a quick look at this, simply to see who my passport actually thinks I am. Having tried the ePassport gates @ Gatwick now several times (business travel) and getting bounced from them more times than they let me through, I'm becoming convinced I'm either not who my passport thinks I am, or perhaps not who I think I am (not sure which is the more worrying option).

    Oh bring back the IRIS gates - quick, simple and they actually worked...

    1. MrXavia
      Thumb Up

      Re: Who do you think you are?

      Totally Agree I loved using the IRIS, so simple, so reliable (for me anyway) and secure!

      Not sure about the newer e-borders thing, never been open when i've been through T3...

  5. McVirtual
    FAIL

    Meh...

    Didn't work on my 2008 NFC passport...

    the fact you have to put data in to unlock it is fair enough, and will stop people scanning other folks passports without consent I guess.

    Bit of a pointless (an exceptionally UGLY looking) application imho

    1. Anonymous Coward
      Anonymous Coward

      Re: Meh...

      Bit of a pointless (an exceptionally UGLY looking) application imho

      My son just got a new passport and I happened to have a quick read through the notes that came with it while sticking them in recycling last night. Think this app is basically an extension of the way they answer the

      "How can I find out what info is electronically stored on my passport"

      with

      "You can see this by using the passport scanner in a passport office"

      So, now they can add

      "or if you have a suitable Android phone you can yous the IPS passport reader app"

      I think its intended as a "reassurance" for people who think there's lots of secret information about them stored electronically on their passport ... but then again, would those people really believe that there isn't lots of secret information stored electronically on their passport that this app won't show!

      N.b. cannot comment on exceptionally UGLY looking as I don't have a suitable phone!

      1. Norman Hartnell
        Headmaster

        @AC 08:59

        "or if you have a suitable Android phone you can yous the IPS passport reader app"

        Not sure where to begin on that one.

      2. Horridbloke
        Linux

        Re: Meh...

        "...that this app won't show"

        Assuming the app isn't hiding anything the makers could always open-source it.

  6. Anonymous Coward
    Anonymous Coward

    Ah, the joy of identity theft..

    The main electronic check of passport data is if the name checks against the number, and (if so equipped) if biometrics match. Gaining access to the stored biometrics means you can feed fully valid data into any system and hey, presto, it was you who did x/y/z. And we all know that according to officials, the computer never lies.

    One more argument to buy an RFID proofed passport and credit card holder.

  7. g e
    Joke

    Errrr have you seen the Permissions?

    Access to NFC

    Access to Data

    Access to GCHQ/NSA

  8. flashard

    2 factor authentication?

    Cloning would involve the physical features of the passport, and signing the data on the chip - so reading is a LONG way from cloning.

    One reason for reading the data would be to access the digital photo at a higher level of quality than you would get by scanning the page. Automated entry gates use this approach to compare your face (by taking a photo) to the copy on the passport.

    I’m now wondering if there would be some way to use it to prove that you’re physically holding your passport in your hand i.e. passport as 2 factor authentication.... might be a few uses for that.

    1. Robert Helpmann??
      Childcatcher

      Re: 2 factor authentication?

      ...reading is a LONG way from cloning.

      Yes, but it would seem that it is a necessary first step, and this sort of thing has the potential for simplifying the process. It will also offer a check that your newly purchased fake passport will work at this level.

  9. andreas koch
    Trollface

    My passport chip didn't answer.

    Could that possibly be related to the incident when I accidentally left it in the microwave on 700W for 14 seconds?

    1. Barry Tabrah
      Thumb Up

      Re: My passport chip didn't answer.

      Couldn't be that. I read on the internet that you had to microwave the passport in order to recharge the NFC chip and extend its range.

  10. welshie

    makes you wonder why have the chip

    If the chip only contains stuff that can be optically read from the passport, and if it needs to be optically read for data that is needed to retrieve data from the chip, what's the point in the chip, other than supposedly to spot when the optical data and the chip data doesn't match? I take it that the data on the chip is in someway officially signed to prevent someone tampering with it or faking it.

  11. Anonymous Coward
    Anonymous Coward

    Formerly known as - "Identity and Passport Office"

    User freely gives personal data to government,

    by verifying fandroid's ownership.

  12. Anonymous Coward
    Anonymous Coward

    proves there's a chip in the passport?

    So it's validating the chip contents against the printed content.

    Do forgeries also include a valid chip? If not, it might be a way of eliminating them when using a passport to show your bona fides.

  13. Flywheel
    FAIL

    NFC you say?

    "Don't stand so close to me"

  14. SynicNZ

    wouldn't work on mine

    But NFCTagInfo has no problem. Reads other countries also.

  15. Captain Mainwaring
    Pint

    Of limited value in the real world

    This Android app as it stands is OK as a basic chip working/not working check, but of little use in the commercial admin world. Perhaps by adding an online element to this program, it could become a useful Passport authenticator, checking that the Passport that has been scanned is indeed an original, authentic document as issued by HMPO. This might well have applications in the world of HR, banking and legal services and if provided for free, would probably enjoy wide spread use.

  16. Anonymous Coward
    Anonymous Coward

    NFC Tag Info

    One of the first things I did with my NFC enabled phone was scan my passport with NFC Tag Info, just because.

    Although I regret it, as my passport photo is awful!

    Having said that, it's easy enough to see the point in the chip for border control, verifying both sets of data, and assuming a "signed" nfc chip.

    And good of them to release an official app, so you can see what's on yours, just because. Also immediately made me feel better when I saw you cant drive-by scan passports without knowing the details already.

  17. Anonymous Coward
    Anonymous Coward

    How do we know this app is real and not malicious?

    Anyone can upload an app with a description that links back to a .gov webpage. Is there a page somewhere on the IPS website that links to the app?

    1. thesykes

      Re: How do we know this app is real and not malicious?

      As the only permission the app asks for is NFC, why worry? It can't access the internet, phone logs etc. As soon as it tried it would crash. One of the good things about Android permissions, if they're not specified in the manifest file, they won't work.

      1. Anonymous Coward
        Anonymous Coward

        Android permissions can be bypassed.

        http://www.hackinparis.com/Bypassing-the-Android-permission-model

        http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-android-permissions-what-you-need-to-know/

        I could go on, but I think that makes the point: perms can't protect you against a malicious app. In this particular case, the reader app could easily invoke the browser to upload your data to a remote website as part of a URL query string.

  18. John 98

    Great - if only the scanner at Gatwick worked

    I have used the scanners at Schiphol with no problem - but the UK version, which looks hugely more complicated and expensive, can't read my passport (or a lot of others). Perhaps the guy who came up with the android app should be given the contract for the airport scanners?

  19. Cliff

    real world use!

    Earlier this year I had to arrange visas and accreditations for 200 people, meaning needing an electronic log off 200 passport details and 200 passport-style photographs without the photocopy hologram overlay distortion.

    This could actually have been rather useful at times.

  20. Anonymous Coward
    Anonymous Coward

    immigration/visa check

    I remember having a very tedious conversation with immigration that went:

    Who gets fined/imprisoned if I employ someone without a uk passport/visa? - you do

    How do I check they have a uk passport/visa? - ask them to show you it

    How do I check it's valid? - you can't

    So it could be anyone's passport/visa with the photo replaced? - yes

    ...and I go to prison if I can't tell - yes

    ...so all I can do is not employ people who are a bit off white or speak funny - no, that would be illegal sir

    This might fill that hole.

    1. cpage

      Re: immigration/visa check

      Can anyone else get this App to work properly?

      I tried it once on my passport - it's very tedious to use as you have to enter the passport number and other data from the same page to show that you have physical access to the passport. It did indeed display my (awful) passport photo, but that's all. I then tried it on my wife's passport which also has a chip. I couldn't get it to work. I then tried it on mine again, re-entering all the necessary data of course. Didn't work this time. So perhaps it's a use-once application?

      These are, of course, the people who brought us the Iris scanners at major airports, which in my experience only worked about one time in ten. The new facial recognition terminals at Heathrow were all out of order last time I entered the country, so maybe their reliability is just as good.

    2. Graham Cobb Silver badge
      Big Brother

      Re: immigration/visa check

      My understanding is that having made a reasonable attempt to check is a valid defence, and that the law (or the courts) recognise that we are not experts in validating passports. Although it is wise to have a written policy and to keep a record that you can produce if asked. Of course, IANAL.

      This does lead me into a concern about this app, though. If an app like this is available, many people might decide they need to use the app, and record the details, to protect themselves. For employers keeping records of right to work it might be reasonable, but how long before a local pub or club decides that you have to produce and scan your passport in order to get in? And then come under presure to turn over the records to the police when they discover that a terrorist suspect had been in the pub??

      In other words, with apps like this around, a passport could become a de-facto national ID card, by the back door. I, for one, will not be producing my passport for any UK business that wants to do business with me.

This topic is closed for new posts.

Other stories you might like