ikarus23

ikarus23/MifareClassicTool

Java GPL-3.0 Security

An Android NFC app for reading, writing, analyzing, etc. MIFARE Classic RFID tags.

6.1k stars
1k forks
recent
GitHub +21 / week

6.1k

Stars

1k

Forks

34

Open issues

30

Contributors

v4.3.1 25 Jan 2026

AI Analysis

MIFARE Classic Tool is an Android NFC application for reading, writing, analyzing, and cloning MIFARE Classic RFID tags through dictionary-based key attacks and low-level hex manipulation. It serves specialized security researchers, penetration testers, and RFID enthusiasts who need direct hardware-level access to MIFARE Classic tags; it is not a general-purpose NFC app and requires deep familiarity with hexadecimal data and MIFARE Classic technology.

Security Mobile Tool Discovery value: 4/10
Documentation 8/10
Activity 8/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 7/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

nfc rfid mifare-classic security-research android-app
Actively maintained Well documented Niche/specialized use case Popular Production ready
Deep Analysis · Based on README and public signals
2w ago

Android NFC tool for reading and writing MIFARE Classic RFID tags, serving security researchers and hobbyists since 2013

MIFARE Classic Tool (MCT) is a free, open-source Android application that lets users read, write, clone, and analyze MIFARE Classic RFID tags using their phone's NFC hardware. It targets security researchers, hobbyists, access-control system administrators, and technically literate users who understand hexadecimal data and MIFARE Classic internals. Available on Google Play, F-Droid, and direct APK, it has accumulated over 6,000 GitHub stars and maintained active development for 13+ years, making it one of the most established mobile RFID tools in its niche.

Origin

Created in February 2013, MCT predates most mobile NFC tooling. It emerged as Android NFC APIs matured and MIFARE Classic security weaknesses became widely known, filling a gap between desktop Proxmark3 tooling and zero mobile-friendly alternatives.

Growth

Growth has been slow and organic over 13 years, driven by persistent demand from security researchers, CTF participants, physical access control administrators, and hobbyists. The project benefits from being one of very few maintained free tools in this niche. A donate version on Google Play suggests a small but loyal user base willing to pay. Growth is not viral — it accumulates through word-of-mouth in security communities and forum threads like the Proxmark forum.

In production

Available on Google Play and F-Droid with a separate donate version, suggesting measurable real-world install base. The Proxmark forum thread and multi-language README (English, Simplified Chinese, Traditional Chinese) indicate international usage. Exact install numbers are not available from repository metadata, but multi-platform distribution and 6,000+ stars for a highly specialized tool suggest meaningful adoption within its target niche.

Code analysis
Architecture

Appears to be a single Android application written in Java, likely structured around NFC tag interaction activities and utility classes for encoding/decoding MIFARE Classic data structures. The feature set (block-wise read/write, value block decode, access condition decode) suggests a modular utility design rather than a complex multi-component architecture.

Tests

Not documented in README

Maintenance

Last push was June 21, 2026 — five days before the evaluation date — indicating the project is actively maintained. Thirteen years of continuous development with no apparent abandonment periods is a strong signal of sustained commitment. A donate version and external documentation site (icaria.de) suggest ongoing investment by the maintainer.

Honest verdict

ADOPT IF: you need a free, mobile-friendly tool to read, write, clone, or analyze MIFARE Classic tags and already have the relevant sector keys; especially useful for field work, CTF challenges, or access control administration on a compatible Android device. AVOID IF: you need key recovery/cracking capabilities, require NFC standards beyond MIFARE Classic (NTAG, DESFire, etc.), or your Android device's NFC controller lacks MIFARE Classic hardware support — a known and documented limitation. MONITOR IF: you rely on it for professional security assessments and want to track whether newer Android NFC API restrictions or hardware changes begin to erode compatibility over time.

Independent dimensions

Mainstream potential

2/10

Technical importance

7/10

Adoption evidence

6/10

Risks
  • Android NFC hardware fragmentation: a documented list of incompatible devices exists, and future Android versions or chipset changes could further restrict MIFARE Classic hardware-level access without app-level workarounds.
  • Single-maintainer dependency: 13 years of active development by what appears to be a single primary maintainer; succession or burnout risk is real even if currently low.
  • MIFARE Classic is a legacy, cryptographically weak technology; long-term relevance depends on how slowly organizations migrate away from it — this is a real but slow-moving risk.
  • No key recovery capability means MCT is dependent on users having prior knowledge of tag keys, limiting utility in scenarios where tags use unknown keys.
  • Special 'gen1/gen1a' magic tags cannot be cloned due to Android NFC API limitations, a fundamental constraint that cannot be resolved in software.
Prediction

MCT will likely continue slow, steady maintenance as long as MIFARE Classic infrastructure remains deployed globally — which appears likely for at least another decade given its widespread use in transit and access control systems. Mainstream growth is unlikely; niche stability is probable.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Java
93.2%
HTML
4.9%
Python
1.7%
Shell
0.2%

Information

Language
Java
License
GPL-3.0
Last updated
3w ago
Created
163mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

nfcgate

nfcgate/nfcgate

NFCGate is an Android research toolkit for capturing, analyzing, and modifying...

2.3k Java Security
RfidResearchGroup

RfidResearchGroup/proxmark3

Proxmark3 is a specialized RFID reader/writer and analysis tool designed for...

5.8k C Security
HiddenRamblings

HiddenRamblings/TagMo

TagMo is an Android NFC tag manager for reading, writing, and emulating amiibo...

3.2k JavaScript Gaming
revtel

revtel/react-native-nfc-manager

react-native-nfc-manager brings Near Field Communication capabilities to React...

1.6k Java Mobile
jocmp

jocmp/capyreader

Capy Reader is a lightweight Android RSS reader that supports multiple backend...

1.3k Kotlin Mobile
vs. alternatives
Proxmark3 (hardware + software)

Far more powerful for key recovery, advanced attacks, and protocol analysis, but requires dedicated hardware ($100-300+) and technical expertise. MCT uses the phone's built-in NFC, making it more accessible for basic read/write/clone tasks when keys are already known.

NFC Tools (by wakdev)

More polished UI and broader NFC standard support (NDEF, NFC-A/B/F/V), but does not offer MIFARE Classic-specific features like sector key management, access condition decoding, or block-level dump/clone operations that MCT specializes in.

NFC TagInfo (by NXP/Springcard)

Excellent for tag inspection and standard identification, but read-only and not designed for writing, cloning, or key dictionary attacks. Complementary rather than competing for most MCT use cases.

Flipper Zero

Dedicated hardware device with MIFARE Classic read/write/clone capability and built-in key dictionary. More portable and hardware-independent than a phone, but costs ~$200 and MCT is free for users who already have compatible Android devices.

mfcuk / mfoc (desktop CLI)

Provide key recovery capabilities that MCT explicitly does not support. Used upstream of MCT: researchers recover keys with mfoc/mfcuk on desktop, then use MCT on Android for field operations once keys are known.