6

I was reading information on this link in regards to signing an application with carrier privileges.

I am aware of how to sign an application using a keystore for production releases, but how do I add UICC certificates to my app so it gets carrier privileges?

My main goal is to be able to call TelephonyManager functions like:

iccOpenLogicalChannel
iccCloseLogicalChannel
iccTransmitApduLogicalChannel
iccTransmitApduBasicChannel

This is the stack trace I get when calling one of the above functions:

E/AndroidRuntime: FATAL EXCEPTION: main
E/AndroidRuntime: Process: com.xxxx, PID: 2668
E/AndroidRuntime: java.lang.SecurityException: No modify permission or carrier privilege.
E/AndroidRuntime:     at android.os.Parcel.readException(Parcel.java:1599)
E/AndroidRuntime:     at android.os.Parcel.readException(Parcel.java:1552)
E/AndroidRuntime:     at com.android.internal.telephony.ITelephony$Stub$Proxy.iccOpenLogicalChannel(ITelephony.java:2966)
E/AndroidRuntime:     at android.telephony.TelephonyManager.iccOpenLogicalChannel(TelephonyManager.java:2914)
E/AndroidRuntime:     at android.view.View.performClick(View.java:5198)
E/AndroidRuntime:     at android.view.View$PerformClick.run(View.java:21147)
E/AndroidRuntime:     at android.os.Handler.handleCallback(Handler.java:739)
E/AndroidRuntime:     at android.os.Handler.dispatchMessage(Handler.java:95)
E/AndroidRuntime:     at android.os.Looper.loop(Looper.java:148)
E/AndroidRuntime:     at android.app.ActivityThread.main(ActivityThread.java:5417)
E/AndroidRuntime:     at java.lang.reflect.Method.invoke(Native Method)
E/AndroidRuntime:     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
E/AndroidRuntime:     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)

Thanks in advance!

CompEng88

2 Answers

6

The question that you should ask yourself is actually a different one: How do I get the certificate for my app signing key into the UICC? Once you have that, the actual signing process is no different than with any other keystore.

So, you would have a keystore containing your signing key pair and a certificate for that key. The certificate could either be a self-signed certificate (that's typically the case for Android app signing keys) or a certificate issued to you by the UICC owner (MNO/carrier). In the first case, you would need to convince the UICC owner to add that self-signed certificate to the access control list(/application) on your UICC. In the second case, the carrier would typically include the root certificate corresponding to the certificate issued to you to the UICC.

You could then use that keystore to sign an app (just as you usually do).

Michael Roland
  • I figured it out actually. The link I posted from Google doesn't explain it well enough. They actually want you to use your own keystore and add an access rule for the SHA of that keystore to the smart card via an OTA. (or as you said, the other way should work too) – CompEng88 Nov 09 '15 at 04:14
  • I would like to find the certificate used in the simulated UICC into AVDManager, in order to sign my app with it, and then access the CarrierConfiguration API to play with VoLTE settings. Where can I find the certificate ? Thanks ! – Alex Aug 30 '16 at 09:01
  • 1
    Hi Alex, I am also working on the same requirement, did you get any solution? – Yerram Naveen Nov 02 '16 at 12:20
  • 1
    How do I get the certificate for my app signing key into the UICC? – Benny Aug 15 '17 at 13:40
  • @CompEng88 I have similar requirement, how did you manage to make your app a carrier privilege app. Also you seem to mention Google link doesn't explain well. Please share your findings – DJphy Jan 29 '20 at 11:34
  • 2
    @DJphy: Here is a guide to make an app a carrier privilege app https://github.com/herlesupreeth/CoIMS_Wiki – Skyprenet Feb 05 '20 at 07:17
  • @Skyprenet Thanks for the link, hopefully the steps work out. And is that the only way? I seem to have noticed access rules can be updated over the air (OTA) as well!? – DJphy Feb 06 '20 at 08:05
  • 2
    @DJphy In order to update the access rules on the SIM card you need the KIC, KID and KIK keys. These keys are only available if you have a programmable version of the SIM (the operator SIMs you buy at stores are of no use as the operator won't share the keys I mentioned before). If you could tell me in detail about the type of SIM you have, I could suggest some workaround based on it. – Skyprenet Feb 06 '20 at 09:22
  • @Skyprenet hey thanks for the write up. I am a developer for an operator. We are Service providers. So what is the best way to add access rules to SIM. I am new to this. A brief explanation will be very helpful – DJphy Feb 08 '20 at 15:43
  • 2
    @DJphy If you are a developer for an operator then make sure you have the following security keys (KIC, KID and KIK), as they are a must-have in order to update access rules whatever method you take. More info about those can be found in the following [spec](https://www.etsi.org/deliver/etsi_ts/102200_102299/102225/06.02.00_60/ts_102225v060200p.pdf). Once you have those keys, you can install the ARA-M applet on the SIM (if it's not present already); this applet takes care of authenticating the Android apps in your phone based on the access rules stored in the ARA-M applet. – Skyprenet Feb 10 '20 at 11:07
  • 1
    @DJphy Continuing here. The access rules in ARA-M applet are nothing but SHA-1 hash value of the signing key with which you sign the Android app. If your SIM has ARA-M already installed then just add the hash value of the app using the following [tool](https://git.osmocom.org/sim/sim-tools/), which uses KIC and KID security keys. Android OS probes this applet and checks against the hash value of the app which wants to have carrier privileges, if it matches then app is given carrier privileges or else not – Skyprenet Feb 10 '20 at 11:13
  • @Skyprenet thank you so much for the guide lines. Let me try these and I will get back, if I am unable to proceed. If all goes well, I will post that as an answer (full details) so others can benefit. Long live Skyprenet – DJphy Feb 10 '20 at 11:17
  • @DJphy were you successful on that? – Rafael Padovani Mar 10 '20 at 15:58
  • @RafaelPadovani Never really got a chance to try, because of a lack of tools and info from the organisation. I no longer work for that organisation, so I guess, end of story for carrier apps, for now. But Skyprenet's comments seem to be promising, give it a try. – DJphy Mar 11 '20 at 04:20
0

The Accepted answer is actually not fully correct. In the SIM, there is no concept of root certificate or such things.

All access rules (APK vs APPLET) are stored in ARA-M or ARA-D. Both ARA-M and ARA-D are just separate APPLET only as per Global Spec.

In the access rule, the APK signature and APPLET AID are stored to get the carrierprivilege() grant.

The APK signature means it is the SHA1 (20B) of the actual signature of the APK. Whichever way the APK signature is derived (self-signed or a CA's certificate), the SHA1 will always be different. Hence, all the allowed signatures (SHA) have to be sent to the respective ARA-M. Now, to access ARA-M, you need either side channel keys (ENC, KEK, MAC) to manually send APDUs or an OTA link if it is a real live SIM.

By the way, there is no concept of root certificate of MNO inside SIM. The SIM is still in decade back except in theory of GP and their SCP.
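
Added example, not part of the question or of any answer above: Android's UICC carrier privileges documentation describes each access rule as a REF-AR-DO (tag E2) whose REF-DO (E1) holds the signing certificate's SHA-1 or SHA-256 hash (C1) and an optional package name (CA). The sketch below parses one such rule and checks an app against it; the certificate bytes, package name and rule are constructed samples, and the helper names are hypothetical.

```python
import hashlib

def parse_tlv(data):
    """Parse a run of single-byte-tag BER-TLV objects into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length in (0x81, 0x82):              # long-form length, 1 or 2 bytes
            n = length - 0x80
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV value")
        out.append((tag, data[i:i + length]))
        i += length
    return out

def parse_rule(ref_ar_do):
    """Return (cert_hash, package or None, permission mask) from one REF-AR-DO."""
    (tag, body), = parse_tlv(ref_ar_do)
    if tag != 0xE2:
        raise ValueError("not a REF-AR-DO")
    fields = dict(parse_tlv(body))
    ref_do = dict(parse_tlv(fields[0xE1]))       # REF-DO: who the rule is for
    ar_do = dict(parse_tlv(fields[0xE3]))        # AR-DO: what is granted
    cert_hash = ref_do[0xC1]                     # DeviceAppID-REF-DO
    if len(cert_hash) not in (20, 32):           # SHA-1 or SHA-256 only
        raise ValueError("unexpected hash length")
    pkg = ref_do.get(0xCA)                       # PKG-REF-DO is optional
    return cert_hash, pkg.decode("ascii") if pkg else None, ar_do.get(0xDB)

def rule_matches(ref_ar_do, cert_der, package):
    """True if the app's signing certificate (DER) and package satisfy the rule."""
    cert_hash, pkg, _ = parse_rule(ref_ar_do)
    algo = hashlib.sha1 if len(cert_hash) == 20 else hashlib.sha256
    if algo(cert_der).digest() != cert_hash:
        return False
    return pkg is None or pkg == package

def tlv(tag, value):
    """Encode a short-form TLV (value under 128 bytes); used for the sample only."""
    return bytes([tag, len(value)]) + value

# Constructed sample data: placeholder bytes stand in for a DER certificate.
CERT_DER = b"constructed placeholder, not a real X.509 certificate"
PACKAGE = "com.example.carrierapp"
RULE = tlv(0xE2,
           tlv(0xE1, tlv(0xC1, hashlib.sha1(CERT_DER).digest())
                     + tlv(0xCA, PACKAGE.encode()))
           + tlv(0xE3, tlv(0xDB, bytes(7) + b"\x01")))
```

Because the rule stores only a hash of the certificate, re-signing the app with a different key changes the hash and the rule no longer matches until the SIM is updated.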