0

I found some interesting methods in the TelephonyManager class, like turning mobile data off/on, but when trying to use them it obviously throws me a security exception ("No carrier privilege"). I Googled it, but didn't find any helpful solution. Because it's a carrier privilege, I thought it may be possible to get its permission by telephonyManager.getIccAuthentication(int appType, int authType, String data), but I'm having problems with the input parameters because I can't figure out what I should pass in to make it work.

From the documentation, for the first parameter I would pass TelephonyManager.APPTYPE_SIM and/or TelephonyManager.APPTYPE_USIM, depending on whether it has much meaning when using setDataEnabled(boolean). If I pass TelephonyManager.APPTYPE_SIM as the first argument, I think I should pass TelephonyManager.AUTHTYPE_EAP_SIM as the second argument (correct me if I'm wrong), and vice versa: with TelephonyManager.APPTYPE_USIM as the first, TelephonyManager.AUTHTYPE_EAP_AKA as the second one.

And then there is the third argument. It must be a Base64-encoded string. I found in TelephonyProvider this line of code: String base64Challenge = Base64.encodeToString(byteParam, Base64.NO_WRAP); where byteParam is an input byte from another method which is preceded by thousands of other methods. If I pass "" as the third parameter to the getIccAuthentication method I again get a SecurityException (obviously, it's a wrong param), but it reports a lack of getIccSimChallengeResponse. I'm afraid it may be an infinite loop of methods, but maybe someone has an idea or can help me break through this?

My sample code:

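import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.telephony.TelephonyManager;
import android.util.Log;
import android.view.View;
import android.widget.Button;

import androidx.annotation.Nullable;
import androidx.annotation.RequiresApi;
import androidx.appcompat.app.AppCompatActivity;

import java.io.IOException;

public class MainActivity extends AppCompatActivity {

    private static final String TAG = MainActivity.class.getSimpleName();

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button button = (Button) findViewById(R.id.buttonPanel);
        button.setOnClickListener(new View.OnClickListener() {
            @RequiresApi(api = Build.VERSION_CODES.O)
            @Override
            public void onClick(View view) {
                try {
                    // Starts a separate "su" process; tel() still runs in the app's own process.
                    Process p = Runtime.getRuntime().exec("su");
                    tel();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        });
    }

    @RequiresApi(api = Build.VERSION_CODES.O)
    private void tel() {
        // String base64Challenge = Base64.encodeToString(, Base64.NO_WRAP);
        TelephonyManager telephonyManager =
                (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
        boolean isCarrier = telephonyManager.hasCarrierPrivileges();
        // Throws SecurityException when the app has neither the permission nor carrier privileges.
        String authentication = telephonyManager.getIccAuthentication(
                TelephonyManager.APPTYPE_SIM, TelephonyManager.AUTHTYPE_EAP_SIM, "");
        // String.valueOf guards against a null response, which Log.v would reject.
        Log.v(TAG, String.valueOf(authentication));
        if (isCarrier) {
            Log.v(TAG, "privs granted");
            telephonyManager.setDataEnabled(false);
        } else {
            Log.v(TAG, "no privileges");
        }
    }
}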
Domin

1 Answer

2

From the docs:

Requires Permission: READ_PRIVILEGED_PHONE_STATE or that the calling app has carrier privileges (see hasCarrierPrivileges()).

The first of those requires you to be installed as a privileged system app (requires root or owning the system certificate). The second requires your UID to be the carrier's. Without that no combo of parameters will work.

Marcin Orlowski
Gabe Sechan
  • Okay, I have a rooted device, asking for root permissions by simply executing the "su" command. But what further? – Domin Oct 02 '18 at 20:44
  • The app doesn't need root, it needs to be installed in the system privileged apps directory (uninstall it, adb push the apk to the proper location, reboot device). Then it can call that function, as long as the READ_PRIVILEGED_PHONE_STATE permission is requested. However that will probably not be sufficient as it looks like the 3rd parameter is a base64 password that gets verified by a physical SIM card in the device. – Gabe Sechan Oct 02 '18 at 20:48
  • Okay, thank you for the explanation. So all I need to have is a generated base64 password that's verified by the SIM card, yes? Is this password a constant or is it generated differently for each device? – Domin Oct 03 '18 at 07:47
  • Not sure. My guess would be device or telecom account specific and the SIM verifies it with data it downloaded at setup. A constant would be too easily cracked. – Gabe Sechan Oct 03 '18 at 07:51
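
The precondition quoted from the docs in the answer above, written as a guard that runs before getIccAuthentication is called. This is an added example, not code from the question or the answer; the class name CarrierGate and the caller-supplied challenge bytes are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.telephony.TelephonyManager;
import android.util.Base64;
import android.util.Log;
import androidx.annotation.Nullable;
import androidx.annotation.RequiresApi;

// Hypothetical helper (not from the page): gate the call on the app's own privileges.
@RequiresApi(api = Build.VERSION_CODES.N)
public final class CarrierGate {
    private static final String TAG = "CarrierGate";
    // The Manifest.permission constant is hidden from the public SDK, so the
    // permission name from the docs is written out as a string literal.
    private static final String READ_PRIVILEGED_PHONE_STATE =
            "android.permission.READ_PRIVILEGED_PHONE_STATE";

    private CarrierGate() {}

    // Both checks are evaluated for this app's own UID. A root shell started with
    // Runtime.exec("su") is a separate process and does not change either result.
    public static boolean mayAuthenticate(Context ctx, TelephonyManager tm) {
        boolean privileged = ctx.checkSelfPermission(READ_PRIVILEGED_PHONE_STATE)
                == PackageManager.PERMISSION_GRANTED;
        return privileged || tm.hasCarrierPrivileges();
    }

    // Returns the Base64 response from the SIM, or null when the call is not allowed.
    // Assumption: 'challenge' holds raw challenge bytes obtained by the caller elsewhere.
    @Nullable
    public static String authenticate(Context ctx, int appType, int authType, byte[] challenge) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        if (tm == null || !mayAuthenticate(ctx, tm)) {
            Log.w(TAG, "No READ_PRIVILEGED_PHONE_STATE and no carrier privileges; skipping call");
            return null;
        }
        // Same encoding as the line quoted in the question: Base64 without line wraps.
        String data = Base64.encodeToString(challenge, Base64.NO_WRAP);
        try {
            return tm.getIccAuthentication(appType, authType, data);
        } catch (SecurityException e) {
            Log.w(TAG, "Platform rejected the call despite the pre-check", e);
            return null;
        }
    }
}
```

Called with TelephonyManager.APPTYPE_USIM and TelephonyManager.AUTHTYPE_EAP_AKA from an ordinary user-installed app, the guard returns null without reaching the telephony service, which is the situation the question describes.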