Open Mobile API: Accessing the UICC on Android Devices

📝 Abstract

This report gives an overview of secure element integration into Android devices. It focuses on the Open Mobile API as an open interface to access secure elements from Android applications. The overall architecture of the Open Mobile API is described and current Android devices are analyzed with regard to the availability of this API. Moreover, this report summarizes our efforts of reverse engineering the stock ROM of a Samsung Galaxy S3 in order to analyze the integration of the Open Mobile API and the interface that is used to perform APDU-based communication with the UICC (Universal Integrated Circuit Card). It further provides a detailed explanation on how to integrate this functionality into CyanogenMod (an after-market firmware for Android devices).

💡 Analysis

This report gives an overview of secure element integration into Android devices. It focuses on the Open Mobile API as an open interface to access secure elements from Android applications. The overall architecture of the Open Mobile API is described and current Android devices are analyzed with regard to the availability of this API. Moreover, this report summarizes our efforts of reverse engineering the stock ROM of a Samsung Galaxy S3 in order to analyze the integration of the Open Mobile API and the interface that is used to perform APDU-based communication with the UICC (Universal Integrated Circuit Card). It further provides a detailed explanation on how to integrate this functionality into CyanogenMod (an after-market firmware for Android devices).

📄 Content

Technical Report Open Mobile API: Accessing the UICC on Android Devices Michael Roland University of Applied Sciences Upper Austria Josef Ressel Center u’smile michael.roland@fh-hagenberg.at Michael Hölzl Johannes Kepler University Linz Institute of Networks and Security hoelzl@ins.jku.at Abstract This report gives an overview of secure element integration into Android devices. It focuses on the Open Mobile API as an open interface to access secure elements from Android applications. The overall architecture of the Open Mobile API is described and current Android devices are ana- lyzed with regard to the availability of this API. Moreover, this report summa- rizes our efforts of reverse engineering the stock ROM of a Samsung Galaxy S3 in order to analyze the integration of the Open Mobile API and the in- terface that is used to perform APDU-based communication with the UICC (Universal Integrated Circuit Card). It further provides a detailed explanation on how to integrate this functionality into CyanogenMod (an after-market firmware for Android devices). This work has been carried out within the scope of “u’smile”, the Josef Ressel Center for User-Friendly Secure Mobile Environments, funded by the Chris- tian Doppler Gesellschaft, A1 Telekom Austria AG, Drei-Banken-EDV GmbH, LG Nexera Business Solutions AG, NXP Semiconductors Austria GmbH, and Österreichische Staatsdruckerei GmbH in cooperation with the Institute of Net- works and Security at the Johannes Kepler University Linz. Moreover, this work has been carried out in close cooperation with the project “High Speed RFID” within the EU programme “Regionale Wettbewerbsfähigkeit OÖ 2007–2013 (Regio 13)” funded by the European Regional Development Fund (ERDF) and the Province of Upper Austria (Land Oberösterreich). Revision 1.0 January 11, 2016 | 3 Contents

1. Introduction 5
2. Secure Element Integration 7 2.1 Embedded Secure Element . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Universal Integrated Circuit Card (UICC) . . . . . . . . . . . . . . . 9 2.3 Micro SD Card (smartSD/ASSD) . . . . . . . . . . . . . . . . . . . . 10
3. Open Mobile API 13 3.1 Overall Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.2 Secure Element Access Control . . . . . . . . . . . . . . . . . . . . . 14 3.3 An Implementation: SEEK-for-Android Smartcard API . . . . . . . . 15 3.4 Secure Element Provider Interface before Version 4.0.0 . . . . . . . . 17 3.4.1 Integration as Compiled-In Terminal . . . . . . . . . . . . . . 17 3.4.2 Integration as Add-On Terminal . . . . . . . . . . . . . . . . 17 3.4.3 Interface Methods . . . . . . . . . . . . . . . . . . . . . . . . 17 3.5 Secure Element Provider Interface since Version 4.0.0 . . . . . . . . . 19 3.5.1 Service Interface . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.5.2 Differentiation between System and Add-on Terminals . . . . 21 3.6 Availability in Devices . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4. Reverse-Engineering Android Applications 25 4.1 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 4.2 Using the Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.2.1 Downloading Files from the Device . . . . . . . . . . . . . . . 26 4.2.2 Preparing the Framework Files . . . . . . . . . . . . . . . . . 27 4.2.3 De-optimizing Dalvik Executables . . . . . . . . . . . . . . . . 27 4.2.4 Unpacking Application Packages . . . . . . . . . . . . . . . . 28 4.2.5 Converting Dalvik Bytecode to Java Bytecode . . . . . . . . . 28 4.2.6 Decompiling Java Bytecode . . . . . . . . . . . . . . . . . . . 28 4.3 Interpreting Decompiled Code: Results . . . . . . . . . . . . . . . . . 28
5. SEEK on the Galaxy S3 33 5.1 Open Mobile API Framework . . . . . . . . . . . . . . . . . . . . . . 33 5.2 Smartcard System Service . . . . . . . . . . . . . . . . . . . . . . . . 33 5.3 UICC Terminal Interface . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.4 Telephony System Service . . . . . . . . . . . . . . . . . . . . . . . . 35 5.4.1 RIL_REQUEST_OEM_HOOK_RAW . . . . . . . . . . . . 36 5.4.2 Getting the Answer-to-Reset . . . . . . . . . . . . . . . . . . 37 5.4.3 Opening a Logical Channel . . . . . . . . . . . . . . . . . . . 37 5.4.4 Closing a Logical Channel . . . . . . . . . . . . . . . . . . . . 37 5.4.5 Exchanging an APDU Command on the Basic Channel . . . . 38 5.4.6 Exchanging an APDU Command on a Logical Channel . . . . 38 4 | OPEN MOBILE API: ACCESSING THE UICC ON ANDROID DEVICES
6. Adding UICC Terminal Support to CyanogenMod 41 6.1 CyanogenMod 11.0 for the Samsung Galaxy S3 . . . . . . . . . . . . 41 6.2 Patches to Include SEEK-for-Android . . . . . . . . . . . . . . . . . . 42 6.3 Enabling UICC Access through SEEK . . . . . . . . . . . . . . . . . 43 6.3.1 Radio Interface Layer . . . . . . . . . . . . . . . . . . . . . . 43 6.3.2 Telephony System Service . . . . . . . . . . . . . . . . . . . . 48 6.3.3 Smartcard System Service . . . . . . . . . .

This content is AI-processed based on ArXiv data.