FORUMS
Remove All Ads from XDA

[MOD][XPOSED][OMAPI] Override SIM Secure Element Access Control

232 posts
Thanks Meter: 391
 
Post Reply Email Thread
Hi!

This module may be mainly interesting for developers. This module alone does nothing if not properly used together or within another app. Only use it if you know what you are doing.

Overview:
I created a Xposed module which overrides the Access Rule Checks within the SIMalliance Open Mobile API. These checks normally determine which app is allowed to access a SIM-card based Secure Element (SE) and which is not. Normally within the Secure Element (SIM card) there exists a special "Access Rule File" (also called "ARF") or a special card applet called "Access Rule Application Master" (also called "ARA-M") which has the AID A00000015141434C00) and (basically) contains application signatures and according access rules. So the maintainer of the Secure Element can define (and also update) the access rules with these mechanisms: which app is allowed to access the SE and which not. (see reference [1] for details below).

So while the access rules are securely stored in the hardware module (SE) the enforcement of these rules is done in software (within the Open Mobile "SmartcardService.apk"). And this is where this Xposed module hooks into. By using this module (or by integrating it into your app) you may access the SIM-card-based Secure Element with your app, even if the access rules within the SE would not allow it.

Here's the code:
https://github.com/johnzweng/XposedO...eSEAccessRules


This module does not globally disable the access rule checks but instead only grants full access to a single package name (app) which you manually have to define in code as TARGET_APPLICATION_PACKAGE_NAME.


More details and background story:
A few months ago the banks here in Austria started to roll out NFC-based tap'n'pay solutions which allow you to pay with your Android smartphone worldwide at every NFC-capable payment terminal. In contrast to Android Pay this is not a cloud-based software solution (using Host Card Emulation) but instead really uses a hardware-based secure element (like the chips used within EMV (chip'n'pin) plastic NFC banking cards). Austrian Banks decided to use Secure Elements located within the SIM-card (which is basically the same technology as your banking-card chip) so they don't need cooperations with all the phone manufacturers (and also not with Google), but only with the three mobile network operators (MNOs) here in Austria (which control all the SIM cards).

Unfortunately Google has not included an API in current Android which allows accessing SIM-card-based Secure Elements from an app (I guess they don't want banks and MNOs to develop their own independent payment solutions but instead want to push Android Pay). For this reason one of the largest smartcard manufacturers (Giesecke & Devrient - G&D) started to work on a third-party system API which is nowadays known as SIMalliance OpenMobile API (OMAPI). The SIMalliance is a group of industry players which want to push the use of Secure Elements in mobile phones. See also: Members of SIMalliance.

As this API is not part of official Android API the phone manufacturers (OEMs) have to include this API additionally on the phones. A lot of manufacturers do this already. You can check on your phone if this 3rd-party API exists by looking for these files:
  • /system/etc/permissions/org.simalliance.openmobileapi.xml
  • /system/framework/org.simalliance.openmobileapi.jar
  • /system/priv-app/SmartcardService/ (which hosts "SmartcardService.apk")
  • (and optionally in newer versions: /system/priv-app/UiccTerminal/)

As Google currently doesn't support this type of access to the SIM-card Secure Element you will not find this API on the Nexus phones. One exception was the Nexus 6 running Lollipop where Google included the SIMalliance Open Mobile API because they supported the Softcard (formerly Isis Mobile) wallet. After Google has acquired Softcard in 2015 they removed again the OpenMobile API from Nexus 6 in Android 6.

As I personally used a LG Nexus 5 and now use the Motorola Nexus 6 I started to work on integrating the Open Mobile API myself (which should be possible now on every phone since Android Lollipop (API level 21) as the TelephonyManager system class has got a few interesting new methods including one for sending APDUs over a logical channel to the SIM card: iccOpenLogicalChannel(String AID). As every phone running Android 5 or newer must implement this API you now can get the OMAPI working on every phone running Android 5 or newer (with minor restrictions). (Also the phone needs to have a special hardware wiring between the SIM card and the NFC chip - see "Single Wire Protocol" for details - to get a NFC payment working). But this is a different story which doesn't belong in this thread. For the interested, look at my Github repo which contains a fork of OMAPI working on unmodified Android versions (and two pre-built releases for OMAPI 2.05 and OMAPI 3.0 under the "releases" section - including a short How-To). This worked for me on a Nexus 5 and a Nexus 6.

But back to this topic:
After I had worked out the integration of OMAPI into Android 6.0.1 I finally was able to use tap'n'pay with my Nexus 6 using the banking card within my SIM card Secure Element. But as I am curious I was also interested in exploring my banking-card within the SIM Secure Element using a self-written app. This was when I realized that there is some kind of access control within the Secure Element which blocks my own test-app but not the app of my bank. (See reference [1] for details on these access rules.) To circumvent this I wrote this Xposed module and voilá, now we also have the possibility to talk with the Secure Element over OMAPI.


Final notes:
  • This Xposed module will only work if your device has the SIMalliance Open Mobile API (OMAPI) installed
  • This Xposed module may not work if the OMAPI on your device has been compiled using code obfuscation or was modified otherwise by your phone OEM (as the OMAPI is not part of official Android, every OEM may include its own version)
  • This Xposed module also may not work on other versions of OMAPI (it was tested with OMAPI v2.05 and should also work with OMAPI V3.0)

I hope this might be useful for someone. Have a nice day.


References:
[1] GlobalPlatform Device Technology - Secure Element Access Control (PDF)
[2] Open Mobile API specification - V2.05 (PDF)
[3] Open Mobile API specification - V3.0 (PDF)
[4] my Github repository for this Xposed module: XposedOMAPIOverrideSEAccessRules
[5] my Github repository with OMAPI fork for working on unmodified Android 5 or newer
The Following 6 Users Say Thank You to androcheck For This Useful Post: [ View ] Gift androcheck Ad-Free
 
 
7th January 2016, 08:27 AM |#2  
Junior Member
Thanks Meter: 2
 
More
I'm very impressed! Love your 'investigations'
5th April 2016, 06:46 PM |#3  
Member
Thanks Meter: 13
 
More
I installed OMAPI 2.05 with adb on my xperia sp with cyanogenmod 13 (android 6.0.1).
After that I installed the elba-pay app, but it's not working. May you help me?
6th April 2016, 12:05 PM |#4  
Quote:
Originally Posted by polo_joe

I installed OMAPI 2.05 with adb on my xperia sp with cyanogenmod 13 (android 6.0.1).
After that I installed the elba-pay app, but it's not working. May you help me?

Hi polo_joe:
This doesn't directly match the topic of this thread. But send me a PM then we can continue to communicate on a different channel (email, etc.). Most interesting would be a output of "logcat":

On your computer enter the command: "adb logcat -v time > logcat_debug.txt" in a terminal window then try to start the ELBA Pay app and afterwards look in the "logcat_debug.txt" logfile for errors.

john
6th April 2016, 12:41 PM |#5  
Member
Thanks Meter: 13
 
More
Quote:
Originally Posted by androcheck

Hi polo_joe:
This doesn't directly match the topic of this thread. But send me a PM then we can continue to communicate on a different channel (email, etc.). Most interesting would be a output of "logcat":

On your computer enter the command: "adb logcat -v time > logcat_debug.txt" in a terminal window then try to start the ELBA Pay app and afterwards look in the "logcat_debug.txt" logfile for errors.

john

thanks, will do!
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes