How to Access Secure Element without rooting a dev

2019-04-10 10:33发布

问题:

The SEEK-for-Android documentation says that listed devices support the SmartCard API.

I want to access a SIM-based secure element (SE) through my Android application. Can I achieve this without rooting any of these supported devices and without rebuilding its Android system image? In my case, the device is a Samsung Galaxy S3.

回答1:

Yes, you can use SEEK-for-Android without rooting the system. However, this technology is very device-dependent; some vendor specific libraries must be present in the system. It worked fine for me with Sony Xperia with no necessary changes. After adding some libraries (the Samsung company did it on our demand), Samsung phones were OK, too.

The only thing you have to do is to build your application with a special SDK. Use SDK Open Mobile API by Giesecke & Devrient GmbH and declare the org.simalliance.openmobileapi library in the manifest XML:

<application android:label="@string/app_name">

    <uses-library android:name="org.simalliance.openmobileapi" android:required="true" />

    <activity android:name=".MainActivity">
      ...
    </activity>
</application>

Have a look at this tutorial: https://github.com/seek-for-android/pool/wiki/UsingSmartCardAPI. I followed it and I succeeded.



回答2:

As of today, several smartphones (particularly those from Samsung and Sony) ship with the Open Mobile API (as implemented by SEEK-for-Android) for access to at least UICC/SIM based secure elements (some may provide access to other types of secure elements too). The stock ROM of the Galaxy S3, for instance, does contain the Open Mobile API which can be used to access the UICC.

The Open Mobile API is accessible through the package org.simalliance.openmobileapi. Hence, in order to use the Open Mobile API, you would just need to compile your project against this library (see this explanation). But be careful not to include that library into your APK file, as the implementations on devices often slightly differ from what you get by the SEEK-for-Android project.

Note that alternative/custom ROMs (e.g. CyanogenMod) usually do not include the Open Mobile API, even for those platforms where the stock ROM does. For the S3, you can find a tutorial on how to include the necessary adaptions into CyanogenMod here.

So far this gives you access to the Open Mobile API. However, in order to actually access applications on the UICC, your Android app needs to pass the access control mechanisms of the Open Mobile API. See this explanation. Usually, the stock ROM implementations prefer the access rule file base approach over the ARA applet mechanism. So you have to properly configure those access rules on the UICC/SIM card.



回答3:

There are two dependencies for working connection between Android APK and UICC/SIM card.

  1. ROM or OS of your phone should support org.simalliance.openmobileapi
  2. UICC/SIM should support PKCS#15 application

This ensures not anyone can access the files / services from UICC/SIM. As rightly said in one of the above answers, we would need permissions from owners of UICC/SIM to allow our application to reside to it.

PKCS#15 specifications are published by GlobalPlatform and are available for free of cost (after nominal registration)