src/devices/tech/config/uicc.jd - platform/docs/source.android.com - Git at Google

 page.title=UICC Carrier Privileges
 @jd:body

 <!--
     Copyright 2015 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <div id="qv-wrapper">
   <div id="qv">
     <h2>In this document</h2>
     <ol id="auto-toc">
     </ol>
   </div>
 </div>

 <p>Android 5.1 introduced a new mechanism to grant special privileges for APIs relevant
 to the Universal Integrated Circuit Card (UICC) owner’s apps. The Android platform will load
 certificates stored on a UICC and grant
 permission to apps signed by these certificates to make calls to a handful of
 special APIs. Since carriers have full control of the UICC, this mechanism
 provides a secure and flexible way to manage apps from the Mobile Network
 Operator (MNO) hosted on generic application distribution channels such as
 Google Play but still have special privileges on devices without the need for
 the apps to be signed by the per-device platform certificate or be
 pre-installed as a system app.</p>

 <h2 id=rules_on_uicc>Rules on UICC</h2>

 <p>Storage on the UICC is compatible with the <a
 href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform
 Secure Element Access Control specification</a>. The application identifier
 (AID) on card is A00000015141434C00, and the standard GET DATA command is used
 to fetch rules stored on the card. You may update these rules via card
 over-the-air (OTA) update.  Data hierarchy is as follows (noting the
 two-character letter and number combination in parentheses is the object tag).
 (An extension to spec is under review.)</p>

 <p>Each rule is a REF-AR-DO (E2) and consists of a concatenation of a REF-DO and
 an AR-DO:</p>

 <ul>
   <li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a
 DeviceAppID-REF-DO and a PKG-REF-DO.
   <ul>
     <li>DeviceAppID-REF-DO (C1) stores the SHA1 (20 bytes) or SHA256 (32 bytes)
 signature of the certificate.
     <li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII
 encoded, max length 127 bytes.
   </ul>
   <li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit mask
 representing 64 separate permissions.
 </ul>

 <p>If PKG-REF-DO is not present, any app signed by the certificate will be granted
 access; otherwise both certificate and package name need to match.</p>

 <h3 id=example>Example</h3>

 <p>App name: com.google.android.apps.myapp<br>
 Sha1 of certificate in hex string:</p>
 <pre>
 AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4</pre>

 <p>Rule on UICC in hex string:</p>
 <pre>
 E243 &lt;= 43 is value length in hex
   E135
     C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4
     CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070
   E30A
     DB08 0000000000000001
 </pre>

 <h2 id=enabled_apis>Enabled APIs</h2>

 <p>Currently we support the following APIs, listed below (refer to
 developer.android.com for more details).</p>

 <h3 id=telephonymanager>TelephonyManager</h3>

 <p>API to check whether calling application has been granted carrier privileges:</p>

 <pre>
 <a
 href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()">hasCarrierPrivileges</a>
 </pre>

 <p>APIs for brand and number override:</p>

 <pre>
 setOperatorBrandOverride
 setLine1NumberForDisplay
 setVoiceMailNumber
 </pre>

 <p>APIs for direct UICC communication:</p>

 <pre>
 iccOpenLogicalChannel
 iccCloseLogicalChannel
 iccExchangeSimIO
 iccTransmitApduLogicalChannel
 iccTransmitApduBasicChannel
 sendEnvelopeWithStatus
 </pre>

 <p>API to set device mode to global:</p>

 <pre>
 setPreferredNetworkTypeToGlobal
 </pre>

 <h3 id=smsmanager>SmsManager</h3>

 <p>API allows caller to create new incoming SMS messages:</p>

 <pre>
 injectSmsPdu
 </pre>

 <h4 id=carriermessagingservice>CarrierMessagingService</h4>

 <p>A service that receives calls from the system when new SMS and MMS are
 sent or
 received. To extend this class, you must declare the service in your manifest
 file with the android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE
 permission and include an intent filter with the #SERVICE_INTERFACE action.</p>

 <pre>
 onFilterSms
 onSendTextSms
 onSendDataSms
 onSendMultipartTextSms
 onSendMms
 onDownloadMms
 </pre>

 <h4 id=telephonyprovider>TelephonyProvider</h4>

 <p>Content provider APIs that allow modification to the telephony database, value
 fields are defined at Telephony.Carriers:</p>

 <pre>
 insert, delete, update, query
 </pre>

 <p>See the <a
 href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony
 reference on developer.android.com</a> for additional information.</p>

 <h2 id=android_platform>Android platform</h2>

 <p>On a detected UICC, the platform will construct internal UICC objects that
 include carrier privilege rules as part of the UICC. <a
 href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java">UiccCarrierPrivilegeRules.java</a>
 will load rules, parse them from the UICC card, and cache them in memory. When
 a privilege check is needed, UiccCarrierPrivilegeRules will compare the caller
 certificate with its own rules one by one. If the UICC is removed, rules will
 be destroyed along with the UICC object.</p>

 <h2 id=faq>FAQ</h2>

 <p><strong>How can certificates be updated on the UICC?
 </strong></p>

 <p><em>A: Use existing card OTA update mechanism.
 </em></p>

 <p><strong>Can it co-exist with other rules?
 </strong></p>

 <p><em>A: It’s fine to have other security rules on the UICC under same AID; the
 platform will filter them out automatically.
 </em></p>

 <p><strong>What happens when the UICC is removed for an app that relies on the
 certificates on it?
 </strong></p>

 <p><em>A: The app will lose its privileges because the rules associated with the UICC
 are destroyed on UICC removal.
 </em></p>

 <p><strong>Is there a limit on the number of certificates on the UICC?
 </strong></p>

 <p><em>A: The platform doesn’t limit the number of certificates; but because the check
 is linear, too many rules may incur a latency for check.
 </em></p>

 <p><strong>Is there a limit to number of APIs we can support via this method?
 </strong></p>

 <p><em>A: No, but we limit the scope of APIs to carrier related.
 </em></p>

 <p><strong>Are there some APIs prohibited from using this method? If so, how do you
 enforce them? (ie. Will you have tests to validate which APIs are supported via
 this method?)
 </strong></p>

 <p><em>A: Please refer to the "API Behavioral Compatibility" section of the <a
 href="{@docRoot}compatibility/android-cdd.pdf">Android Compatibility Definition
 Document CDD)</a>. We have some CTS tests to make sure the permission model of
 the APIs is not changed.
 </em></p>

 <p><strong>How does this work with the multi-SIM feature?
 </strong></p>

 <p><em>A: The default SIM that gets set by the user will be used.</em></p>

 <p><strong>Does this in any way interact or overlap with other SE access technologies e.g.
 SEEK?
 <em>A: As an example, SEEK uses the same AID as on the UICC. So the rules co-exist
 and are filtered by either SEEK or UiccCarrierPrivileges.</em>
 </strong></p>

 <p><strong>When is it a good time to check carrier privileges?
 <em>A: After the SIM state loaded broadcast.</em>
 </strong></p>

 <p><strong>Can OEMs disable part of carrier APIs?
 </strong></p>

 <p><em>A: No. We believe current APIs are the minimal set, and we plan to use the bit
 mask for finer granularity control in the future.
 </em></p>

 <p><strong>Does setOperatorBrandOverride override ALL other forms of operator name
 strings? For example, SE13, UICC SPN, network based NITZ, etc.?
 </strong></p>

 <p><em>A: See the SPN entry within TelephonyManager:
 <a
 href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">http://developer.android.com/reference/android/telephony/TelephonyManager.html</a>
 </em></p>

 <p><strong>What does the injectSmsPdu method call do?
 </strong></p>

 <p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu call
 enables the restore function.
 </em></p>

 <p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port filtering? Or
 would carrier apps have access to ALL incoming SMS?
 </strong></p>

 <p><em>A: Carriers have access to all SMS data.</em></p>

 <p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears
 incompatible with the current GP spec (which allows 0 or 20 bytes only) why are
 you introducing this change? Do you not consider SHA-1 to be good enough to
 avoid collisions?  Have you proposed this change to GP already, as this could
 be backwards incompatible with existing ARA-M / ARF?
 </strong></p>

 <p><em>A: For providing future proof security this extension introduces SHA-256 for
 DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option in
 the GP SEAC standard. It is highly recommended to use SHA-256.</em></p>

 <p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all device
 applications not covered by a specific rule?
 </strong></p>

 <p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is
 intended for test purpose and is not recommended for operational deployments.</em></p>

 <p><strong>According to your spec, PKG-REF-DO used just by itself, without
 DeviceAppID-REF-DO, should not be accepted. But it is still described in Table
 6-4 as extending the definition of REF-DO. Is this on purpose? What will be the
 behavior of the code when only a PKG-REF-DO is used in a REF-DO?
 </strong></p>

 <p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was removed
 in the latest version. PKG-REF-DO should only occur in combination with
 DeviceAppID-REF-DO.
 </em></p>

 <p><strong>We assume we can grant access to all carrier-based permissions or have a
 finer-grained control. What will define the mapping between the bit mask and
 the actual permissions then? One permission per class? One permission per
 method specifically? Will 64 separate permissions be enough in the long run?
 </strong></p>

 <p><em>A: This is reserved for the future, and we welcome suggestions.</em></p>

 <p><strong>Can you further define the DeviceAppID for Android specifically? Since this is
 the SHA-1 (20 bytes) hash value of the Publisher certificate used to signed the
 given app, shouldn't the name reflect that purpose? (The name could be
 confusing to many readers as the rule will be applicable then to all apps
 signed with that same Publisher certificate.)
 </strong></p>

 <p><em>A: See the  <a
 href="#rules_on_uicc">Rules on UICC</a> section for details. The deviceAppID storing
 certificates is already supported by the existing spec. We tried to minimize
 spec changes to lower barrier for adoption. </em></p>
	page.title=UICC Carrier Privileges
	@jd:body

	<!--
	Copyright 2015 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<div id="qv-wrapper">
	<div id="qv">
	<h2>In this document</h2>
	<ol id="auto-toc">
	</ol>
	</div>
	</div>

	<p>Android 5.1 introduced a new mechanism to grant special privileges for APIs relevant
	to the Universal Integrated Circuit Card (UICC) owner’s apps. The Android platform will load
	certificates stored on a UICC and grant
	permission to apps signed by these certificates to make calls to a handful of
	special APIs. Since carriers have full control of the UICC, this mechanism
	provides a secure and flexible way to manage apps from the Mobile Network
	Operator (MNO) hosted on generic application distribution channels such as
	Google Play but still have special privileges on devices without the need for
	the apps to be signed by the per-device platform certificate or be
	pre-installed as a system app.</p>

	<h2 id=rules_on_uicc>Rules on UICC</h2>

	<p>Storage on the UICC is compatible with the <a
	href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform
	Secure Element Access Control specification</a>. The application identifier
	(AID) on card is A00000015141434C00, and the standard GET DATA command is used
	to fetch rules stored on the card. You may update these rules via card
	over-the-air (OTA) update. Data hierarchy is as follows (noting the
	two-character letter and number combination in parentheses is the object tag).
	(An extension to spec is under review.)</p>

	<p>Each rule is a REF-AR-DO (E2) and consists of a concatenation of a REF-DO and
	an AR-DO:</p>

	<ul>
	<li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a
	DeviceAppID-REF-DO and a PKG-REF-DO.
	<ul>
	<li>DeviceAppID-REF-DO (C1) stores the SHA1 (20 bytes) or SHA256 (32 bytes)
	signature of the certificate.
	<li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII
	encoded, max length 127 bytes.
	</ul>
	<li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit mask
	representing 64 separate permissions.
	</ul>

	<p>If PKG-REF-DO is not present, any app signed by the certificate will be granted
	access; otherwise both certificate and package name need to match.</p>

	<h3 id=example>Example</h3>

	<p>App name: com.google.android.apps.myapp<br>
	Sha1 of certificate in hex string:</p>
	<pre>
	AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4</pre>

	<p>Rule on UICC in hex string:</p>
	<pre>
	E243 <= 43 is value length in hex
	E135
	C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4
	CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070
	E30A
	DB08 0000000000000001
	</pre>

	<h2 id=enabled_apis>Enabled APIs</h2>

	<p>Currently we support the following APIs, listed below (refer to
	developer.android.com for more details).</p>

	<h3 id=telephonymanager>TelephonyManager</h3>

	<p>API to check whether calling application has been granted carrier privileges:</p>

	<pre>
	<a
	href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()">hasCarrierPrivileges</a>
	</pre>

	<p>APIs for brand and number override:</p>

	<pre>
	setOperatorBrandOverride
	setLine1NumberForDisplay
	setVoiceMailNumber
	</pre>

	<p>APIs for direct UICC communication:</p>

	<pre>
	iccOpenLogicalChannel
	iccCloseLogicalChannel
	iccExchangeSimIO
	iccTransmitApduLogicalChannel
	iccTransmitApduBasicChannel
	sendEnvelopeWithStatus
	</pre>

	<p>API to set device mode to global:</p>

	<pre>
	setPreferredNetworkTypeToGlobal
	</pre>

	<h3 id=smsmanager>SmsManager</h3>

	<p>API allows caller to create new incoming SMS messages:</p>

	<pre>
	injectSmsPdu
	</pre>

	<h4 id=carriermessagingservice>CarrierMessagingService</h4>

	<p>A service that receives calls from the system when new SMS and MMS are
	sent or
	received. To extend this class, you must declare the service in your manifest
	file with the android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE
	permission and include an intent filter with the #SERVICE_INTERFACE action.</p>

	<pre>
	onFilterSms
	onSendTextSms
	onSendDataSms
	onSendMultipartTextSms
	onSendMms
	onDownloadMms
	</pre>

	<h4 id=telephonyprovider>TelephonyProvider</h4>

	<p>Content provider APIs that allow modification to the telephony database, value
	fields are defined at Telephony.Carriers:</p>

	<pre>
	insert, delete, update, query
	</pre>

	<p>See the <a
	href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony
	reference on developer.android.com</a> for additional information.</p>

	<h2 id=android_platform>Android platform</h2>

	<p>On a detected UICC, the platform will construct internal UICC objects that
	include carrier privilege rules as part of the UICC. <a
	href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java">UiccCarrierPrivilegeRules.java</a>
	will load rules, parse them from the UICC card, and cache them in memory. When
	a privilege check is needed, UiccCarrierPrivilegeRules will compare the caller
	certificate with its own rules one by one. If the UICC is removed, rules will
	be destroyed along with the UICC object.</p>

	<h2 id=faq>FAQ</h2>

	<p><strong>How can certificates be updated on the UICC?
	</strong></p>

	<p><em>A: Use existing card OTA update mechanism.
	</em></p>

	<p><strong>Can it co-exist with other rules?
	</strong></p>

	<p><em>A: It’s fine to have other security rules on the UICC under same AID; the
	platform will filter them out automatically.
	</em></p>

	<p><strong>What happens when the UICC is removed for an app that relies on the
	certificates on it?
	</strong></p>

	<p><em>A: The app will lose its privileges because the rules associated with the UICC
	are destroyed on UICC removal.
	</em></p>

	<p><strong>Is there a limit on the number of certificates on the UICC?
	</strong></p>

	<p><em>A: The platform doesn’t limit the number of certificates; but because the check
	is linear, too many rules may incur a latency for check.
	</em></p>

	<p><strong>Is there a limit to number of APIs we can support via this method?
	</strong></p>

	<p><em>A: No, but we limit the scope of APIs to carrier related.
	</em></p>

	<p><strong>Are there some APIs prohibited from using this method? If so, how do you
	enforce them? (ie. Will you have tests to validate which APIs are supported via
	this method?)
	</strong></p>

	<p><em>A: Please refer to the "API Behavioral Compatibility" section of the <a
	href="{@docRoot}compatibility/android-cdd.pdf">Android Compatibility Definition
	Document CDD)</a>. We have some CTS tests to make sure the permission model of
	the APIs is not changed.
	</em></p>

	<p><strong>How does this work with the multi-SIM feature?
	</strong></p>

	<p><em>A: The default SIM that gets set by the user will be used.</em></p>

	<p><strong>Does this in any way interact or overlap with other SE access technologies e.g.
	SEEK?
	<em>A: As an example, SEEK uses the same AID as on the UICC. So the rules co-exist
	and are filtered by either SEEK or UiccCarrierPrivileges.</em>
	</strong></p>

	<p><strong>When is it a good time to check carrier privileges?
	<em>A: After the SIM state loaded broadcast.</em>
	</strong></p>

	<p><strong>Can OEMs disable part of carrier APIs?
	</strong></p>

	<p><em>A: No. We believe current APIs are the minimal set, and we plan to use the bit
	mask for finer granularity control in the future.
	</em></p>

	<p><strong>Does setOperatorBrandOverride override ALL other forms of operator name
	strings? For example, SE13, UICC SPN, network based NITZ, etc.?
	</strong></p>

	<p><em>A: See the SPN entry within TelephonyManager:
	<a
	href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">http://developer.android.com/reference/android/telephony/TelephonyManager.html</a>
	</em></p>

	<p><strong>What does the injectSmsPdu method call do?
	</strong></p>

	<p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu call
	enables the restore function.
	</em></p>

	<p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port filtering? Or
	would carrier apps have access to ALL incoming SMS?
	</strong></p>

	<p><em>A: Carriers have access to all SMS data.</em></p>

	<p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears
	incompatible with the current GP spec (which allows 0 or 20 bytes only) why are
	you introducing this change? Do you not consider SHA-1 to be good enough to
	avoid collisions? Have you proposed this change to GP already, as this could
	be backwards incompatible with existing ARA-M / ARF?
	</strong></p>

	<p><em>A: For providing future proof security this extension introduces SHA-256 for
	DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option in
	the GP SEAC standard. It is highly recommended to use SHA-256.</em></p>

	<p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all device
	applications not covered by a specific rule?
	</strong></p>

	<p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is
	intended for test purpose and is not recommended for operational deployments.</em></p>

	<p><strong>According to your spec, PKG-REF-DO used just by itself, without
	DeviceAppID-REF-DO, should not be accepted. But it is still described in Table
	6-4 as extending the definition of REF-DO. Is this on purpose? What will be the
	behavior of the code when only a PKG-REF-DO is used in a REF-DO?
	</strong></p>

	<p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was removed
	in the latest version. PKG-REF-DO should only occur in combination with
	DeviceAppID-REF-DO.
	</em></p>

	<p><strong>We assume we can grant access to all carrier-based permissions or have a
	finer-grained control. What will define the mapping between the bit mask and
	the actual permissions then? One permission per class? One permission per
	method specifically? Will 64 separate permissions be enough in the long run?
	</strong></p>

	<p><em>A: This is reserved for the future, and we welcome suggestions.</em></p>

	<p><strong>Can you further define the DeviceAppID for Android specifically? Since this is
	the SHA-1 (20 bytes) hash value of the Publisher certificate used to signed the
	given app, shouldn't the name reflect that purpose? (The name could be
	confusing to many readers as the rule will be applicable then to all apps
	signed with that same Publisher certificate.)
	</strong></p>

	<p><em>A: See the <a
	href="#rules_on_uicc">Rules on UICC</a> section for details. The deviceAppID storing
	certificates is already supported by the existing spec. We tried to minimize
	spec changes to lower barrier for adoption. </em></p>