1 page.title=UICC Carrier Privileges 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p>Android 5.1 introduced a mechanism to grant special privileges for APIs 28 relevant to the Universal Integrated Circuit Card (UICC) owners apps. The 29 Android platform loads certificates stored on a UICC and grants permission to 30 apps signed by these certificates to make calls to a handful of special APIs. 31 </p> 32 <p>Android 7.0 extends this feature to support other storage sources, such as 33 Access File Rule (ARF), for UICC carrier privilege rules, dramatically 34 increasing the number of carriers that can use the APIs. For an API reference, 35 see <a href="#carrierconfigmanager">CarrierConfigManager</a>; for instructions, 36 see <a href="{@docRoot}devices/tech/config/carrier.html">Carrier 37 Configuration</a>.</p> 38 39 <p>Since carriers have full control of the UICC, this mechanism provides a 40 secure and flexible way to manage apps from the Mobile Network Operator (MNO) 41 hosted on generic application distribution channels (such as Google Play) while 42 retaining special privileges on devices and without the need to sign apps with 43 the per-device platform certificate or pre-install as a system app.</p> 44 45 <h2 id=rules_on_uicc>Rules on UICC</h2> 46 47 <p>Storage on the UICC is compatible with the 48 <a href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform 49 Secure Element Access Control specification</a>. The application identifier 50 (AID) on card is <code>A00000015141434C00</code>, and the standard GET DATA 51 command is used to fetch rules stored on the card. You may update these rules 52 via card over-the-air (OTA) update.</p> 53 54 <h3 id=data_hierarchy>Data hierarchy</h3> 55 <p>UICC rules use the following data hierarchy (the two-character letter and 56 number combination in parentheses is the object tag). Each rule is a REF-AR-DO 57 (E2) and consists of a concatenation of a REF-DO and an AR-DO:</p> 58 59 <ul> 60 <li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a 61 DeviceAppID-REF-DO and a PKG-REF-DO. 62 <ul> 63 <li>DeviceAppID-REF-DO (C1) stores the SHA-1 (20 bytes) or SHA-256 (32 bytes) 64 signature of the certificate. 65 <li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII 66 encoded, max length 127 bytes. 67 </ul></li> 68 <li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit 69 mask representing 64 separate permissions.</li> 70 </ul> 71 72 <p>If PKG-REF-DO is not present, any app signed by the certificate is granted 73 access; otherwise both certificate and package name need to match.</p> 74 75 <h3 id=rule_example>Rule example</h3> 76 <p>The application name is <code>com.google.android.apps.myapp</code> and the 77 SHA-1 certificate in hex string is:</p> 78 <pre>AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4</pre> 79 80 <p>The rule on UICC in hex string is:</p> 81 <pre> 82 E243 <= 43 is value length in hex 83 E135 84 C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4 85 CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070 86 E30A 87 DB08 0000000000000001 88 </pre> 89 90 <h2 id=arf>Access Rule File (ARF) support</h2> 91 <p>Android 7.0 adds support for reading carrier privilege rules from the Access 92 Rule File (ARF).</p> 93 <p>The Android platform first attempts to select the Access Rule Applet (ARA) 94 application identifier (AID) <code>A00000015141434C00</code>. If it doesn't find 95 the AID on the Universal Integrated Circuit Card (UICC), it falls back to ARF by 96 selecting PKCS15 AID <code>A000000063504B43532D3135</code>. Android then reads 97 Access Control Rules File (ACRF) at <code>0x4300</code> and looks for entries 98 with AID <code>FFFFFFFFFFFF</code>. Entries with different AIDs are ignored, so 99 rules for other use cases can co-exist.</p> 100 <p>Example ACRF content in hex string:</p> 101 <pre>30 10 A0 08 04 06 FF FF FF FF FF FF 30 04 04 02 43 10</pre> 102 103 <p>Example Access Control Conditions File (ACCF) content:</p> 104 <pre>30 16 04 14 61 ED 37 7E 85 D3 86 A8 DF EE 6B 86 4B D8 5B 0B FA A5 AF 81 105 </pre> 106 107 <p>In above example, <code>0x4310</code> is the address for ACCF, which contains 108 the certificate hash 109 <code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. Apps 110 signed by this certificate are granted carrier privileges.</p> 111 112 <h2 id=enabled_apis>Enabled APIs</h2> 113 114 <p>Android supports the following APIs.</p> 115 116 <h3 id=telephonymanager>TelephonyManager</h3> 117 118 <ul> 119 <li>API to allow the carrier application to ask UICC for a challenge/response: 120 <a href="https://developer.android.com/reference/android/telephony/TelephonyManager.html#getIccAuthentication(int,%20int,%20java.lang.String)"><code>getIccAuthentication</code></a>. 121 </li> 122 123 <li>API to check whether calling application has been granted carrier 124 privileges: 125 <a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()"><code>hasCarrierPrivileges</code></a>. 126 </li> 127 128 <li>APIs to override brand and number: 129 <ul> 130 <li><code>setOperatorBrandOverride</code></li> 131 <li><code>setLine1NumberForDisplay</code></li> 132 <li><code>setVoiceMailNumber</code></li> 133 </ul></li> 134 135 <li>APIs for direct UICC communication: 136 <ul> 137 <li><code>iccOpenLogicalChannel</code></li> 138 <li><code>iccCloseLogicalChannel</code></li> 139 <li><code>iccExchangeSimIO</code></li> 140 <li><code>iccTransmitApduLogicalChannel</code></li> 141 <li><code>iccTransmitApduBasicChannel</code></li> 142 <li><code>sendEnvelopeWithStatus</code></li> 143 </ul></li> 144 145 <li>API to set device mode to global: 146 <code>setPreferredNetworkTypeToGlobal</code>.</li> 147 </ul> 148 149 <h3 id=smsmanager>SmsManager</h3> 150 151 <p>API to allow caller to create new incoming SMS messages: 152 <code>injectSmsPdu</code>.</p> 153 154 <h3 id=carrierconfigmanager>CarrierConfigManager</h3> 155 156 <p>API to notify configuration changed: 157 <code>notifyConfigChangedForSubId</code>. For instructions, see 158 <a href="{@docRoot}devices/tech/config/carrier.html">Carrier Configuration</a>. 159 </p> 160 161 <h3 id=carriermessagingservice>CarrierMessagingService</h3> 162 163 <p>Service that receives calls from the system when new SMS and MMS are sent 164 or received. To extend this class, declare the service in your manifest file 165 with the <code>android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE</code> 166 permission and include an intent filter with the <code>#SERVICE_INTERFACE</code> 167 action. APIs include:</p> 168 <ul> 169 <li><code>onFilterSms</code></li> 170 <li><code>onSendTextSms</code></li> 171 <li><code>onSendDataSms</code></li> 172 <li><code>onSendMultipartTextSms</code></li> 173 <li><code>onSendMms</code></li> 174 <li><code>onDownloadMms</code></li> 175 </ul> 176 177 <h3 id=telephonyprovider>TelephonyProvider</h3> 178 179 <p>Content provider APIs to allow modifications (insert, delete, update, query) 180 to the telephony database. Values fields are defined at 181 <a href="https://developer.android.com/reference/android/provider/Telephony.Carriers.html"><code>Telephony.Carriers</code></a>; 182 for more details, refer to 183 <a href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony</a> 184 API reference on developer.android.com.</p> 185 186 <h2 id=android_platform>Android platform</h2> 187 188 <p>On a detected UICC, the platform will construct internal UICC objects that 189 include carrier privilege rules as part of the UICC. 190 <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java"><code>UiccCarrierPrivilegeRules.java</code></a> 191 loads rules, parses them from the UICC card, and caches them in memory. When 192 a privilege check is needed, <code>UiccCarrierPrivilegeRules</code> compares the 193 caller certificate with its own rules one by one. If the UICC is removed, rules 194 are destroyed along with the UICC object.</p> 195 196 <h2 id=validation>Validation</h2> 197 <p>The Android 7.0 CTS includes tests for carrier APIs in 198 <code>CtsCarrierApiTestCases.apk</code>. Because this feature depends on 199 certificates on the UICC, you must prepare the UICC to pass these tests.</p> 200 201 <h3 id=prepare_uicc>Preparing the UICC</h3> 202 <p>By default, <code>CtsCarrierApiTestCases.apk</code> is signed by Android 203 developer key, with hash value 204 <code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. The 205 tests also print out the expected certificate hash if certificates on UICC 206 mismatch.</p> 207 <p>Example output:</p> 208 <pre> 209 junit.framework.AssertionFailedError: This test requires a SIM card with carrier privilege rule on it. 210 Cert hash: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81 211 </pre> 212 213 <p>You may need a developer UICC to update it with the correct applet and 214 certificate rules. However, the UICC does not require active cellular service to 215 pass CTS tests.</p> 216 217 <h3 id=run_tests>Running tests</h3> 218 <p>For convenience, the Android 7.0 CTS supports a device token that restricts 219 tests to run only on devices configured with same token. Carrier API CTS tests 220 support the device token <code>sim-card-with-certs</code>. For example, the 221 following device token restricts carrier API tests to run only on device 222 <code>abcd1234</code>:</p> 223 <pre>cts-tradefed run cts --device-token abcd1234:sim-card-with-certs</pre> 224 225 <p>When running a test without using a device token, the test runs on all 226 devices.</p> 227 228 <h2 id=faq>FAQ</h2> 229 230 <p><strong>How can certificates be updated on the UICC?</strong></p> 231 232 <p><em>A: Use existing card OTA update mechanism.</em></p> 233 234 <p><strong>Can it co-exist with other rules?</strong></p> 235 236 <p><em>A: Its fine to have other security rules on the UICC under same AID; the 237 platform will filter them out automatically.</em></p> 238 239 <p><strong>What happens when the UICC is removed for an app that relies on the 240 certificates on it?</strong></p> 241 242 <p><em>A: The app will lose its privileges because the rules associated with the 243 UICC are destroyed on UICC removal.</em></p> 244 245 <p><strong>Is there a limit on the number of certificates on the UICC?</strong> 246 </p> 247 248 <p><em>A: The platform doesnt limit the number of certificates; but because the 249 check is linear, too many rules may incur a latency for check.</em></p> 250 251 <p><strong>Is there a limit to number of APIs we can support via this method? 252 </strong></p> 253 254 <p><em>A: No, but we limit the scope of APIs to carrier related.</em></p> 255 256 <p><strong>Are there some APIs prohibited from using this method? If so, how do 257 you enforce them? (i.e. Will you have tests to validate which APIs are supported 258 via this method?)</strong></p> 259 260 <p><em>A: See the "API Behavioral Compatibility" section of the 261 <a href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition 262 Document (CDD)</a>. We have some CTS tests to make sure the permission model of 263 the APIs is not changed.</em></p> 264 265 <p><strong>How does this work with the multi-SIM feature?</strong></p> 266 267 <p><em>A: The default SIM that gets set by the user will be used.</em></p> 268 269 <p><strong>Does this in any way interact or overlap with other SE access 270 technologies, e.g. SEEK?</strong></p> 271 <p><em>A: As an example, SEEK uses the same AID as on the UICC. So the rules 272 co-exist and are filtered by either SEEK or UiccCarrierPrivileges.</em></p> 273 274 <p><strong>When is it a good time to check carrier privileges?</strong></p> 275 <p><em>A: After the SIM state loaded broadcast.</em></p> 276 277 <p><strong>Can OEMs disable part of carrier APIs?</strong></p> 278 279 <p><em>A: No. We believe current APIs are the minimal set, and we plan to use 280 the bit mask for finer granularity control in the future.</em></p> 281 282 <p><strong>Does setOperatorBrandOverride override ALL other forms of operator 283 name strings? For example, SE13, UICC SPN, network based NITZ, etc.?</strong> 284 </p> 285 286 <p><em>A: Refer to the SPN entry in 287 <a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">TelephonyManager</a> 288 </em></p> 289 290 <p><strong>What does the injectSmsPdu method call do?</strong></p> 291 292 <p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu 293 call enables the restore function.</em></p> 294 295 <p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port 296 filtering? Or would carrier apps have access to ALL incoming SMS?</strong></p> 297 298 <p><em>A: Carriers have access to all SMS data.</em></p> 299 300 <p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears 301 incompatible with the current GP spec (which allows 0 or 20 bytes only) why are 302 you introducing this change? Do you not consider SHA-1 to be good enough to 303 avoid collisions? Have you proposed this change to GP already, as this could 304 be backwards incompatible with existing ARA-M/ARF?</strong></p> 305 306 <p><em>A: For providing future-proof security this extension introduces SHA-256 307 for DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option 308 in the GP SEAC standard. It is highly recommended to use SHA-256.</em></p> 309 310 <p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all 311 device applications not covered by a specific rule?</strong></p> 312 313 <p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is 314 intended for test purpose and is not recommended for operational deployments. 315 </em></p> 316 317 <p><strong>According to your spec, PKG-REF-DO used just by itself, without 318 DeviceAppID-REF-DO, should not be accepted. But it is still described in Table 319 6-4 as extending the definition of REF-DO. Is this on purpose? What will be the 320 behavior of the code when only a PKG-REF-DO is used in a REF-DO?</strong></p> 321 322 <p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was 323 removed in the latest version. PKG-REF-DO should only occur in combination with 324 DeviceAppID-REF-DO.</em></p> 325 326 <p><strong>We assume we can grant access to all carrier-based permissions or 327 have a finer-grained control. What will define the mapping between the bit mask 328 and the actual permissions then? One permission per class? One permission per 329 method specifically? Will 64 separate permissions be enough in the long run? 330 </strong></p> 331 332 <p><em>A: This is reserved for the future, and we welcome suggestions.</em></p> 333 334 <p><strong>Can you further define the DeviceAppID for Android specifically? 335 Since this is the SHA-1 (20 bytes) hash value of the Publisher certificate used 336 to signed the given app, shouldn't the name reflect that purpose? (The name 337 could be confusing to many readers as the rule will be applicable then to all 338 apps signed with that same Publisher certificate.)</strong></p> 339 340 <p><em>A: The deviceAppID storing certificates is already supported by the 341 existing spec. We tried to minimize spec changes to lower barrier for adoption. 342 For details, see <a href="#rules_on_uicc">Rules on UICC</a>.</em></p> 343
