• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=UICC Carrier Privileges
2@jd:body
3
4<!--
5    Copyright 2015 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23    </ol>
24  </div>
25</div>
26
27<p>Android 5.1 introduced a mechanism to grant special privileges for APIs
28relevant to the Universal Integrated Circuit Card (UICC) owner’s apps. The
29Android platform loads certificates stored on a UICC and grants permission to
30apps signed by these certificates to make calls to a handful of special APIs.
31</p>
32<p>Android 7.0 extends this feature to support other storage sources, such as
33Access File Rule (ARF), for UICC carrier privilege rules, dramatically
34increasing the number of carriers that can use the APIs. For an API reference,
35see <a href="#carrierconfigmanager">CarrierConfigManager</a>; for instructions,
36see <a href="{@docRoot}devices/tech/config/carrier.html">Carrier
37Configuration</a>.</p>
38
39<p>Since carriers have full control of the UICC, this mechanism provides a
40secure and flexible way to manage apps from the Mobile Network Operator (MNO)
41hosted on generic application distribution channels (such as Google Play) while
42retaining special privileges on devices and without the need to sign apps with
43the per-device platform certificate or pre-install as a system app.</p>
44
45<h2 id=rules_on_uicc>Rules on UICC</h2>
46
47<p>Storage on the UICC is compatible with the
48<a href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform
49Secure Element Access Control specification</a>. The application identifier
50(AID) on card is <code>A00000015141434C00</code>, and the standard GET DATA
51command is used to fetch rules stored on the card. You may update these rules
52via card over-the-air (OTA) update.</p>
53
54<h3 id=data_hierarchy>Data hierarchy</h3>
55<p>UICC rules use the following data hierarchy (the two-character letter and
56number combination in parentheses is the object tag). Each rule is a REF-AR-DO
57(E2) and consists of a concatenation of a REF-DO and an AR-DO:</p>
58
59<ul>
60  <li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a
61  DeviceAppID-REF-DO and a PKG-REF-DO.
62  <ul>
63  <li>DeviceAppID-REF-DO (C1) stores the SHA-1 (20 bytes) or SHA-256 (32 bytes)
64  signature of the certificate.
65  <li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII
66  encoded, max length 127 bytes.
67  </ul></li>
68  <li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit
69  mask representing 64 separate permissions.</li>
70</ul>
71
72<p>If PKG-REF-DO is not present, any app signed by the certificate is granted
73access; otherwise both certificate and package name need to match.</p>
74
75<h3 id=rule_example>Rule example</h3>
76<p>The application name is <code>com.google.android.apps.myapp</code> and the
77SHA-1 certificate in hex string is:</p>
78<pre>AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4</pre>
79
80<p>The rule on UICC in hex string is:</p>
81<pre>
82E243 &lt;= 43 is value length in hex
83  E135
84    C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4
85    CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070
86  E30A
87    DB08 0000000000000001
88</pre>
89
90<h2 id=arf>Access Rule File (ARF) support</h2>
91<p>Android 7.0 adds support for reading carrier privilege rules from the Access
92Rule File (ARF).</p>
93<p>The Android platform first attempts to select the Access Rule Applet (ARA)
94application identifier (AID) <code>A00000015141434C00</code>. If it doesn't find
95the AID on the Universal Integrated Circuit Card (UICC), it falls back to ARF by
96selecting PKCS15 AID <code>A000000063504B43532D3135</code>. Android then reads
97Access Control Rules File (ACRF) at <code>0x4300</code> and looks for entries
98with AID <code>FFFFFFFFFFFF</code>. Entries with different AIDs are ignored, so
99rules for other use cases can co-exist.</p>
100<p>Example ACRF content in hex string:</p>
101<pre>30 10 A0 08 04 06 FF FF FF FF FF FF 30 04 04 02 43 10</pre>
102
103<p>Example Access Control Conditions File (ACCF) content:</p>
104<pre>30 16 04 14 61 ED 37 7E 85 D3 86 A8 DF EE 6B 86 4B D8 5B 0B FA A5 AF 81
105</pre>
106
107<p>In above example, <code>0x4310</code> is the address for ACCF, which contains
108the certificate hash
109<code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. Apps
110signed by this certificate are granted carrier privileges.</p>
111
112<h2 id=enabled_apis>Enabled APIs</h2>
113
114<p>Android supports the following APIs.</p>
115
116<h3 id=telephonymanager>TelephonyManager</h3>
117
118<ul>
119<li>API to allow the carrier application to ask UICC for a challenge/response:
120<a href="https://developer.android.com/reference/android/telephony/TelephonyManager.html#getIccAuthentication(int,%20int,%20java.lang.String)"><code>getIccAuthentication</code></a>.
121</li>
122
123<li>API to check whether calling application has been granted carrier
124privileges:
125<a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()"><code>hasCarrierPrivileges</code></a>.
126</li>
127
128<li>APIs to override brand and number:
129<ul>
130  <li><code>setOperatorBrandOverride</code></li>
131  <li><code>setLine1NumberForDisplay</code></li>
132  <li><code>setVoiceMailNumber</code></li>
133</ul></li>
134
135<li>APIs for direct UICC communication:
136<ul>
137  <li><code>iccOpenLogicalChannel</code></li>
138  <li><code>iccCloseLogicalChannel</code></li>
139  <li><code>iccExchangeSimIO</code></li>
140  <li><code>iccTransmitApduLogicalChannel</code></li>
141  <li><code>iccTransmitApduBasicChannel</code></li>
142  <li><code>sendEnvelopeWithStatus</code></li>
143</ul></li>
144
145<li>API to set device mode to global:
146<code>setPreferredNetworkTypeToGlobal</code>.</li>
147</ul>
148
149<h3 id=smsmanager>SmsManager</h3>
150
151<p>API to allow caller to create new incoming SMS messages:
152<code>injectSmsPdu</code>.</p>
153
154<h3 id=carrierconfigmanager>CarrierConfigManager</h3>
155
156<p>API to notify configuration changed:
157<code>notifyConfigChangedForSubId</code>. For instructions, see
158<a href="{@docRoot}devices/tech/config/carrier.html">Carrier Configuration</a>.
159</p>
160
161<h3 id=carriermessagingservice>CarrierMessagingService</h3>
162
163<p>Service that receives calls from the system when new SMS and MMS are sent
164or received. To extend this class, declare the service in your manifest file
165with the <code>android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE</code>
166permission and include an intent filter with the <code>#SERVICE_INTERFACE</code>
167action. APIs include:</p>
168<ul>
169  <li><code>onFilterSms</code></li>
170  <li><code>onSendTextSms</code></li>
171  <li><code>onSendDataSms</code></li>
172  <li><code>onSendMultipartTextSms</code></li>
173  <li><code>onSendMms</code></li>
174  <li><code>onDownloadMms</code></li>
175</ul>
176
177<h3 id=telephonyprovider>TelephonyProvider</h3>
178
179<p>Content provider APIs to allow modifications (insert, delete, update, query)
180to the telephony database. Values fields are defined at
181<a href="https://developer.android.com/reference/android/provider/Telephony.Carriers.html"><code>Telephony.Carriers</code></a>;
182for more details, refer to
183<a href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony</a>
184API reference on developer.android.com.</p>
185
186<h2 id=android_platform>Android platform</h2>
187
188<p>On a detected UICC, the platform will construct internal UICC objects that
189include carrier privilege rules as part of the UICC.
190<a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java"><code>UiccCarrierPrivilegeRules.java</code></a>
191loads rules, parses them from the UICC card, and caches them in memory. When
192a privilege check is needed, <code>UiccCarrierPrivilegeRules</code> compares the
193caller certificate with its own rules one by one. If the UICC is removed, rules
194are destroyed along with the UICC object.</p>
195
196<h2 id=validation>Validation</h2>
197<p>The Android 7.0 CTS includes tests for carrier APIs in
198<code>CtsCarrierApiTestCases.apk</code>. Because this feature depends on
199certificates on the UICC, you must prepare the UICC to pass these tests.</p>
200
201<h3 id=prepare_uicc>Preparing the UICC</h3>
202<p>By default, <code>CtsCarrierApiTestCases.apk</code> is signed by Android
203developer key, with hash value
204<code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. The
205tests also print out the expected certificate hash if certificates on UICC
206mismatch.</p>
207<p>Example output:</p>
208<pre>
209junit.framework.AssertionFailedError: This test requires a SIM card with carrier privilege rule on it.
210Cert hash: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
211</pre>
212
213<p>You may need a developer UICC to update it with the correct applet and
214certificate rules. However, the UICC does not require active cellular service to
215pass CTS tests.</p>
216
217<h3 id=run_tests>Running tests</h3>
218<p>For convenience, the Android 7.0 CTS supports a device token that restricts
219tests to run only on devices configured with same token. Carrier API CTS tests
220support the device token <code>sim-card-with-certs</code>. For example, the
221following device token restricts carrier API tests to run only on device
222<code>abcd1234</code>:</p>
223<pre>cts-tradefed run cts  --device-token abcd1234:sim-card-with-certs</pre>
224
225<p>When running a test without using a device token, the test runs on all
226devices.</p>
227
228<h2 id=faq>FAQ</h2>
229
230<p><strong>How can certificates be updated on the UICC?</strong></p>
231
232<p><em>A: Use existing card OTA update mechanism.</em></p>
233
234<p><strong>Can it co-exist with other rules?</strong></p>
235
236<p><em>A: It’s fine to have other security rules on the UICC under same AID; the
237platform will filter them out automatically.</em></p>
238
239<p><strong>What happens when the UICC is removed for an app that relies on the
240certificates on it?</strong></p>
241
242<p><em>A: The app will lose its privileges because the rules associated with the
243UICC are destroyed on UICC removal.</em></p>
244
245<p><strong>Is there a limit on the number of certificates on the UICC?</strong>
246</p>
247
248<p><em>A: The platform doesn’t limit the number of certificates; but because the
249check is linear, too many rules may incur a latency for check.</em></p>
250
251<p><strong>Is there a limit to number of APIs we can support via this method?
252</strong></p>
253
254<p><em>A: No, but we limit the scope of APIs to carrier related.</em></p>
255
256<p><strong>Are there some APIs prohibited from using this method? If so, how do
257you enforce them? (i.e. Will you have tests to validate which APIs are supported
258via this method?)</strong></p>
259
260<p><em>A: See the "API Behavioral Compatibility" section of the
261<a href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
262Document (CDD)</a>. We have some CTS tests to make sure the permission model of
263the APIs is not changed.</em></p>
264
265<p><strong>How does this work with the multi-SIM feature?</strong></p>
266
267<p><em>A: The default SIM that gets set by the user will be used.</em></p>
268
269<p><strong>Does this in any way interact or overlap with other SE access
270technologies, e.g. SEEK?</strong></p>
271<p><em>A: As an example, SEEK uses the same AID as on the UICC. So the rules
272co-exist and are filtered by either SEEK or UiccCarrierPrivileges.</em></p>
273
274<p><strong>When is it a good time to check carrier privileges?</strong></p>
275<p><em>A: After the SIM state loaded broadcast.</em></p>
276
277<p><strong>Can OEMs disable part of carrier APIs?</strong></p>
278
279<p><em>A: No. We believe current APIs are the minimal set, and we plan to use
280the bit mask for finer granularity control in the future.</em></p>
281
282<p><strong>Does setOperatorBrandOverride override ALL other forms of operator
283name strings? For example, SE13, UICC SPN, network based NITZ, etc.?</strong>
284</p>
285
286<p><em>A: Refer to the SPN entry in
287<a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">TelephonyManager</a>
288</em></p>
289
290<p><strong>What does the injectSmsPdu method call do?</strong></p>
291
292<p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu
293call enables the restore function.</em></p>
294
295<p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port
296filtering? Or would carrier apps have access to ALL incoming SMS?</strong></p>
297
298<p><em>A: Carriers have access to all SMS data.</em></p>
299
300<p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears
301incompatible with the current GP spec (which allows 0 or 20 bytes only) why are
302you introducing this change? Do you not consider SHA-1 to be good enough to
303avoid collisions? Have you proposed this change to GP already, as this could
304be backwards incompatible with existing ARA-M/ARF?</strong></p>
305
306<p><em>A: For providing future-proof security this extension introduces SHA-256
307for DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option
308in the GP SEAC standard. It is highly recommended to use SHA-256.</em></p>
309
310<p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all
311device applications not covered by a specific rule?</strong></p>
312
313<p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is
314intended for test purpose and is not recommended for operational deployments.
315</em></p>
316
317<p><strong>According to your spec, PKG-REF-DO used just by itself, without
318DeviceAppID-REF-DO, should not be accepted. But it is still described in Table
3196-4 as extending the definition of REF-DO. Is this on purpose? What will be the
320behavior of the code when only a PKG-REF-DO is used in a REF-DO?</strong></p>
321
322<p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was
323removed in the latest version. PKG-REF-DO should only occur in combination with
324DeviceAppID-REF-DO.</em></p>
325
326<p><strong>We assume we can grant access to all carrier-based permissions or
327have a finer-grained control. What will define the mapping between the bit mask
328and the actual permissions then? One permission per class? One permission per
329method specifically? Will 64 separate permissions be enough in the long run?
330</strong></p>
331
332<p><em>A: This is reserved for the future, and we welcome suggestions.</em></p>
333
334<p><strong>Can you further define the DeviceAppID for Android specifically?
335Since this is the SHA-1 (20 bytes) hash value of the Publisher certificate used
336to signed the given app, shouldn't the name reflect that purpose? (The name
337could be confusing to many readers as the rule will be applicable then to all
338apps signed with that same Publisher certificate.)</strong></p>
339
340<p><em>A: The deviceAppID storing certificates is already supported by the
341existing spec. We tried to minimize spec changes to lower barrier for adoption.
342For details, see <a href="#rules_on_uicc">Rules on UICC</a>.</em></p>
343