1page.title=UICC Carrier Privileges
2@jd:body
3
4<!--
5    Copyright 2015 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23    </ol>
24  </div>
25</div>
26
27<p>Android 5.1 introduced a mechanism to grant special privileges for APIs
28relevant to the Universal Integrated Circuit Card (UICC) owner’s apps. The
29Android platform loads certificates stored on a UICC and grants permission to
30apps signed by these certificates to make calls to a handful of special APIs.
31</p>
32<p>Android 7.0 extends this feature to support other storage sources, such as
33Access File Rule (ARF), for UICC carrier privilege rules, dramatically
34increasing the number of carriers that can use the APIs. For an API reference,
35see <a href="#carrierconfigmanager">CarrierConfigManager</a>; for instructions,
36see <a href="{@docRoot}devices/tech/config/carrier.html">Carrier
37Configuration</a>.</p>
38
39<p>Since carriers have full control of the UICC, this mechanism provides a
40secure and flexible way to manage apps from the Mobile Network Operator (MNO)
41hosted on generic application distribution channels (such as Google Play) while
42retaining special privileges on devices and without the need to sign apps with
43the per-device platform certificate or pre-install as a system app.</p>
44
45<h2 id=rules_on_uicc>Rules on UICC</h2>
46
47<p>Storage on the UICC is compatible with the
48<a href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform
49Secure Element Access Control specification</a>. The application identifier
50(AID) on card is <code>A00000015141434C00</code>, and the standard GET DATA
51command is used to fetch rules stored on the card. You may update these rules
52via card over-the-air (OTA) update.</p>
53
54<h3 id=data_hierarchy>Data hierarchy</h3>
55<p>UICC rules use the following data hierarchy (the two-character letter and
56number combination in parentheses is the object tag). Each rule is a REF-AR-DO
57(E2) and consists of a concatenation of a REF-DO and an AR-DO:</p>
58
59<ul>
60  <li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a
61  DeviceAppID-REF-DO and a PKG-REF-DO.
62  <ul>
63  <li>DeviceAppID-REF-DO (C1) stores the SHA-1 (20 bytes) or SHA-256 (32 bytes)
64  signature of the certificate.
65  <li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII
66  encoded, max length 127 bytes.
67  </ul></li>
68  <li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit
69  mask representing 64 separate permissions.</li>
70</ul>
71
72<p>If PKG-REF-DO is not present, any app signed by the certificate is granted
73access; otherwise both certificate and package name need to match.</p>
74
75<h3 id=rule_example>Rule example</h3>
76<p>The application name is <code>com.google.android.apps.myapp</code> and the
77SHA-1 certificate in hex string is:</p>
78<pre>AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4</pre>
79
80<p>The rule on UICC in hex string is:</p>
81<pre>
82E243 &lt;= 43 is value length in hex
83  E135
84    C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4
85    CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070
86  E30A
87    DB08 0000000000000001
88</pre>
89
90<h2 id=arf>Access Rule File (ARF) support</h2>
91<p>Android 7.0 adds support for reading carrier privilege rules from the Access
92Rule File (ARF).</p>
93<p>The Android platform first attempts to select the Access Rule Applet (ARA)
94application identifier (AID) <code>A00000015141434C00</code>. If it doesn't find
95the AID on the Universal Integrated Circuit Card (UICC), it falls back to ARF by
96selecting PKCS15 AID <code>A000000063504B43532D3135</code>. Android then reads
97Access Control Rules File (ACRF) at <code>0x4300</code> and looks for entries
98with AID <code>FFFFFFFFFFFF</code>. Entries with different AIDs are ignored, so
99rules for other use cases can co-exist.</p>
100<p>Example ACRF content in hex string:</p>
101<pre>30 10 A0 08 04 06 FF FF FF FF FF FF 30 04 04 02 43 10</pre>
102
103<p>Example Access Control Conditions File (ACCF) content:</p>
104<pre>30 16 04 14 61 ED 37 7E 85 D3 86 A8 DF EE 6B 86 4B D8 5B 0B FA A5 AF 81
105</pre>
106
107<p>In above example, <code>0x4310</code> is the address for ACCF, which contains
108the certificate hash
109<code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. Apps
110signed by this certificate are granted carrier privileges.</p>
111
112<h2 id=enabled_apis>Enabled APIs</h2>
113
114<p>Android supports the following APIs.</p>
115
116<h3 id=telephonymanager>TelephonyManager</h3>
117
118<ul>
119<li>API to allow the carrier application to ask UICC for a challenge/response:
120<a href="https://developer.android.com/reference/android/telephony/TelephonyManager.html#getIccAuthentication(int,%20int,%20java.lang.String)"><code>getIccAuthentication</code></a>.
121</li>
122
123<li>API to check whether calling application has been granted carrier
124privileges:
125<a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()"><code>hasCarrierPrivileges</code></a>.
126</li>
127
128<li>APIs to override brand and number:
129<ul>
130  <li><code>setOperatorBrandOverride</code></li>
131  <li><code>setLine1NumberForDisplay</code></li>
132  <li><code>setVoiceMailNumber</code></li>
133</ul></li>
134
135<li>APIs for direct UICC communication:
136<ul>
137  <li><code>iccOpenLogicalChannel</code></li>
138  <li><code>iccCloseLogicalChannel</code></li>
139  <li><code>iccExchangeSimIO</code></li>
140  <li><code>iccTransmitApduLogicalChannel</code></li>
141  <li><code>iccTransmitApduBasicChannel</code></li>
142  <li><code>sendEnvelopeWithStatus</code></li>
143</ul></li>
144
145<li>API to set device mode to global:
146<code>setPreferredNetworkTypeToGlobal</code>.</li>
147</ul>
148
149<h3 id=smsmanager>SmsManager</h3>
150
151<p>API to allow caller to create new incoming SMS messages:
152<code>injectSmsPdu</code>.</p>
153
154<h3 id=carrierconfigmanager>CarrierConfigManager</h3>
155
156<p>API to notify configuration changed:
157<code>notifyConfigChangedForSubId</code>. For instructions, see
158<a href="{@docRoot}devices/tech/config/carrier.html">Carrier Configuration</a>.
159</p>
160
161<h3 id=carriermessagingservice>CarrierMessagingService</h3>
162
163<p>Service that receives calls from the system when new SMS and MMS are sent
164or received. To extend this class, declare the service in your manifest file
165with the <code>android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE</code>
166permission and include an intent filter with the <code>#SERVICE_INTERFACE</code>
167action. APIs include:</p>
168<ul>
169  <li><code>onFilterSms</code></li>
170  <li><code>onSendTextSms</code></li>
171  <li><code>onSendDataSms</code></li>
172  <li><code>onSendMultipartTextSms</code></li>
173  <li><code>onSendMms</code></li>
174  <li><code>onDownloadMms</code></li>
175</ul>
176
177<h3 id=telephonyprovider>TelephonyProvider</h3>
178
179<p>Content provider APIs to allow modifications (insert, delete, update, query)
180to the telephony database. Values fields are defined at
181<a href="https://developer.android.com/reference/android/provider/Telephony.Carriers.html"><code>Telephony.Carriers</code></a>;
182for more details, refer to
183<a href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony</a>
184API reference on developer.android.com.</p>
185
186<h2 id=android_platform>Android platform</h2>
187
188<p>On a detected UICC, the platform will construct internal UICC objects that
189include carrier privilege rules as part of the UICC.
190<a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java"><code>UiccCarrierPrivilegeRules.java</code></a>
191loads rules, parses them from the UICC card, and caches them in memory. When
192a privilege check is needed, <code>UiccCarrierPrivilegeRules</code> compares the
193caller certificate with its own rules one by one. If the UICC is removed, rules
194are destroyed along with the UICC object.</p>
195
196<h2 id=validation>Validation</h2>
197<p>The Android 7.0 CTS includes tests for carrier APIs in
198<code>CtsCarrierApiTestCases.apk</code>. Because this feature depends on
199certificates on the UICC, you must prepare the UICC to pass these tests.</p>
200
201<h3 id=prepare_uicc>Preparing the UICC</h3>
202<p>By default, <code>CtsCarrierApiTestCases.apk</code> is signed by Android
203developer key, with hash value
204<code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. The
205tests also print out the expected certificate hash if certificates on UICC
206mismatch.</p>
207<p>Example output:</p>
208<pre>
209junit.framework.AssertionFailedError: This test requires a SIM card with carrier privilege rule on it.
210Cert hash: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
211</pre>
212
213<p>In order to validate the implementation via CTS using
214<code>CtsCarrierApiTestCases.apk</code>, you must have a developer UICC with
215the correct UICC rules or ARF support. You may ask the SIM card vendor
216of your choice to prepare a developer UICC with the right ARF as described in
217this section and use that UICC to run the tests. The UICC does not require
218active cellular service to pass CTS tests.</p>
219
220<h3 id=run_tests>Running tests</h3>
221<p>For convenience, the Android 7.0 CTS supports a device token that restricts
222tests to run only on devices configured with same token. Carrier API CTS tests
223support the device token <code>sim-card-with-certs</code>. For example, the
224following device token restricts carrier API tests to run only on device
225<code>abcd1234</code>:</p>
226<pre>cts-tradefed run cts  --device-token abcd1234:sim-card-with-certs</pre>
227
228<p>When running a test without using a device token, the test runs on all
229devices.</p>
230
231<h2 id=faq>FAQ</h2>
232
233<p><strong>How can certificates be updated on the UICC?</strong></p>
234
235<p><em>A: Use existing card OTA update mechanism.</em></p>
236
237<p><strong>Can it co-exist with other rules?</strong></p>
238
239<p><em>A: It’s fine to have other security rules on the UICC under same AID; the
240platform will filter them out automatically.</em></p>
241
242<p><strong>What happens when the UICC is removed for an app that relies on the
243certificates on it?</strong></p>
244
245<p><em>A: The app will lose its privileges because the rules associated with the
246UICC are destroyed on UICC removal.</em></p>
247
248<p><strong>Is there a limit on the number of certificates on the UICC?</strong>
249</p>
250
251<p><em>A: The platform doesn’t limit the number of certificates; but because the
252check is linear, too many rules may incur a latency for check.</em></p>
253
254<p><strong>Is there a limit to number of APIs we can support via this method?
255</strong></p>
256
257<p><em>A: No, but we limit the scope of APIs to carrier related.</em></p>
258
259<p><strong>Are there some APIs prohibited from using this method? If so, how do
260you enforce them? (i.e. Will you have tests to validate which APIs are supported
261via this method?)</strong></p>
262
263<p><em>A: See the "API Behavioral Compatibility" section of the
264<a href="{@docRoot}compatibility/cdd.html">Android Compatibility Definition
265Document (CDD)</a>. We have some CTS tests to make sure the permission model of
266the APIs is not changed.</em></p>
267
268<p><strong>How does this work with the multi-SIM feature?</strong></p>
269
270<p><em>A: The default SIM that gets set by the user will be used.</em></p>
271
272<p><strong>Does this in any way interact or overlap with other SE access
273technologies, e.g. SEEK?</strong></p>
274<p><em>A: As an example, SEEK uses the same AID as on the UICC. So the rules
275co-exist and are filtered by either SEEK or UiccCarrierPrivileges.</em></p>
276
277<p><strong>When is it a good time to check carrier privileges?</strong></p>
278<p><em>A: After the SIM state loaded broadcast.</em></p>
279
280<p><strong>Can OEMs disable part of carrier APIs?</strong></p>
281
282<p><em>A: No. We believe current APIs are the minimal set, and we plan to use
283the bit mask for finer granularity control in the future.</em></p>
284
285<p><strong>Does setOperatorBrandOverride override ALL other forms of operator
286name strings? For example, SE13, UICC SPN, network based NITZ, etc.?</strong>
287</p>
288
289<p><em>A: Refer to the SPN entry in
290<a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">TelephonyManager</a>
291</em></p>
292
293<p><strong>What does the injectSmsPdu method call do?</strong></p>
294
295<p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu
296call enables the restore function.</em></p>
297
298<p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port
299filtering? Or would carrier apps have access to ALL incoming SMS?</strong></p>
300
301<p><em>A: Carriers have access to all SMS data.</em></p>
302
303<p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears
304incompatible with the current GP spec (which allows 0 or 20 bytes only) why are
305you introducing this change? Do you not consider SHA-1 to be good enough to
306avoid collisions? Have you proposed this change to GP already, as this could
307be backwards incompatible with existing ARA-M/ARF?</strong></p>
308
309<p><em>A: For providing future-proof security this extension introduces SHA-256
310for DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option
311in the GP SEAC standard. It is highly recommended to use SHA-256.</em></p>
312
313<p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all
314device applications not covered by a specific rule?</strong></p>
315
316<p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is
317intended for test purpose and is not recommended for operational deployments.
318</em></p>
319
320<p><strong>According to your spec, PKG-REF-DO used just by itself, without
321DeviceAppID-REF-DO, should not be accepted. But it is still described in Table
3226-4 as extending the definition of REF-DO. Is this on purpose? What will be the
323behavior of the code when only a PKG-REF-DO is used in a REF-DO?</strong></p>
324
325<p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was
326removed in the latest version. PKG-REF-DO should only occur in combination with
327DeviceAppID-REF-DO.</em></p>
328
329<p><strong>We assume we can grant access to all carrier-based permissions or
330have a finer-grained control. What will define the mapping between the bit mask
331and the actual permissions then? One permission per class? One permission per
332method specifically? Will 64 separate permissions be enough in the long run?
333</strong></p>
334
335<p><em>A: This is reserved for the future, and we welcome suggestions.</em></p>
336
337<p><strong>Can you further define the DeviceAppID for Android specifically?
338Since this is the SHA-1 (20 bytes) hash value of the Publisher certificate used
339to signed the given app, shouldn't the name reflect that purpose? (The name
340could be confusing to many readers as the rule will be applicable then to all
341apps signed with that same Publisher certificate.)</strong></p>
342
343<p><em>A: The deviceAppID storing certificates is already supported by the
344existing spec. We tried to minimize spec changes to lower barrier for adoption.
345For details, see <a href="#rules_on_uicc">Rules on UICC</a>.</em></p>
346