Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Secure element Access Control on ICS 4.0.4

Tags:

android

nfc

I updated my Android phone to 4.0.4 and i noticed that a new file nfcee access.xml appeared in the system folder. The idea of the file as far as i understood is the keep a list of signatures, and allow access to the SE and related intends only to the packages that are signed with one of this signatures. So far in this list is of course the signature of the Google Wallet.

Does anybody know how would be the process in future to enter this list? Do you need to ask for permission directly Google?

like image 937
Kamen Goranchev Avatar asked May 08 '12 07:05

Kamen Goranchev


3 Answers

If you root your phone, you can modify the file. The file contains the list of signatures and package names that are allowed access to the Secure Element (SE). The signatures is a hex-encoded X.509 certificate. To create one, simply include the tag <debug /> in the file and it will print to logcat the hex-encoded signature of applications that are denied SE access, for easy cut-and-paste into this file.

To create an app that can access the SE, you need to add this permission to the manifest:

<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />

To actually access the SE, you need to access a hidden API by importing com.android.nfc_extras:

import com.android.nfc_extras.NfcAdapterExtras;
import com.android.nfc_extras.NfcAdapterExtras.CardEmulationRoute;
import com.android.nfc_extras.NfcExecutionEnvironment;

The easiest way to make this possible is to compile your app in the Android source code tree by placing it in packages/apps and building it from there. You need to add the following line to the Android.mk makefile to get access to the SE API:

LOCAL_JAVA_LIBRARIES := com.android.nfc_extras

The functions in com.android.nfc_extras allow enabling and disabling the SE, sending commands to it and receiving responses from it (comparable to IsoDep.transceive()).

like image 56
NFC guy Avatar answered Oct 31 '22 13:10

NFC guy


This is interesting indeed. If entering your certificate and package name in this file is all that is needed, you shouldn't need to talk to Google, just get whoever is building the ROM (yourself if custom ROM, or a particular carrier) to include it. The bigger problem though is, who do you need to talk to to get the CardManager keys. If it is the carrier, you can also get them to pre-install your applet, so you might not need the keys at runtime (unless you want to use a secure channel to your applet).

Update: Here's a summary of SE support in Android and some more info on how to use the embedded one. In short, it does work, but you can only query stuff of course. It runs JavaCard and is GP 2.1.1 compatible, uses 3DES keys for the secure channel.

http://nelenkov.blogspot.com/2012/08/accessing-embedded-secure-element-in.html

http://nelenkov.blogspot.com/2012/08/android-secure-element-execution.html

BTW, here's the currently allowed cert on my GN 4.0.4. A package is not specified, so any app signed with it will get access to the SE:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a8:cd:17:c9:3d:a5:d9:90
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Google NFC
        Validity
            Not Before: Mar 24 01:06:53 2011 GMT
            Not After : Aug  9 01:06:53 2038 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Google NFC
like image 6
Nikolay Elenkov Avatar answered Oct 31 '22 14:10

Nikolay Elenkov


With cavets: If you can get your application on the nfcee_access list you can do the following things:

  • Enable the UICC (sim card) and enable the embedded secure element (if present)
  • Open a communication channel to the embedded secure element and exchange data
  • Receive transaction data from the UICC (sim card) if the UICC wants to send you data (you'll be receiver only).

You can do all this if you root your phone. No need to hack the nfcee_access list to do so, you can just intercept all traffic to the nfc-chip to so so.

What you can't do, even with a rooted phone:

  • Install applets on the UICC / eSE
  • Log/Monitor/influence the data-transfer between the embedded secure element/UICC and an external reader, e.g. hack payment systems.

Caveat: You can do almost everthing if, and only if you have the knowledge and the secure access-keys to access the embedded SE. However, if you have these information you wouldn't ask on stack-overflow. :-)

This knowledge is a well kept secret and no one will tell you this secret unless you are a company as big as google, mastercard, visa, american-express and the like.

like image 2
Nils Pipenbrinck Avatar answered Oct 31 '22 15:10

Nils Pipenbrinck