Softwares(such as Mozilla Firefox, Thunderbird) can load opensc module(opensc-pkcs11.so on linux and opensc-pkcs11.dll on windows)and use all smart cards supported by OpenSC for authentication, signing and decryption. My question is how can we do the same thing in android(where to store opensc module, how to access an external token etc.). For example how can an application use opensc module to access a smartcard token with nfc and/or bluetooth interface.
I dont like to flash my android like in seek for android.
I request for any suggestions or examples. Thanks in advance.
Related
Native mobile apps can use the Secure Element (or Enclave), e.g. to generate and use private keys for encrypting and signing data. These private keys are stored in the hardware of the mobile device, inaccessible to even the phone manufacturer, giving them extremely strong security properties.
I'd like to have the same functionality in a web app (which would be more widely usable since it requires no installation). Is this possible?
I've scoured the web but haven't found any good information on this. In principle, it seems that mobile browsers (because they're native apps themselves) could use the Secure Element just like any other app. In fact, as one example, I'm pretty sure they're using it to enable authentication through WebAuthn, which uses key pairs with the private key stored on the device. But... as far as I know the browsers don't expose access to web apps.
Any information on this would be much appreciated! Thanks
While you can generate keys with the Web Crypto API, accessing special security hardware chips is not possible. There is an open Issue for the spec, where this feature request is being discusses. Feel free to chime in there if you want, or just subscribe to the Issue to be informed of progress.
I am developing an Android app that selling mobile credits over the internet.
My app just keeps user credit card information and never saving any password.
I am in Iran and my country isn't accept any foreign banking system.So I can use only local payment system and I can't use any third party API out there over the Internet.
I'm struggling how to make my app secure according to PCI documentation.
I googling a lot and find some solution out there but I am not sure if it is an effective solution in Iran.
Here is some solutions that I found:
How to store data into Secure Element in android
Secure element Access Control on ICS 4.0.4
Java Card Applet and Host-based Card Emulation of Android Kitkat 4.4
PCI DSS compliant related to the Mobile Application payment
So any help will be appreciated.
Are there javax.smartcardio analogues on Android?
but not using Open Mobile API.
Thanks!
I'm using javax.smartcardio.* as a facade to IsoDep on Android in a project called SCUBA. Note that this is for trancieving APDUs to ISO14443 cards in the field of the NFC chip (in NFC capable Android phones), and not for communicating with SIM or SE.
(Main motivation was to be able to use the same JMRTD ePassport reading API jar both on J2SE and Android without changes.)
EDIT: If you're interested in communicating with a card in an external reader, have a look at this SCDroid project. Also ACS appears to have Android support for their ACR122U reader.
You can check out the com.android.nfc_extras packages in the AOSP tree. This will allow you to send APDU's to a secure element. It will also allow you to enable card emulation. This will only work on a rooted phone or an AOSP build. You wont be able to install anything on the secure element as you won't have access to the keys (unless you have a engineering sample with a different secure element). NFC extras is a private API so you may not be able to use it on a non-rooted phone.
This is for a research project at school so this is somewhat urgent. We need to know if this technology exists, or if it would require us to build something native for each device.
Is it possible to use any frameworks or tools to access Bluetooth sensors from a non-native application. For example, I gather that HTML5 applications will can access some sensors, but need bridging frameworks to access others (i.e. PhoneGap). Are there any other apps that have tackled this problem in the past that we can research?
With iOS you need to use it through GameKit, and even then there are big restrictions. With android your application has to specifically request access to bluetooth with permissions.
As far as I searched, it's not possible to use raw HTML5 to access to mobile native features such as Bluetooth on mobile devices. The only way so far that I have found is to use cross-platform mobile application development or native apps. Just keep in mind that not all cross-platform frameworks support all phone native features like Bluetooth. I think the one you mentioned, PhoneGap, does not support Bluetooth. It would be great to put comments if have you come up with any solution for your post.
Check this link to get some idea about different frameworks and their features.
The reason that this question was born is that I am totally lost, so please forgive the trivial and senseless parts.
I have an Android app, a web-service, a MicroSD smart card (mobile security card). I need to know how can I use the card with ssl to securely communicate with the web-service. Rebuilding and flashing the OS is not an option.
What I know:
The API used to communicate with the MSC
How to write/deploy applets to the MSC
How to call a web-service
What I don't know:
SSL
Too much about certificates and cryptography (only shady academic stuff from the university)
How things come together and what should I use to accomplish this
seek-for-android has an OpenSC tutorial and library, but the OS needs to be patched for that. Is there a way to avoid that and still use the solution?
I know I could be much further into this with a little research, but my deadline is quite close (a few days), so I need help, much help, and very soon.. Thank you in advance!
EDIT:
More specifically:
I have a Smart Card SD card from Giesecke & Devrient, with Java Card OS and fine applets and dev tools. I also recieved an android service to communicate with the card (the applets) with APDUs. This is quite low-level, it acceps byte codes as commands and data.
I need to call a web-service via SSL authentication. Now I know that SSL uses (can use) hardware tokens with PKCS#11 interfaces.
There is a project called seek-for-android with a guide to patch the OS and have a standard PKCS#11 interface over the smart card (I believe this would be OpenSC). I CAN'T patch the OS.
So the questions again:
Can the Android SSL implementation use (custom) PKCS#11 interfaces in some way, if yes, how? (e.g. possibly with some security providers)
Can I use OpenSC (and other stuff mentioned in the linked guide) without patching the OS (e.g. extract the libs and include it in my application)?
Overall, how should I link the gap between the low-level smart card and the high level SSL? I kindly ask you for any material regarding this.
As this is a special form of a Smart-Card encapsulated inside a microSD-card I assume that the API bases on special SD-Card read and write operations. Such operation may or may not be usable on Android without root access.
That depends on the certain implementation of the API. Usually such a microSD card already comes with Android libraries (as it is the most open relevant mobile platform) from the vendor. You should ask there for getting more information.
Use Bouncycastle (Spongycastle is the fork for Android) and implement your own Security Provider which uses the SmartCard instead of a file for stored certificates.
If you can access your card without patching the ROM, you can roll your own (requires knowledge of cryptography) SSL implementation on top of it.
If not, then AFAIK you need to patch Android to get access to the extra hardware. And the built-in SSL library has no support whatsoever for client-side "hardware tokens" AFAIK.