All smartcards have embedded crypto capabilities and computation power.
Is it possible to take advantage of this with a developed Android application? For example, would I be able to sign a file using the public/private key stored on the SIM?
I heard about some standards and norms and initiatives (ETSI-MSS, Mobile PKI) but I do not see any application of such architecture.
Does someone have some clue on this?
No, you cannot access the SIM card directly in Android. All access to telephony-related services takes place in the TelephonyManager API and there is no API exposed for doing any cryptographic operations in the SIM.
My understanding is that SIM cards do not use standard crypto. They handle certain kinds of authentication and crypto for the network. Given the quality of, say, A3/5, I'm not sure you would want to. I doubt you can get AES or even basic RSA out of them.
Actually the above statement is somewhat incorrect: apparently there is work either to get SIM cards to have this functionality or to write generic libraries for exposing it. I cannot, however, for the life of me remember the article I read this in.
This appears at least to be a starting point https://stackoverflow.com/a/9364030/980922
Native mobile apps can use the Secure Element (or Enclave), e.g. to generate and use private keys for encrypting and signing data. These private keys are stored in the hardware of the mobile device, inaccessible to even the phone manufacturer, giving them extremely strong security properties.
I'd like to have the same functionality in a web app (which would be more widely usable since it requires no installation). Is this possible?
I've scoured the web but haven't found any good information on this. In principle, it seems that mobile browsers (because they're native apps themselves) could use the Secure Element just like any other app. In fact, as one example, I'm pretty sure they're using it to enable authentication through WebAuthn, which uses key pairs with the private key stored on the device. But... as far as I know the browsers don't expose access to web apps.
Any information on this would be much appreciated! Thanks
While you can generate keys with the Web Crypto API, accessing special security hardware chips is not possible. There is an open Issue for the spec, where this feature request is being discussed. Feel free to chime in there if you want, or just subscribe to the Issue to be informed of progress.
The new Android Pixel 3 contains a secure element called Titan M.
First, I am wondering if it is possible to interact with this secure element by using the Open Mobile API (package android.se.omapi) now available on Android 9.
Secondly, I looked at this OMAPI and found that it allows sending APDU messages to applications using the ISO 7816 protocol for smart cards. So I would like to know what kind of applications I can interact with.
If it is possible, my aim would be to insert a JavaCard applet into the Titan M secure element and to use OMAPI to send APDUs to this applet. Has anybody tried to do that? I would be happy to get any feedback on what it is possible to do with this API and Pixel 3.
Thanks.
Franck
First, I am wondering if it is possible to interact with this secure element by using the Open Mobile API (package android.se.omapi) now available on Android 9.
At first glance and doing some limited research (mainly because there is limited information available) it doesn't look like this would be the case. That API is mainly intended for SIM cards, and I sincerely doubt with a high level of confidence that a SIM API or functionality is present in the Titan M System-on-a-Chip (with ARM SC300 core, in all likelihood).
Secondly, I looked at this OMAPI and found that it allows sending APDU messages to applications using the ISO 7816 protocol for smart cards. So I would like to know what kind of applications I can interact with.
SIM cards and embedded Secure Elements that support an APDU interface on devices that support OMAPI. However, although I would say that Titan M is an embedded Secure Element, I would wager that it doesn't use OMAPI and because of that, it won't be available through the API. Actually, I would be surprised if it uses APDUs at all. ISO/IEC 7816-4 is a pain that you can do without if you're able to specify the transport layer yourself.
If it is possible, my aim would be to insert a JavaCard applet into the Titan M secure element and to use OMAPI to send APDUs to this applet. Has anybody tried to do that? I would be happy to get any feedback on what it is possible to do with this API and Pixel 3.
I would find it entirely unlikely that Google is willing to pay license costs to Oracle to be able to implement Java Card. I certainly don't see Google listed in the JCF, which you would expect if you would implement a native Java Card solution yourself.
Finally, there have been many posts that said that the Titan M "firmware" would be released as Open Source by Google. However, that promise never materialized. Note that it is extremely tricky to release such code for secure processors. If a security issue is found that requires a software fix then that fix might have to be applied all over the place, and details of the fix may help adversaries.
So, all said, you will have to make do with the high-level interfaces that Android offers, as far as I am able to find out.
I am asking the same question as here:
Secure contents in Documents directory
For android.
Are there equivalent concepts in android to what is presented here:
Protecting the app sandbox
My particular requirement is to protect files from rooted devices and also make them available only through application and for a certain lifetime.
Thanks
My particular requirement is to protect files from rooted devices
By definition, that is impossible.
First, anyone who has a rooted device has access to every file, anywhere in the device itself.
Second, encryption only helps the user protect their data from third parties. You, on the other hand, are trying to attack the user by preventing them from accessing their data. The only way you can try to do that via encryption is for you to be the only one with the decryption key, and since that decryption key has to be on the device for the device to be able to decrypt the file, any user who wishes to can rummage through your app, find the key, and decrypt the files themselves. The notion of encrypting files this way is called DRM, and there are two types of DRM: the ones that have been cracked and the ones that nobody has bothered trying to crack yet.
If you do not want the user to access this data, do not put it on their device.
Looking through Mighter's answers and given your concern over rooted phones, it looks like it's been discussed here.
http://source.android.com/tech/encryption/android_crypto_implementation.html
(a sub-link I found somewhere in here http://source.android.com/tech/security/index.html)
Originally I was thinking you could use the ContentProvider and store your data in a database; I believe that can be protected, or you could at least encrypt the data within it. I wasn't sure that would answer your issue, however. The Android crypto implementation link, I hope, will cover your requirements, though it might be impractical due to version requirements.
Two notes:
Generally speaking, your application can only be as secure as the operating system. In case the device is rooted, the operating system isn't secure anymore, so your application can't be secure either. For example, there could be tweaks of the operating system which will:
log keyboard input
subvert any calls (including calls to crypto API)
log any information which comes through HTTP(S).
The second note is that at some point you will need to provide your data (files) in the clear (not encrypted) to 3rd party applications. As soon as you do this, they can copy it, send it to some server, and you can't do anything about it. So, even if you provide access to these files for a limited time, they can still "leak".
That said, your simplest approach (as Emile pointed out) would be to use a ContentProvider, encrypt data within it and decrypt data when it's delivered to 3rd party apps.
An approach with higher complexity would be to use DRM (http://developer.android.com/reference/android/drm/package-summary.html) in case 3rd party apps support it.
Android utilizes Unix permissions to protect the app sandbox. Each app runs under a unique user, and only that user has permissions to operate on the /data/data/your.package.name folder. However, if the target device is rooted, your app data can be compromised.
Some links:
http://source.android.com/tech/security/index.html
http://www.amazon.co.uk/dp/1430240628
http://developer.android.com/guide/topics/security/permissions.html
There is nothing safe about putting any kind of data onto an Android device. They are meant to be open devices. If you are looking to protect your data against rooted users, then you would have to use a form of encryption. And depending on the sensitivity of the item, that may not even work (unless you use really high-end encryption, which will then drain performance). Don't trust Android with sensitive information is the only thing I can say.
I am developing an android application and I want to store my data securely.
There are two ways for that:
Storing on the SIM card
Mobile security card
I want to use second one but I don't want to buy this card before I make sure it is useful for me.
I am running Google's SmartcardSample(svn) application.
But I get an error like this.
See this answer for using the SIM as a Secure Element: https://stackoverflow.com/a/9364030/156477 (It's not a scalable solution at present).
This isn't Google's code, and the SEEK API isn't part of Android (out of the box). Have a look at http://code.google.com/p/seek-for-android/wiki/SmartcardAPI. You'll see at the bottom you need to rebuild your own version of the Android OS, and flash it to your device.
I notice you haven't tagged the question with NFC. I wonder, do you really need SmartCard support or do you just need to store data securely? The typical SmartCard use case is to use the phone for payment or building access, known as NFC Card Emulation mode.
The reason that this question was born is that I am totally lost, so please forgive the trivial and senseless parts.
I have an Android app, a web-service, a MicroSD smart card (mobile security card). I need to know how can I use the card with ssl to securely communicate with the web-service. Rebuilding and flashing the OS is not an option.
What I know:
The API used to communicate with the MSC
How to write/deploy applets to the MSC
How to call a web-service
What I don't know:
SSL
Too much about certificates and cryptography (only shady academic stuff from the university)
How things come together and what should I use to accomplish this
seek-for-android has an OpenSC tutorial and library, but the OS needs to be patched for that. Is there a way to avoid that and still use the solution?
I know I could be much further into this with a little research, but my deadline is quite close (a few days), so I need help, much help, and very soon. Thank you in advance!
EDIT:
More specifically:
I have a Smart Card SD card from Giesecke & Devrient, with Java Card OS and fine applets and dev tools. I also received an Android service to communicate with the card (the applets) with APDUs. This is quite low-level; it accepts byte codes as commands and data.
I need to call a web-service via SSL authentication. Now I know that SSL uses (can use) hardware tokens with PKCS#11 interfaces.
There is a project called seek-for-android with a guide to patch the OS and have a standard PKCS#11 interface over the smart card (I believe this would be OpenSC). I CAN'T patch the OS.
So the questions again:
Can the Android SSL implementation use (custom) PKCS#11 interfaces in some way, if yes, how? (e.g. possibly with some security providers)
Can I use OpenSC (and other stuff mentioned in the linked guide) without patching the OS (e.g. extract the libs and include it in my application)?
Overall, how should I bridge the gap between the low-level smart card and the high-level SSL? I kindly ask you for any material regarding this.
As this is a special form of a Smart Card encapsulated inside a microSD card, I assume that the API is based on special SD card read and write operations. Such operations may or may not be usable on Android without root access.
That depends on the specific implementation of the API. Usually such a microSD card already comes with Android libraries (as it is the most open relevant mobile platform) from the vendor. You should ask there to get more information.
Use Bouncycastle (Spongycastle is the fork for Android) and implement your own Security Provider which uses the SmartCard instead of a file for stored certificates.
If you can access your card without patching the ROM, you can roll your own (requires knowledge of cryptography) SSL implementation on top of it.
If not, then AFAIK you need to patch Android to get access to the extra hardware. And the built-in SSL library has no support whatsoever for client-side "hardware tokens" AFAIK.
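As an added example (not code from any of the posts above, nor from the SEEK or OMAPI projects), the following Python simulation ties together two threads on this page: the ISO 7816-4 APDU framing that the Titan M answer calls a pain (the Lc/Le fields, and 61xx status words that force a GET RESPONSE round trip before you see the data), and the gap raised in the last question between a low-level "bytes in, bytes out" APDU service and the single sign(data) call that a TLS client-authentication or PKCS#11 layer actually needs. It assumes a Channel.transmit(bytes) -> bytes shape mirroring android.se.omapi.Channel.transmit; the applet, its AID, its INS codes and its hash-based "signature" are constructed stand-ins for a real card applet, which would compute RSA or ECDSA inside the card.

```python
# ISO 7816-4 APDU framing over an OMAPI-style channel, with a simulated applet.
# Channel.transmit(bytes) -> bytes mirrors android.se.omapi.Channel.transmit (command
# APDU in, full response APDU data + SW1 SW2 out). SignApplet, its AID, INS codes
# and hash-based "signature" are constructed stand-ins, not a real card's interface.
import hashlib

MAX_LC = 255  # short-length APDUs carry at most 255 data bytes per command
INS_SELECT, INS_SIGN, INS_GET_RESPONSE = 0xA4, 0x2A, 0xC0


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-length command APDU (ISO 7816-4 cases 1-4)."""
    if len(data) > MAX_LC:
        raise ValueError("more than 255 data bytes: use command chaining")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data  # Lc, then the data field
    if le is not None:
        apdu += bytes([le & 0xFF])  # Le; 0x00 means "up to 256 bytes"
    return apdu


def split_response(resp):
    """Split a response APDU into (data, 16-bit status word)."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


class SignApplet:
    """Constructed applet simulator: SELECT by AID, then signing with command
    chaining (CLA bit 0x10 set means more data blocks follow)."""
    AID = bytes.fromhex("A000000001020304")  # constructed demo AID

    def __init__(self):
        self._selected = False
        self._buf = b""      # chained command data received so far
        self._pending = b""  # response bytes waiting for GET RESPONSE
        self._secret = b"card-resident-secret"  # never leaves the card

    def verify(self, data, sig):
        """Stand-in for public-key verification of the simulated signature."""
        return hashlib.sha256(self._secret + data).digest() == sig

    def transmit(self, apdu):
        cla, ins, p1, p2 = apdu[:4]
        body = apdu[4:]
        data = body[1:1 + body[0]] if body else b""
        if ins == INS_SELECT:
            self._selected = data == self.AID
            return b"\x90\x00" if self._selected else b"\x6A\x82"  # not found
        if not self._selected:
            return b"\x69\x85"  # conditions of use not satisfied
        if ins == INS_GET_RESPONSE:
            out, self._pending = self._pending[:256], self._pending[256:]
            if self._pending:
                return out + bytes([0x61, min(len(self._pending), 255)])
            return out + b"\x90\x00"
        if ins == INS_SIGN:
            self._buf += data
            if cla & 0x10:  # chaining: wait for the final block
                return b"\x90\x00"
            sig = hashlib.sha256(self._secret + self._buf).digest()
            self._buf = b""
            # T=0 style: 61xx tells the host to fetch the bytes with GET RESPONSE
            self._pending = sig
            return bytes([0x61, len(sig)])
        return b"\x6D\x00"  # INS not supported


class CardSigner:
    """Host-side bridge: all a TLS or PKCS#11 layer needs from the card is
    sign(data); every APDU detail stays behind this class."""

    def __init__(self, channel, aid):
        self.ch = channel
        sel = build_apdu(0x00, INS_SELECT, 0x04, 0x00, aid)
        _, sw = split_response(channel.transmit(sel))
        if sw != 0x9000:
            raise RuntimeError(f"SELECT failed: SW={sw:04X}")

    def _exchange(self, apdu):
        """Transmit one APDU and follow 61xx / 6Cxx status words transparently."""
        out, sw = split_response(self.ch.transmit(apdu))
        while sw != 0x9000:
            if sw >> 8 == 0x61:  # more response bytes available: fetch them
                more = build_apdu(0x00, INS_GET_RESPONSE, 0, 0, le=sw & 0xFF)
                data, sw = split_response(self.ch.transmit(more))
                out += data
            elif sw >> 8 == 0x6C and len(apdu) == 5:  # case-2 wrong Le: resend with card's Le
                out, sw = split_response(self.ch.transmit(apdu[:4] + bytes([sw & 0xFF])))
            else:
                raise RuntimeError(f"card error: SW={sw:04X}")
        return out

    def sign(self, data):
        """Send data in <=255-byte blocks (command chaining); return the signature."""
        blocks = [data[i:i + MAX_LC] for i in range(0, len(data), MAX_LC)] or [b""]
        for block in blocks[:-1]:
            self._exchange(build_apdu(0x10, INS_SIGN, 0x9E, 0x9A, block))
        return self._exchange(build_apdu(0x00, INS_SIGN, 0x9E, 0x9A, blocks[-1], le=0))
```

The design point is the shape of CardSigner: the host never sees the key, only a sign(data) method, which is exactly what a custom Security Provider or KeyManager would wrap so that the TLS stack's CertificateVerify step is computed on the card. Everything specific to the card (AID, chaining, the 61xx and 6Cxx retries) stays in one place, and swapping the simulator for a real android.se.omapi channel or the vendor's APDU service changes only the object passed as channel.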