ComputerEngineer88 ComputerEngineer88 - 1 month ago 45
Android Question

Sign App with UICC Carrier Privileges Certificates

I was reading information on this link in regards to signing an application with carrier privileges.

I am aware of how to sign an application using a keystore for production releases, but how do I add UICC certificates to my app so it gets carrier privileges?

My main goal is to be able to call TelephonyManager functions like:

iccOpenLogicalChannel
iccCloseLogicalChannel
iccTransmitApduLogicalChannel
iccTransmitApduBasicChannel


This is the stack trace I get when calling one of the above functions:

E/AndroidRuntime: FATAL EXCEPTION: main
E/AndroidRuntime: Process: com.xxxx, PID: 2668
E/AndroidRuntime: java.lang.SecurityException: No modify permission or carrier privilege.
E/AndroidRuntime: at android.os.Parcel.readException(Parcel.java:1599)
E/AndroidRuntime: at android.os.Parcel.readException(Parcel.java:1552)
E/AndroidRuntime: at com.android.internal.telephony.ITelephony$Stub$Proxy.iccOpenLogicalChannel(ITelephony.java:2966)
E/AndroidRuntime: at android.telephony.TelephonyManager.iccOpenLogicalChannel(TelephonyManager.java:2914)
E/AndroidRuntime: at android.view.View.performClick(View.java:5198)
E/AndroidRuntime: at android.view.View$PerformClick.run(View.java:21147)
E/AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:739)
E/AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
E/AndroidRuntime: at android.os.Looper.loop(Looper.java:148)
E/AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:5417)
E/AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)
E/AndroidRuntime: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
E/AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)


Thanks in advance!

Answer

The question that you should ask yourself is actually a different one: How do I get the certificate for my app signing key into the UICC? Once you have that, the actual signing process is no different than with any other keystore.

So, you would have a keystore containing your signing key pair and a certificate for that key. The certificate could either be a self-signed certificate (that's typically the case for Android app signing keys) or a certificate issued to you by the UICC owner (MNO/carrier). In the first case, you would need to convince the UICC owner to add that self-signed certificate to the access control list(/application) on your UICC. In the second case, the carrier would typically include the root certificate corresponding to the certificate issued to you to the UICC.

You could then use that keystore to sign an app (just as you usually do).