Tags: android, nfc, securityexception, open-mobile-api, secure-element

Android Open Mobile API Release Difficulties


I am using the "org.simalliance.openmobileapi.jar" file from the SDK. I copied it to my libs folder and added the dependency like this:

Case #1: working fine (in debug mode)

In app Gradle file I have:

    provided files('libs/org.simalliance.openmobileapi.jar')

Case #2: not working (in release mode - without minifyEnabled)

In app Gradle file I have:

    compile files('libs/org.simalliance.openmobileapi.jar')

In case #2 I get the following exception:

(java.lang.SecurityException: Access Control Enforcer: no APDU access allowed!)

What could cause the problem?


Solution

  • First of all, you need to use the "provided" scope in your build.gradle file for both your debug and your release build:

    dependencies {
        [...]
        provided files('libs/org.simalliance.openmobileapi.jar')
    }
    

    UPDATE

    "provided" is obsolete and has been replaced with "compileOnly", so for current gradle versions, you need to use (as commented by TT):

    dependencies {
        [...]
        compileOnly files('libs/org.simalliance.openmobileapi.jar')
    }
    

    Moreover, you need to have a uses-library entry in your AndroidManifest.xml:

    <uses-library android:name="org.simalliance.openmobileapi"
                  android:required="true" />
    

    However, since you got a SecurityException with the reason "Access Control Enforcer: no APDU access allowed!", this is a clear indication that linking to and using the system-provided Open Mobile API library worked as expected and that you successfully connected to the SmartcardService system service on your device. Consequently, you seem to have your build working as expected.

    Therefore, the SecurityException already clearly tells you what the problem is:

    Access Control Enforcer: no APDU access allowed!

    This means that the access control list on the secure element is not properly configured. Since your debug build works, you probably did register the certificate for your debug environment with the ARA applet (and/or the ARF file) on the secure element. However, release builds are not signed with those same debug keys (certificate). Instead, they are signed with the release keys (certificate) that you chose when selecting "Generate Signed APK..." in Android Studio. Therefore, you have two options:

    1. Add the release certificate to the list of allowed applications for your applet on the secure element.

    2. Change access conditions on the secure element to ALLOW ALL in order to allow access to any applet from any device app.

    Depending on your secure element, you would typically need to update the ARA (GlobalPlatform Access Control) applet (AID A00000015141434C00) or the access rules file (ARF) located in a PKCS#15 application (AID A000000063504B43532D3135) or in the SIM file system with the new access conditions.
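
An added illustration, not part of the original answer: GlobalPlatform access rules identify a device app by the SHA-1 hash of its signing certificate, so a rule registered for the debug certificate does not cover the release build. The sketch builds the rule objects for both options above; the applet AID and certificate bytes are constructed placeholders, and `is_allowed` is a simplified stand-in for the real enforcer.

```python
import hashlib
from typing import Optional

# Tags from GlobalPlatform Secure Element Access Control.
REF_AR_DO, REF_DO, AR_DO = 0xE2, 0xE1, 0xE3
AID_REF_DO, DEVICE_APP_ID_REF_DO, APDU_AR_DO = 0x4F, 0xC1, 0xD0
APDU_ALWAYS = b"\x01"

def tlv(tag: int, value: bytes) -> bytes:
    """Encode a single-byte-tag BER-TLV (values here are always < 128 bytes)."""
    if len(value) >= 0x80:
        raise ValueError("long-form lengths are not needed for rules this small")
    return bytes([tag, len(value)]) + value

def cert_hash(cert_der: bytes) -> bytes:
    """SHA-1 over the DER-encoded signing certificate (the DeviceAppID)."""
    return hashlib.sha1(cert_der).digest()

def build_rule(applet_aid: bytes, cert_der: Optional[bytes]) -> bytes:
    """REF-AR-DO granting APDU access to applet_aid.

    cert_der=None leaves DeviceAppID-REF-DO empty (any device app);
    applet_aid=b"" leaves AID-REF-DO empty (any applet without its own rule).
    """
    app_id = cert_hash(cert_der) if cert_der is not None else b""
    ref_do = tlv(REF_DO, tlv(AID_REF_DO, applet_aid)
                 + tlv(DEVICE_APP_ID_REF_DO, app_id))
    ar_do = tlv(AR_DO, tlv(APDU_AR_DO, APDU_ALWAYS))
    return tlv(REF_AR_DO, ref_do + ar_do)

def is_allowed(rules: list, applet_aid: bytes, cert_der: bytes) -> bool:
    """Simplified check: a rule for this app, for any app, or allow-all."""
    candidates = (build_rule(applet_aid, cert_der),
                  build_rule(applet_aid, None),
                  build_rule(b"", None))
    return any(rule in rules for rule in candidates)

# Constructed sample values: placeholder AID and stand-in certificate bytes.
APPLET_AID = bytes.fromhex("F0010203040506")
DEBUG_CERT = b"constructed stand-in for debug certificate DER"
RELEASE_CERT = b"constructed stand-in for release certificate DER"

if __name__ == "__main__":
    rules = [build_rule(APPLET_AID, DEBUG_CERT)]        # only debug key registered
    print("debug  :", is_allowed(rules, APPLET_AID, DEBUG_CERT))    # True
    print("release:", is_allowed(rules, APPLET_AID, RELEASE_CERT))  # False
    rules.append(build_rule(APPLET_AID, RELEASE_CERT))  # option 1
    print("release after option 1:", is_allowed(rules, APPLET_AID, RELEASE_CERT))
    print("option 2 rule:", build_rule(b"", None).hex().upper())
```

The real enforcer also handles deny rules and rule precedence, which this sketch leaves out.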