I’m posting this here in the hope that it will attract interest by some of the people involved in the eSIM/eUICC related industry in order to resolve a problem that (I think) currently has no solution yet, and requires collaboration of MNOs/MVNOs, eUICC card issuers as well as potentially Smartphone OS vendors.
UICC Carrier Privileges + Android
So Android (since 5.1) has this mechanism called UICC Carrier Privileges which was originally designed so that a [pyhsical] USIM/UICC-card-issuing MNO/MVNO can distribute Android Apps which get elevated privileges to access interfaces that no ordinary app can access. For example: it enables an app to open a logical channel to the USIM/UICC and then exchange raw APDUs via that channel.
The way how this works is
- a special card applet called ARA-M is installed on the UICC/USIM, identified by a well-known AID of
A00000015141434C00
- this applet contains Access Rules which in turn contain (in the case of Android) the hashes of the APK singer key of the card-issuing MNO/MVNO
- when an APK is signed with a key whose digest matches one of the Access Rules in the ARA-M applet, it gets those elevated privileges / access to those normally restricted APIs.
This all worked fine for many years now, and is extensively used in cellular research and testing, for example to enable VoLTE/IMS on private PLMNs as described in the CoIMS wiki.
Problem arises with eSIM/eUICC
Now let’s see what happens with eUICCs, the physical chip used to host the virtualized SIM cards called eSIM profiles.
With eUICCs we now have potentially two competing parties that both want to use the ARA mechanism to get Carrier Privileges:
- the eUICC itself, for example to permit a third-party LPAd (Local Profile Assistant, that’s the name of the application that manages your eUICC and downloads/activates/deactivates/removes eSIM profiles on it)
- the currently active eSIM profile, where the MNO/MVNO that has issued it might still want to use the same UICC Carrier privilges just like in the prior situation with physical cards.
So if both the eUICC (ISD-R) and the eSIM profile (ISD-P) provide an ARA-M applet, the desired result should be that the access rules of both are somehow magically merged, and concurrently active.
The reality however shows that at least several implementations of eUICCs with pre-installed ARA-M applet (including the sysmoEUICC1-C2GsysmoEUICC1-C2G as well as [reportedly] the eSIM.me fail to install eSIM profiles that contain their own ARA-M applet. One prominent example of such an eSIM a profile is that of Vodafone Germany.
Solutions?
Sadly, as far s I can tell, no standards body has so far properly adressed how this should be resolved.
- The GSMA eSIM RSP specifications say nothing about it, I could not find any statement on how AID conflichts between ISD-R (eUICC) and ISD-P (eSIM profile) should be resolved. They appear to ignore it.
- The Google/Android/AOSP documentation doesn’t say anything specific about eUICCs in the context of UICC Carrier Privileges.
- The SIMalliance (now TCA) doesn’t say anything about it
- The GlobalPlatform also doesn’t really have a clear solution - other than that they vaguely describe a situation with ARA-M and ARA-C in their Global Platform Secure Element Access Control v1.1 Section 2.2, where the CardOS provides the ARA-M and the Profiles provide the ARA-C. However, they do not specify the ARA-M vs. ARA-C interface.
Workarounds?
- Android (since 7.0) alternatively adds support for reading access rules from the ARF (Access Rule File). It first tries to use the ARA-M at its well-known AID, and then falls back to selecting another AID (
A000000063504B43532D3135
) where it uses another mechanism to obtain acces rules.
So the eUICC/ISD-R could use the ARF mechanism, while the eSIM Profile/ISD-P could bring an ARA-M applet.
Disadvantage: the eUICC acess rules are effectively disabled as soon as an eSIM profile includes an ARA applet. So if you enable such an eSIM profile, your LPAd application suddenly can no longer talk to the eUICC anymore, and you can never switch to another profile - The eUICC could provide a combined ARA-M and ARA-C load file, which would be instantiated as ARA-M by the ISD-R and as ARA-C by the ISD-P. It would internally merge the access rules and expose the merged rules when the Smartphone/Android reads the access rules. This would require support for that from the eUICC manufacturer, and would require some kind of standardized load file that eSIM profile issuers (MNOs/MVNOs) would instantiate as their ARA-C.
Maybe there are other options I haven’t thought about yet? I’m most welcome to see what other people working in this area have to say about it. Let’s see if I can get anyone to comment/reply here…