I have a UICC (by Gemalto), which has some very strict APDU Access Rules. I would like to access an applet on the UICC from an Android app, but these rules do not allow me to send any APDUs.
So I need to change these rules.
I tried the following:
Sending "Store Data - Store AR-DO" command directly to ARA applet => I get status word "security status not satisfied"
Authenticating to Issuer Security Domain, sending Install For Personalization command to Issuer Security Domain and then sending Store Data through ISD. => The same result, "security status not satisfied".
Am I doing something wrong? Any idea? Do I need any extra authentication, passwords or keys to be able to change Access Rules? Is it even possible to change Access Rules once they are already set up?
The Security Status Not Satisfied error code occurs only when some prerequisite authentication conditions are not satisfied before sending the APDU command.
Updating APDU access rules (i.e. access rules stored in the ARA) requires proper authentication. Without doing proper authentication you cannot update the AR in the ARA applet, so only selecting the applet and sending the Store Data command is not enough. You need to do proper authentication, because in this case once the command routes to the UICC (or an application existing on the UICC) from any terminal or server, authentication and integrity are checked first to verify that the command comes from an authenticated server or terminal. If authentication fails, the APDU command will fail with the Security Status Not Satisfied error, which is what is happening in your case.
The Access Rule (AR) is stored in the ARA and can be updated over the air with standardized Global Platform Secure Messaging or Remote Applet Management functionality, i.e. you need to send the APDU command (i.e. Store Data) under the security of Secure Channel Protocol (SCP02) or SCP80. Please refer to the Global Platform and ETSI specifications for details of these protocols.
After proper authentication, send the Install[For Personalisation] command to the Security Domain (generally the AR applet is associated with the ISD, so here the Security Domain may be the ISD), then send the Store Data command to change the ARA entry. As the preceding command is Install[For Personalisation], the next Store Data command will route to the ARA Applet.
Please make sure that all these APDU commands are transferred after establishment of a proper secure channel (in the case of SCP02) or within a proper secure envelope (in the case of SCP80).
Thanks, Happy to help.
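The command sequence described in the answer, as an added example that is not part of the original post: it builds the plain Install[For Personalisation] and Store Data (Store AR-DO) APDUs that would be sent inside an already authenticated secure channel. The tag, P1 and AID values are stated from the GlobalPlatform Card Specification and Secure Element Access Control encodings and should be checked against the version the card implements; the applet AID and certificate bytes are constructed sample values, and the SCP02/SCP80 wrapping (MAC, CLA change) is assumed to be applied by the secure channel layer.

```python
import hashlib

ARA_M_AID = bytes.fromhex("A00000015141434C00")  # ARA-M AID (GlobalPlatform SEAC)
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982        # status word seen in the question


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a one-byte-tag BER-TLV object (short or 0x81 long-form length)."""
    if len(value) > 0xFF:
        raise ValueError("value too long for a single short APDU")
    length = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return bytes([tag]) + length + value


def install_for_personalization(app_aid: bytes) -> bytes:
    """Tell the Security Domain which applet the next STORE DATA is forwarded to."""
    data = b"\x00\x00" + bytes([len(app_aid)]) + app_aid + b"\x00\x00\x00"
    return bytes([0x80, 0xE6, 0x20, 0x00, len(data)]) + data


def store_ar_do(applet_aid: bytes, cert_sha1: bytes, allow_apdu: bool) -> bytes:
    """STORE DATA carrying one Command-Store-REF-AR-DO (tag F0)."""
    if len(cert_sha1) != 20:
        raise ValueError("expected a 20-byte SHA-1 certificate hash")
    # REF-DO (E1): which applet (4F) and which device application (C1)
    ref_do = tlv(0xE1, tlv(0x4F, applet_aid) + tlv(0xC1, cert_sha1))
    # AR-DO (E3) with APDU-AR-DO (D0): 01 = always allow, 00 = never allow
    ar_do = tlv(0xE3, tlv(0xD0, b"\x01" if allow_apdu else b"\x00"))
    payload = tlv(0xF0, tlv(0xE2, ref_do + ar_do))
    if len(payload) > 0xFF:
        raise ValueError("rule does not fit in one STORE DATA block")
    # P1 = 0x90: last block, BER-TLV coded data; P2 = 0x00: block number 0
    return bytes([0x80, 0xE2, 0x90, 0x00, len(payload)]) + payload


def rule_update_sequence(applet_aid: bytes, cert_der: bytes, allow_apdu: bool = True):
    """Plain APDUs in the order the answer gives; each must still be protected
    by the secure channel, otherwise the card answers 6982."""
    cert_sha1 = hashlib.sha1(cert_der).digest()
    return [install_for_personalization(ARA_M_AID),
            store_ar_do(applet_aid, cert_sha1, allow_apdu)]


if __name__ == "__main__":
    # Constructed sample values: a proprietary-range AID and fake certificate bytes.
    for apdu in rule_update_sequence(bytes.fromhex("F00102030405"),
                                     b"constructed certificate bytes"):
        print(apdu.hex().upper())
```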