
android – JavaCard 3 in real world?

Posted by: admin May 14, 2020

Questions:

I’m currently working on my diploma work. Part of the work includes development of a JavaCard applet for regular SIM cards. The first option is to use the JavaCard2.X API and use APDU commands to communicate with the applet. This might be very tricky, as I need to develop a client app for Android (which will communicate with this applet), and that is so far possible only through a special – not so user friendly – API called Seek-for-android. (If I’m wrong, please correct me.)

However, I also came across JavaCard3 Connected Edition, which provides much more options – for example web applets. Using webapps, deployed on SIM card and accessing them through browser in mobile device would be very convenient (of course developing such applet would be much easier as well). Problem is, that I can’t find any mentions of Javacard3 being used in real life, or even on real SIM cards. I can’t even find any mentions of possible date of release of such cards. Actually, there is almost no information on this topic.

So, my question is – do you know anything useful about this platform? Anything about real-life usage? Which card supports Javacard3? Are there any developers smart-cards, which are “JC3 enabled”? Will there be SIM cards with this platform in the future?

Thanks a lot for answers!!!

How to & Answers:

At JavaOne 2012 Moscow representatives of the JavaCard Oracle team demonstrated a prototype device with support for Java 3 Connected Edition based on Portable Security Token ES.

Answer:

There is no card in the field with JavaCard 3 right now. Everything is under development.
But I recommend you have a look at JSR 177. If Android supports it, you can communicate with your applet by normal APDU commands.

Answer:

It’s 2018 when I am writing this and I think this question needs a new answer.

Java Card 3 Connected Edition is dead in the water. It requires a large amount of RAM, which is still expensive even in the latest editions of the chips. SRAM takes large amounts of memory, and high end chips often still contain 8-10KiB of RAM max.

Furthermore, it was generated with the idea that web-developers would easily connect with it. This doesn’t seem to have happened and it is questionable if a security device should be programmed by web-devs at all.

The additional overhead of the TLS protocol adds a heavy overhead without apparent benefit. The TLS protocol also requires a weird connection with the browser / end user. The idea that you can enter a PIN or password on a chip generated web page certainly has failed.

The idea of adding hardware support for browsers in general has failed. Before there were Java applets running in the browser, and the browser largely depended on add-ons. This has all gone away and it is very unlikely to return.

So even if RAM (or FRAM, MRAM, XCross or whatever hybrid memory solution will exist) ever comes cheap on a secure smart card processor, it is unlikely that JC 3 Connected will again see the light of day. Meanwhile Java Card Classic is still going strong although it is far from sexy at the moment – the OTN forum on Java Card is as good as dead (although OTN and sexy themselves are so far apart that they might as well exist on different poles, I certainly prefer SO).