How to make interoperable authentication applets on SIM cards?
The interoperability of SIM card applets (SIM Toolkit applications) is an important requirement in today’s mobile communication business. It is normal practice for MNOs to have SIM cards from different SIM vendors. These different cards come with different characteristics including differences in ETSI library versions, Java Card versions, GlobalPlatform API releases etc. The SIM cards are highly standardized in the ETSI Smart Card Platform (SCP) technical specifications. Cryptography and Java Card technologies are also highly standardized even though these technologies have been evolving for a long time. The common problem is that there are still small hidden obstacles and differences in the card platform implementations that every new software must be properly tested and verified.
For the purpose of this blog, we have identified two different legacy approaches to solving SIM toolkit application interoperability issues in mobile communication business.
The first approach is to write detailed specifications in ETSI or in other standardization forums. The GSMA Mobile Connect specification tries to solve CPAS8 applet interoperability in this way. The CPAS8 applet specification has only small number of options and the specification is very detailed. SIMalliance has also published corresponding “Mobile Connect SIM Applet Interoperability Stepping Stones” specification for the CPAS8 applet. The biggest pro of this approach is that the specifications become industry standards meaning anyone can use the specification to develop an authentication applet. This approach is good when a company has enough development resources to follow yet another specification and related conventions. However, the con of this approach is that industry specification and standardization endeavor often takes long, produces large documentation that is sometimes difficult to read/understand and often times, does not cover everything (covers only the most common interoperability issues).
The second approach is the one taken by some SIM card vendors. SIM card vendors have a slightly different approach for interoperability. Gemalto (GTO) has a VMAC applet certification procedure and Giesecke & Devrient (GD) has a WIB applet certification procedure. Pro of this approach is that someone makes some business by checking the applet interoperability and therefore quality control is higher than when vendors just follow new GSMA/SIMalliance specifications. Con in this model is that the applet issuer like GTO or GD will be better positioned in the applet (and SIM card) market than other players. They can control the speed of new certified cards and monitor the other vendor’s products etc.
Methics takes a new approach to the interoperability issues. The Alauda Applet was developed with interoperability in mind; hence the applet supports cards from all SIM card vendors. An accompanying testing tool – the AlaudaTool – is provided in the applet package for applet/card interoperability testing. The pro of this approach is that you can easily test various product combinations and get clear test reports quickly. It is also cost efficient to deploy applets on every possible new SIM platforms. Con is that the testing tool depends on the applet specification and it is quite hard to develop new tools. To minimize required new development work for each new applet specification we have developed an applet test framework and nowadays we can just define new applet functional tests by just adding new simple Java JUnit tests.