Wednesday, April 16, 2014

Host Card Emulation Series: Google Cloud Messaging

Notifications can be an integral part of securing cloud based payment transactions.  Most mobile OS platforms support notification resources that can be leveraged by the platform developers for different reasons.  In the case of cloud based payments, notifications can be used to help secure and enforce authentic transactions at the POS.

The only relevant mobile OS platform at the time of this publication that supports payments that are accepted by existing mainstream acquirers is the AOSP or Android.  HCE (Host Card Emulation) was released inside Android 4.4 last October, so this blog post will focus on using Google Cloud Messaging or GCM.

An overview of the GCM architecture:

As you can see above, GCM and the mobile device form a channel that is independent of the application itself.  This is because the Android OS manages the registration of each application, and therefore also manages communication with that registration, which includes OS and device level security precautions.

For a third party system to send a notification using GCM, the system follows step (a) above, and the notification message is then expected to be delivered over GCM channels. That is all there is to it.

This architecture can be used as a security measure to protect data that is ultimately relayed to a POS from a mobile application.  This simple diagram indicates how payment transaction data can be protected using 2 different delivery channels.

As you see above, the message that is to be delivered to the mobile application is split and delivered over 2 different channels.  So now, with contactless or EMV (Cloud Based) credentials, payment information can be protected by these means:

1)  Dynamic Transaction Data:  each transaction data delivered to the POS is dynamic or changing from transaction to transaction so that a single transaction data can't be used more than one time

2)  2 Channel Delivery:  each dynamic transaction data above is split and delivered to the mobile device using SSL as one channel and GCM as a separate channel
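
As an added illustration (not code from the original post or from the SimplyTapp SDK), the Java program below shows one way the split in item 2 could work: the server XORs the dynamic transaction data with a random pad and sends the two halves over the two channels, and the device recombines them only when both carry the same transaction counter. The XOR scheme, the "atc:base64" share format and all class and method names are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example. The XOR split and the "atc:base64" share format are assumptions,
// not the SimplyTapp platform's documented scheme.
public class TwoChannelSplit {
    private static final SecureRandom RNG = new SecureRandom();

    /** One half of a split message, tagged with the transaction counter it belongs to. */
    static final class Share {
        final short atc;
        final byte[] body;

        Share(short atc, byte[] body) { this.atc = atc; this.body = body; }

        /** Text form, because both an HTTPS body and a notification string carry text. */
        String encode() { return atc + ":" + Base64.getEncoder().encodeToString(body); }

        static Share decode(String s) {
            int sep = s.indexOf(':');
            if (sep < 1) throw new IllegalArgumentException("malformed share");
            return new Share(Short.parseShort(s.substring(0, sep)),
                             Base64.getDecoder().decode(s.substring(sep + 1)));
        }
    }

    /** Server side: share 0 is a fresh random pad, share 1 is data XOR pad. */
    static Share[] split(short atc, byte[] data) {
        byte[] pad = new byte[data.length];
        RNG.nextBytes(pad);
        byte[] masked = new byte[data.length];
        for (int i = 0; i < data.length; i++) masked[i] = (byte) (data[i] ^ pad[i]);
        return new Share[] { new Share(atc, pad), new Share(atc, masked) };
    }

    /** Device side: recombine only two shares of the same transaction. */
    static byte[] combine(Share overSsl, Share overGcm) {
        if (overSsl.atc != overGcm.atc)
            throw new IllegalStateException("shares belong to different transactions");
        if (overSsl.body.length != overGcm.body.length)
            throw new IllegalStateException("share lengths differ");
        byte[] out = new byte[overSsl.body.length];
        for (int i = 0; i < out.length; i++) out[i] = (byte) (overSsl.body[i] ^ overGcm.body[i]);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for two transactions' dynamic data.
        byte[] txn0 = "constructed-dynamic-data-0".getBytes(StandardCharsets.UTF_8);
        byte[] txn1 = "constructed-dynamic-data-1".getBytes(StandardCharsets.UTF_8);
        Share[] s0 = split((short) 0, txn0);
        Share[] s1 = split((short) 1, txn1);

        // Each share travels as text on its own channel and is decoded on the device.
        Share ssl0 = Share.decode(s0[0].encode());
        Share gcm0 = Share.decode(s0[1].encode());
        System.out.println("recombined ok: " + Arrays.equals(txn0, combine(ssl0, gcm0)));

        // A share replayed from another transaction is refused rather than recombined.
        try {
            combine(ssl0, Share.decode(s1[1].encode()));
            System.out.println("mismatch accepted (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this kind of split, an observer of only one channel sees bytes that are independent of the transaction data. The split provides no integrity protection on its own, so a deployment would still need to authenticate each share.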


Using GCM with SimplyTapp Platform

The example below provides a hands-on approach to accomplishing these tasks on the SimplyTapp platform.  The platform has Notification messaging built into it so that you do not have to concern yourself with the technical details of delivering messages over the network.  The interface abstracts the complexity and simply offers a "send to agent" api taking a single message as a string from the card applet service api framework.  This message has a known destination of the matching card agent for the card applet service.  The SimplyTapp platform handles all the routing and delivery to the proper place.

First things first: after downloading the IssuerSdk, unpack it, go into IssuerSdkBundle, edit the CardAgentTesterApp/build.gradle file, and make sure the agentToTest flag is uncommented for "CardAgent-GCM":

//
//  Swap the line below if you wish to test CardAgent-PayPass or
//  CardAgent-VisaMSD-SwipeYours instead of the CardAgent directory's code
// 
//def agentToTest = "CardAgent"
//def agentToTest = "CardAgent-PayPass"
//def agentToTest = "CardAgent-VisaMSD-SwipeYours"
def agentToTest = "CardAgent-GCM"


Then build for Eclipse:
> gradle eclipse

CardApplet service:

Import CardApplet-GCM into Eclipse as a Java project.  In the CardApplet.java file, look at the code:

private short ATC = 0;

public void process(APDU apdu) {
  // Good practice: Return 9000 on SELECT
  if (selectingApplet()) {
    //no perso required for this card, so enable on first select
    Calendar exp = Calendar.getInstance();
    exp.set(Calendar.YEAR, 2014);
    exp.set(Calendar.MONTH, 4);
    try {
      setStatePersonalized("5413123456784800", exp, "");
    } catch (IOException e) {
      // personalization failed; ignored in this demo
    }
    return;
  }

  byte[] buf = apdu.getBuffer();
  switch (buf[ISO7816.OFFSET_INS]) {
  case (byte) 0x01:  //command to send a message via GCM
    short len = apdu.setIncomingAndReceive();
    //convert bytes to ASCII
    byte[] bytes = new byte[len];
    Util.arrayCopy(apdu.getBuffer(), (short)5, bytes, (short)0, len);
    String msg = "";
    try {
      msg = new String(bytes, "UTF-8");
      //echo back the Google Cloud Messaging Notification
      this.sendToAgent("Applet Message No.: "+ATC+"\nData: " + msg);
      ATC++;
    } catch (IOException e) {
    }
    break;
  default:
    // good practice: If you don't know the INStruction, say so:
    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
  }
}

The code above in the applet is pretty simple.  Upon select, it switches the state of the card to personalized if it isn't personalized already.  It also supports only one command (0x01), which simply echoes an incoming data message to the GCM service.  The key method to send a message via GCM is:

sendToAgent("this is a string destined to my agent over GCM");

An IOException may be thrown in the event that the card agent has not yet been loaded by the mobile application.


CardAgent:

Import CardAgent-GCM into Eclipse as a Java project.  In the CardAgent.java file, look at the code:

@Override
public void messageFromRemoteCard(String msg)
{
  try {
    //post the message to the app, get the response back to message approval
    postMessage("GCM message from applet:\n"+msg+"\n\nTry Again?", true, null);
  } catch (IOException e) {
  }

}

When the card agent receives a message from the GCM server, this method posts the message to the mobile application.

The next code collects a message from the application user and relays that message to the remote card applet service:

public void post()
{
  //post a message to the app, get a response back to message approval with approval data
  //the message must be less than 32 bytes as defined by the 32 passed to StringData below
  ApprovalData.StringData stringData = new ApprovalData.StringData((short)0,(short)32);
  ApprovalData approvalData = new ApprovalData(stringData);
  try {
    postMessage("Enter A GCM Message", false, approvalData);
  } catch (IOException e) {
  }
}

@Override
public void messageApproval(boolean approval, ApprovalData approvalData)
{
  if(approvalData!=null && approvalData.getApprovalData()!=null)
  {
    ApprovalData.StringData data = (ApprovalData.StringData)approvalData.getApprovalData();
    if(data!=null && data.getAnswer()!=null)
    {
      byte[] msg = data.getAnswer().getBytes();
      try {
        connect();
      } catch (IOException e) {
      }
      try {
        TransceiveData batchCommands = new TransceiveData(TransceiveData.NFC_CHANNEL);
        batchCommands.setTimeout((short) 5000);

        // In this example we just pack a single APDU command to send a message after card reset
        // and select of applet
        batchCommands.packCardReset(false);
        // select applet
        byte[] apduData = new byte[10];
        apduData[0] = 0x00;
        apduData[1] = (byte)0xa4;
        apduData[2] = 0x04;
        apduData[3] = 0x00;
        apduData[4] = 0x05;
        apduData[5] = 0x00;
        apduData[6] = 0x01;
        apduData[7] = 0x02;
        apduData[8] = 0x03;
        apduData[9] = 0x04;
        batchCommands.packApdu(apduData, false);
        //send message to applet to relay over GCM
        short len = (short)msg.length;
        apduData = new byte[5+len];
        apduData[0] = 0x00;
        apduData[1] = 0x01;
        apduData[2] = 0x00;
        apduData[3] = 0x00;
        apduData[4] = (byte)len;
        System.arraycopy(msg, 0, apduData, 5, msg.length);
        batchCommands.packApdu(apduData, true);  //make sure this completes before disconnecting
        transceive(batchCommands);
      } catch (IOException e) {
      }
      try {
        disconnect();
      } catch (IOException e) {
      }
    }
  }
  else if(approval)
    post();
}

@Override
public void create() {
  post();

}

The transceive function sends APDU commands to the card applet service for processing. The payload of the second APDU carries the message to send, in ASCII format, taken from data.getAnswer().getBytes().


Running a test:

Now, let's try it out.  Import CardAgentTesterApp into Eclipse as an Android project.  After the import is completed, browse to the com.simplytapp.config.Constants.java file and adjust its contents to match the settings of the PC that will be running the CardApplet simulator when you start the card applet:

package com.simplytapp.config;

public class Constants {

    /*setup to communicate to the remoteSE simulator
     * make sure that you have the IssuerSdk simulator 
     * running in order for the cardAgent to connect to it.
     * It is important that if you are using the same eclipse
     * client to run the SESDK as this card agent project that
     * you run the SESDK NOT in debug mode as it can tend to
     * slow the response from the SESDK down to non-realistic
     * latencies.  anyway, adjust the ipaddress and port 
     * for the running SESDK below accordingly for your environment
     */
  //address of a running SE simulator
  final public static String ip="192.168.1.66";
  //port address of a running SE simulator
  final public static int port=3000;            


}

Also, make sure your mobile device has WIFI on and is connected to your internal network so that it can reach the simulator config as defined above.

Next, start the CardApplet project inside Eclipse, which will prompt you to enter commands in the command window.  First highlight the project "CardApplet-GCM" and click the debug button.  You may have to select the main class for the project.  If so, select "com.simplytapp.cardwrapper.CardWrapper".  You should see this in the command window:

# SimplyTapp simulator running on port 3000
# gpjNG connected on port 3000
# Connected to card NFC interface
# using gpjNG!
# type: help
# to get started
#
Found card in terminal: SimplyTapp
ATR: 3B 00 
>

At the command prompt enter:

>/card
ATR: 3B 00 
Command  APDU: 00 A4 04 00 07 A0 00 00 01 51 00 00 
Response APDU: 6F 0F 84 08 A0 00 00 01 51 00 00 A5 04 9F 65 01 FF 90 00 
(16 ms)
Successfully selected Security Domain GP211 A0 00 00 01 51 00 00 
>auth
Command  APDU: 80 50 00 00 08 F4 AA A8 1A ED CB 4C 84 
Response APDU: 00 00 00 00 00 00 00 00 00 00 FF 02 00 00 6C 55 44 79 7A 91 94 AC C7 A2 F3 8D E7 1B 90 00 
(27 ms)
Command  APDU: 84 82 00 00 10 10 2F AA 11 12 B3 0C 93 52 3C 41 C3 46 65 5C 92 
Response APDU: 90 00 
(6 ms)
>install -i 0001020304 |com.st |CardApplet
Command  APDU: 80 E6 0C 00 1E 06 63 6F 6D 2E 73 74 0A 43 61 72 64 41 70 70 6C 65 74 05 00 01 02 03 04 01 00 02 C9 00 00 
Response APDU: 00 90 00 
(17 ms)
>exit-shell
exiting shell, leaving port open

This installs the new applet as AID 0001020304, which is the proper AID for this demo.  After installation, we run exit-shell, which leaves the simulator running and ready for connections to the card on port 3000, as shown above in this configuration.

Once the simulator is running the card applet service, you can run the card applet tester app on your device.  

Once the app starts, you should get a prompt like this:  


After clicking the "Ok" button, the text will go to the card agent which will connect to the remote card applet and send the message to the remote card applet.  The card applet will then, in turn, add the message counter information setup in the example code to the message and send the message to GCM for delivery back to the card agent in the mobile application.  So you should end up seeing a full circle message delivery and notification from your mobile device that looks like this:


This test can be repeated as many times as you like; its only purpose is to demonstrate how to use GCM to transport information from the remote card applet service to its card agent.

