Many Android-powered devices that offer NFC functionality already support NFC card emulation. In most cases, the card is emulated by a separate chip in the device, called a secure element. Many SIM cards provided by wireless carriers also contain a secure element.
Android 4.4 and higher provide an additional method of card emulation that doesn't involve a secure element, called host-based card emulation. This allows any Android application to emulate a card and talk directly to the NFC reader. This topic describes how host-based card emulation (HCE) works on Android and how you can develop an app that emulates an NFC card using this technique.

Card emulation with a secure element

When NFC card emulation is provided using a secure element, the card to be emulated is provisioned into the secure element on the device through an Android application. Then, when the user holds the device over an NFC terminal, the NFC controller in the device routes all data from the reader directly to the secure element. Figure 1 illustrates this concept:

Figure 1. NFC card emulation with a secure element.

The secure element itself performs the communication with the NFC terminal, and no Android application is involved in the transaction. After the transaction is complete, an Android application can query the secure element directly for the transaction status and notify the user.

Host-based card emulation

When an NFC card is emulated using host-based card emulation, the data is routed directly to the host CPU instead of being routed to a secure element. Figure 2 illustrates how host-based card emulation works:

Figure 2. NFC card emulation without a secure element.

Supported NFC cards and protocols

Figure 3. Android's HCE protocol stack.

The NFC standards offer support for many different protocols, and there are different types of cards that you can emulate. Android 4.4 and higher supports several protocols that are common in the market today. Many existing contactless cards are already based on these protocols, such as contactless payment cards. These protocols are also supported by many NFC readers in the market today, including Android NFC devices functioning as readers themselves (see the

Specifically, Android 4.4 and higher supports emulating cards that are based on the NFC-Forum ISO-DEP specification (based on ISO/IEC 14443-4) and process Application Protocol Data Units (APDUs) as defined in the ISO/IEC 7816-4 specification. Android mandates emulating ISO-DEP only on top of the Nfc-A (ISO/IEC 14443-3 Type A) technology. Support for Nfc-B (ISO/IEC 14443-4 Type B) technology is optional. Figure 3 illustrates the layering of all of these specifications.

HCE services

The HCE architecture in Android is based around Android

Service selection

When the user taps a device to an NFC reader, the Android system needs to know which HCE service the NFC reader wants to communicate with. The ISO/IEC 7816-4 specification defines a way to select applications, centered around an Application ID (AID). An AID consists of up to 16 bytes. If you are emulating cards for an existing NFC reader infrastructure, the AIDs that those readers look for are typically well-known and publicly registered (for example, the AIDs of payment networks such as Visa and MasterCard). If you want to deploy new reader infrastructure for your own application, you must register your own AIDs. The registration procedure for AIDs is defined in the ISO/IEC 7816-5 specification. We recommend registering an AID as per 7816-5 if you are deploying an HCE application for Android, because it avoids collisions with other applications.

AID groups

In some cases, an HCE service may need to register multiple AIDs and be set as the default handler for all of the AIDs in order to implement a certain application. Routing some of the AIDs in the group to another service isn't supported. A list of AIDs that are kept together is called an AID group. For all AIDs in an AID group, Android guarantees one of the following:
In other words, there is no in-between state, where some AIDs in the group can be routed to one HCE service, and some to another.

AID groups and categories

You can associate each AID group with a category. This allows Android to group HCE services together by category, and that in turn allows the user to set defaults at the category level instead of the AID level. Avoid mentioning AIDs in any user-facing parts of your application, because they don't mean anything to the average user. Android 4.4 and higher supports two categories:
Implement an HCE service

To emulate an NFC card using host-based card emulation, you need to create a

Check for HCE support

Your application can check whether a device supports HCE by checking for the

Service implementation

Android 4.4 and higher provides a convenience

The first step is to extend
As mentioned previously, Android uses the AID to determine which HCE service the reader wants to talk to. Typically, the first APDU an NFC reader sends to your device is a

You can send a response APDU by returning the bytes of the response APDU from

Android keeps forwarding new APDUs from the reader to your service, until either of the following happens:

In both of these cases, your class's

If you are working with existing reader infrastructure, you must implement the existing application-level protocol that the readers expect in your HCE service. If you are deploying new reader infrastructure which you control as well, you can define your own protocol and APDU sequence. Try to limit the number of APDUs and the size of the data to exchange: this makes sure that your users only have to hold their device over the NFC reader for a short amount of time. A reasonable upper bound is about 1 KB of data, which can usually be exchanged within 300 ms.

Service manifest declaration and AID registration

You must declare your service in the manifest as usual, but you must add some additional pieces to the service declaration as well:
The following is an example of a

    <service android:name=".MyHostApduService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
        <intent-filter>
            <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        </intent-filter>
        <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                   android:resource="@xml/apduservice"/>
    </service>

This meta-data tag points to an

    <host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
                       android:description="@string/servicedesc"
                       android:requireDeviceUnlock="false">
        <aid-group android:description="@string/aiddescription" android:category="other">
            <aid-filter android:name="F0010203040506"/>
            <aid-filter android:name="F0394148148100"/>
        </aid-group>
    </host-apdu-service>

The

The
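As an added example (not code from the Android documentation), here is a service of the kind described above that handles the SELECT-by-AID APDU for the two AIDs registered in the sample apduservice.xml, refuses any other command until a SELECT has succeeded, and resets its state when the link is lost. The GET DATA command (INS CA) and the "HELLO" payload are a hypothetical application protocol of the sort you would define for your own reader infrastructure.

```java
import android.nfc.cardemulation.HostApduService;
import android.os.Bundle;
import java.util.Arrays;

public class MyHostApduService extends HostApduService {
    // The two AIDs registered in the sample apduservice.xml above.
    private static final byte[][] OUR_AIDS = {
        {(byte) 0xF0, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06},
        {(byte) 0xF0, 0x39, 0x41, 0x48, 0x14, (byte) 0x81, 0x00}};
    // ISO/IEC 7816-4 status words returned to the reader.
    private static final byte[] SW_OK = {(byte) 0x90, 0x00};
    private static final byte[] SW_NOT_FOUND = {0x6A, (byte) 0x82};       // unknown AID
    private static final byte[] SW_WRONG_LENGTH = {0x67, 0x00};
    private static final byte[] SW_NOT_ALLOWED = {0x69, (byte) 0x85};     // SELECT first
    private static final byte[] SW_INS_UNSUPPORTED = {0x6D, 0x00};
    // Hypothetical data returned to the reader; tiny, well under the ~1 KB budget.
    private static final byte[] PAYLOAD = {'H', 'E', 'L', 'L', 'O'};
    private boolean selected = false;  // per-tap state, cleared in onDeactivated()

    @Override
    public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
        if (apdu == null || apdu.length < 4) return SW_WRONG_LENGTH;
        int ins = apdu[1] & 0xFF, p1 = apdu[2] & 0xFF;
        if (ins == 0xA4 && p1 == 0x04) {              // SELECT by AID
            selected = false;
            byte[] aid = commandData(apdu);
            if (aid == null) return SW_WRONG_LENGTH;
            for (byte[] ours : OUR_AIDS) if (Arrays.equals(aid, ours)) selected = true;
            return selected ? SW_OK : SW_NOT_FOUND;
        }
        if (!selected) return SW_NOT_ALLOWED;          // refuse anything before SELECT
        if (ins == 0xCA) {                             // GET DATA: payload followed by 9000
            byte[] out = Arrays.copyOf(PAYLOAD, PAYLOAD.length + 2);
            System.arraycopy(SW_OK, 0, out, PAYLOAD.length, 2);
            return out;
        }
        return SW_INS_UNSUPPORTED;
    }

    @Override
    public void onDeactivated(int reason) {   // link lost or another AID selected
        selected = false;
    }

    // Data field of a case-3 APDU (CLA INS P1 P2 Lc DATA), or null if malformed.
    private static byte[] commandData(byte[] apdu) {
        if (apdu.length < 5) return null;
        int lc = apdu[4] & 0xFF;
        if (lc == 0 || apdu.length < 5 + lc) return null;
        return Arrays.copyOfRange(apdu, 5, 5 + lc);
    }
}
```

Because Android only binds the service after a SELECT matching one of its registered AIDs, the first APDU the service sees is the SELECT; the length checks are still worth keeping, since the reader controls every byte that follows.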
Your application also needs to hold the

AID conflict resolution

Multiple

For some categories, such as payment, the user might be able to select a default service in the Android settings UI. For other categories, the policy might be to always ask the user which service to invoke in case of conflict. For information about how to query the conflict resolution policy for a certain category, see

Check if your service is the default

Applications can check whether their HCE service is the default service for a certain category by using the
If your service isn't the default, you can request it to be made the default using

Payment applications

Android considers HCE services that have declared an AID group with the payment category as payment applications. Android 4.4 and higher contains a top-level Settings menu entry called tap & pay, which enumerates all such payment applications. In this settings menu, the user can select the default payment application to invoke when a payment terminal is tapped.

Required assets for payment applications

To provide a more visually attractive user experience, HCE payment applications are required to provide a service banner.

Android 13 and higher

To better fit the default payment selection list in the Settings UI, adjust the banner requirement to a square icon. Ideally, it should be identical to the application launcher icon design. This adjustment creates more consistency and a cleaner look.

Android 12 and lower

Set the service banner's size to 260x96 dp, then set the service banner's size in your metadata XML file by adding the

    <host-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
                       android:description="@string/servicedesc"
                       android:requireDeviceUnlock="false"
                       android:apduServiceBanner="@drawable/my_banner">
        <aid-group android:description="@string/aiddescription" android:category="payment">
            <aid-filter android:name="F0010203040506"/>
            <aid-filter android:name="F0394148148100"/>
        </aid-group>
    </host-apdu-service>

Screen off and lock-screen behavior

The behavior of HCE services varies based on the version of Android running on the device.

Android 12 and higher

In apps that target Android 12 (API level 31) and higher, you can enable NFC payments without the device's screen on by setting

Android 10 and higher

Devices running Android 10 (API level 29) or higher support Secure NFC. While Secure NFC is on, all card emulators (host applications and off-host applications) are unavailable when the device screen is off.
While Secure NFC is off, off-host applications are available when the device screen is off. You can check for Secure NFC support using

On devices running Android 10 and higher, the same functionality for setting

Android 9 and lower

On devices that run Android 9 (API level 28) and lower, the NFC controller and the application processor are turned off completely when the screen of the device is turned off. HCE services therefore don't work when the screen is off. Also on Android 9 and lower, HCE services can function from the lock screen. However, this is controlled by the

If you set the

After unlocking, Android shows a dialog prompting the user to tap again to complete the transaction. This is necessary because the user may have moved the device away from the NFC reader in order to unlock it.

Coexistence with secure element cards

This section is of interest for developers who have deployed an application that relies on a secure element for card emulation. Android's HCE implementation is designed to work in parallel with other methods of implementing card emulation, including the use of secure elements. This coexistence is based on a principle called AID routing. The NFC controller keeps a routing table that consists of a (finite) list of routing rules. Each routing rule contains an AID and a destination. The destination can either be the host CPU, where Android apps are running, or a connected secure element. When the NFC reader sends an APDU with a

Figure 4 illustrates this architecture:

Figure 4. Android operating with both secure element and host-card emulation.

The NFC controller typically also contains a default route for APDUs. When an AID is not found in the routing table, the default route is used. While this setting might be different from device to device, Android devices are required to ensure that the AIDs being registered by your app are properly routed to the host. Android applications that implement an HCE service or that use a secure element don't have to worry about configuring the routing table; that is handled by Android automatically. Android merely needs to know which AIDs can be handled by HCE services and which ones can be handled by the secure element. The routing table is configured automatically based on which services are installed and which the user has configured as preferred. The following section explains how to declare AIDs for applications that use a secure element for card emulation.
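The checks discussed in this topic (HCE support, whether your service is the default for the payment category, the category's conflict resolution policy, and Secure NFC on Android 10 and higher) combined into one added example using the platform's CardEmulation and NfcAdapter APIs; this is not code from the Android documentation, and the service class name is a hypothetical placeholder that must match your manifest:

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;
import android.nfc.NfcAdapter;
import android.nfc.cardemulation.CardEmulation;
import android.os.Build;

public final class HceStatus {
    // Hypothetical service class; must match the <service> declared in the manifest.
    private static final String SERVICE_CLASS = ".MyHostApduService";

    // Returns a short human-readable summary of the HCE-related platform state.
    public static String describe(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        if (!pm.hasSystemFeature(PackageManager.FEATURE_NFC_HOST_CARD_EMULATION)) {
            return "HCE is not supported on this device";
        }
        NfcAdapter adapter = NfcAdapter.getDefaultAdapter(ctx);
        if (adapter == null) return "no NFC adapter present";
        CardEmulation ce = CardEmulation.getInstance(adapter);
        String pkg = ctx.getPackageName();
        ComponentName me = new ComponentName(pkg, pkg + SERVICE_CLASS);
        StringBuilder sb = new StringBuilder();
        // Payment category: is our service the one Settings > tap & pay points at?
        sb.append("default payment service: ")
          .append(ce.isDefaultServiceForCategory(me, CardEmulation.CATEGORY_PAYMENT))
          .append('\n');
        // How the platform resolves conflicts for the payment category on this device.
        switch (ce.getSelectionModeForCategory(CardEmulation.CATEGORY_PAYMENT)) {
            case CardEmulation.SELECTION_MODE_PREFER_DEFAULT:
                sb.append("mode: prefer default\n"); break;
            case CardEmulation.SELECTION_MODE_ALWAYS_ASK:
                sb.append("mode: always ask\n"); break;
            case CardEmulation.SELECTION_MODE_ASK_IF_CONFLICT:
                sb.append("mode: ask if conflict\n"); break;
            default:
                sb.append("mode: unknown\n");
        }
        // Secure NFC (Android 10+): while on, no card emulation with the screen off.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            sb.append("secure NFC supported: ").append(adapter.isSecureNfcSupported())
              .append(", enabled: ").append(adapter.isSecureNfcEnabled()).append('\n');
        }
        return sb.toString();
    }
}
```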
Secure element AID registration

Applications using a secure element for card emulation can declare an off-host service in their manifest. The declaration of such a service is almost identical to the declaration of an HCE service. The exceptions are as follows:

The following is an example of the corresponding

    <offhost-apdu-service xmlns:android="http://schemas.android.com/apk/res/android"
                          android:description="@string/servicedesc">
        <aid-group android:description="@string/subscription" android:category="other">
            <aid-filter android:name="F0010203040506"/>
            <aid-filter android:name="F0394148148100"/>
        </aid-group>
    </offhost-apdu-service>

The

The

Off-host service invocation

Android never starts or binds to a service that is declared as "off-host," because the actual transactions are executed by the secure element and not by the Android service. The service declaration merely allows applications to register AIDs present on the secure element.

HCE and security

The HCE architecture provides one core piece of security: because your service is protected by the

The last remaining concern is where your app gets the data that it sends to the NFC reader. This is intentionally decoupled in the HCE design: it does not care where the data comes from; it just makes sure that it is safely transported to the NFC controller and out to the NFC reader. For securely storing and retrieving the data that you want to send from your HCE service, you can, for example, rely on the Android Application Sandbox, which isolates your app's data from other apps. For more details about Android security, read Security tips.

Protocol parameters and details

This section is of interest for developers who want to understand what protocol parameters HCE devices use during the anti-collision and activation phases of the NFC protocols. This allows building a reader infrastructure that is compatible with Android HCE devices.

Nfc-A (ISO/IEC 14443 type A) protocol anti-collision and activation

As part of the Nfc-A protocol activation, multiple frames are exchanged. In the first part of the exchange, the HCE device presents its UID; HCE devices should be assumed to have a random UID.
This means that on every tap, the UID that is presented to the reader is a randomly generated UID. Because of this, NFC readers should not depend on the UID of HCE devices as a form of authentication or identification. The NFC reader can subsequently select the HCE device by sending a

ISO-DEP activation

After the Nfc-A protocol is activated, the NFC reader initiates the ISO-DEP protocol activation. It sends a RATS (Request for Answer To Select) command. The NFC controller generates the RATS response, the ATS; the ATS isn't configurable by HCE services. However, HCE implementations must meet NFC Forum requirements for the ATS response, so NFC readers can count on these parameters being set in accordance with NFC Forum requirements for any HCE device. The section below provides more details on the individual bytes of the ATS response provided by the NFC controller on an HCE device:

Note that many HCE devices are likely made compliant with protocol requirements that the payment networks united in EMVCo have specified in their "Contactless Communication Protocol" specification. In particular:
APDU data exchange

As noted earlier, HCE implementations support only a single logical channel. Attempting to select applications on different logical channels doesn't work on an HCE device.