Chris Mode51
2 min read · Dec 27, 2022

eSIM RSP Android App Privilege Elevation for WRITE_EMBEDDED_SUBSCRIPTIONS

Ubigi and Truphone are examples of eSIM providers that support provisioning using a client app. With Ubigi the QR code method (via email) is still supported if preferred, but in this article we will explore how eSIM activation using a downloaded client app works on Android.

The following eSIM activation methods exist:

  • user scans a QR code which sends the IP address of the SM-DP+ (Subscription Manager Data Preparation +) to the LPAd (Local Profile Assistant for Device)
  • a default SM-DP+ address can be configured in the eUICC at the factory
  • discovery services, including the GSMA eSIM Discovery Service, Apple Lookup Service and custom discovery services, can be polled for new profiles to be associated with the eUICC
  • Android apps can initiate an eSIM profile download by passing a message to the eUICC containing the SM-DP+’s address and an activation code

On Android, installing a downloaded eSIM profile requires WRITE_EMBEDDED_SUBSCRIPTIONS, a special privileged permission granted only to system (firmware) apps. The QR method invokes the built-in OS eSIM client interface, which comes with the firmware and already holds this permission, whereas third-party apps are not granted it at install time. So how can a downloaded app install an eSIM profile without WRITE_EMBEDDED_SUBSCRIPTIONS?

During the negotiation between the LPAd and the SM-DP+, after the initial Common Mutual Authentication procedure has completed, GetBoundProfilePackage is invoked. As part of this procedure, metadata describing the new profile is returned from the SM-DP+ to the LPAd. If this metadata contains a signature that matches the signature of the calling Android app, then the app is granted carrier privileges prior to the installation:

The eUICC OS and SM-DP+ must support a proprietary tag BF76 in the profile metadata.

The tag content should be the same carrier privilege rules as returned by the access rule applet (ARA) defined in UICC Carrier Privileges.

The installation itself requires the WRITE_EMBEDDED_SUBSCRIPTIONS permission that is only granted to a system or carrier app.

The ARA-M privilege elevation, granted just in time prior to installation, allows downloadable Android client apps to act as carrier apps and therefore become authorized by the SM-DP+ to install eSIM profiles.
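
To audit which app a profile's metadata would elevate, the Python below parses a BF76 object and checks a signing certificate and package name against its carrier privilege rules. It is an added example, not code from this article or from Android. The inner tags (E2, E1, C1, CA, E3, DB) are taken from the rule layout in Android's UICC Carrier Privileges documentation, and the certificate bytes, the package name com.example.rsp and all function names are constructed for illustration.

```python
import hashlib

def tlvs(buf):
    """Iterate (tag, value) over concatenated BER-TLVs; raise ValueError if truncated."""
    pos = 0
    while pos < len(buf):
        try:
            tag, pos = buf[pos], pos + 1
            if tag & 0x1F == 0x1F:               # two-byte tag such as BF76
                tag, pos = (tag << 8) | buf[pos], pos + 1
            length, pos = buf[pos], pos + 1
            if length & 0x80:                    # long-form length
                n = length & 0x7F
                length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        except IndexError:
            raise ValueError("truncated TLV header") from None
        if pos + length > len(buf):
            raise ValueError("TLV value runs past end of buffer")
        yield tag, buf[pos:pos + length]
        pos += length

def carrier_rules(metadata):
    """Return the REF-AR-DO rules carried under tag BF76 in profile metadata."""
    rules = []
    for tag, body in tlvs(metadata):
        if tag != 0xBF76:
            continue
        for t, ref_ar in tlvs(body):
            if t != 0xE2:                        # REF-AR-DO
                continue
            f = {(o, i): v for o, grp in tlvs(ref_ar) for i, v in tlvs(grp)}
            rules.append({"cert_hash": f.get((0xE1, 0xC1)),  # DeviceAppID-REF-DO
                          "package": f.get((0xE1, 0xCA)),    # PKG-REF-DO, optional
                          "perm": f.get((0xE3, 0xDB))})      # PERM-AR-DO bitmask
    return rules

def grants_carrier_privileges(rules, signing_cert, package):
    """True if a rule lists this cert's SHA-1 or SHA-256 and, when set, the package."""
    digests = {hashlib.sha1(signing_cert).digest(), hashlib.sha256(signing_cert).digest()}
    return any(r["cert_hash"] in digests and r["package"] in (None, package.encode())
               for r in rules)

def tlv(tag, value):                             # short-form encoder, sample building only
    return tag.to_bytes((tag.bit_length() + 7) // 8, "big") + bytes([len(value)]) + value

CERT = b"constructed signing certificate, not real DER"   # constructed sample input
SAMPLE = tlv(0xBF76, tlv(0xE2,                             # constructed metadata fragment
    tlv(0xE1, tlv(0xC1, hashlib.sha256(CERT).digest()) + tlv(0xCA, b"com.example.rsp"))
    + tlv(0xE3, tlv(0xDB, bytes(7) + b"\x01"))))
```

A rule that omits the package name matches any app signed with the listed certificate, so an audit should flag such rules for closer review.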