Issue with Secure Messaging in Android HCE App - Invalid Class (SW 6E00) during AID Selection


I'm currently developing an Android Host Card Emulation (HCE) app targeting API level 34. My application handles the server-side implementation of PACE (Password Authenticated Connection Establishment) authentication and responds to APDU commands in secure messaging. This app manages two Applets:

  1. The main Applet, whose AID is registered statically in "apduservice.xml". It triggers the application and executes PACE => this part works perfectly.

  2. A second Applet intended to be selected within the PACE secure channel. The registration of this AID will occur after PACE takes place, using "registerAidsForService".

The PACE authentication part is working as expected. However, I face an issue with the encrypted SELECT AID command that follows the PACE process. Specifically, I receive an SW 6E00 (invalid class) response. I suspect this is related to the CLA=0C in the SELECT command.

My question: Does Android HCE support AID selection with secure messaging? If so, could someone guide me on the correct approach to achieve this?

I understand that resolving the select issue is crucial, and once done, I'll need to explore how to dynamically register the encrypted AID of my second applet...

During my tests, I observed that when sending a READ BINARY in Secure Messaging, it consistently reaches processCommandApdu. This means that only the SELECT command always returns 6E00.

When troubleshooting, I attempted to find the entry point of the SELECT AID handling in the Android API. My goal was to understand how this part is managed and gain insights into error handling. Unfortunately, I didn't find anything.


0
Monssif On BEST ANSWER

I haven't made much progress, but I believe I've found the answer to my question, so I'll share the result so that it helps someone in the future.

I came across a code snippet from the Android Host Emulation Manager class com.android.nfc.cardemulation.HostEmulationManager.java.

In the findSelectAid method, there's a comment stating that secure messaging isn't supported.
Therefore, it seems impossible to achieve this using Android, so I'm now exploring alternatives to Android HCE for my use case.
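The following is an added example and is not code from the question, from either answer, or from Android itself. It models, in Python rather than the app's Java/Kotlin, the behaviour the question and the accepted answer describe: a routing layer in front of the service recognises SELECT by AID only in its plain form (CLA 00, INS A4, P1 04), so a SELECT wrapped in ISO 7816-4 secure messaging (CLA 0C, AID inside the DO 87 cryptogram) has no AID that can be matched in the clear and is answered with SW 6E00, while an SM READ BINARY is simply passed on to processCommandApdu. The sample APDUs, the AID, and the 16-byte "cryptogram" and 8-byte "MAC" are constructed placeholders, not real PACE traffic; the `front_end` function is an assumed model of the platform's behaviour, not its source.

```python
from typing import Dict, Optional

# Status words (ISO 7816-4)
SW_OK = bytes.fromhex("9000")
SW_CLASS_NOT_SUPPORTED = bytes.fromhex("6E00")   # the SW the question reports
SW_NOT_FOUND = bytes.fromhex("6A82")             # application not found


def build_select(aid: bytes, cla: int = 0x00) -> bytes:
    """Short-form SELECT by DF name: CLA A4 04 00 Lc <AID> Le."""
    return bytes([cla, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def parse_apdu(apdu: bytes) -> Dict[str, object]:
    """Split a short-form command APDU (cases 1-4) into header, data field and Le."""
    if len(apdu) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                       # case 2: Le only
        le = body[0]
    elif len(body) > 1:                      # case 3/4: Lc, data, optional Le
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc inconsistent with APDU length")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def sm_indicator(cla: int) -> int:
    """Bits b4 b3 of a first-interindustry CLA (ISO 7816-4): 0 = no SM,
    1 = proprietary SM, 2 = SM without header authentication,
    3 = SM with authenticated header. CLA 0C therefore decodes to 3."""
    if cla & 0x80:
        raise ValueError("not a first-interindustry class byte")
    return (cla >> 2) & 0x03


def parse_sm_dos(data: bytes) -> Dict[int, bytes]:
    """Walk the one-byte-tag, one-byte-length data objects of an SM data field
    (87 = padding indicator || cryptogram, 97 = Le, 8E = MAC)."""
    dos, i = {}, 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated SM data object")
        dos[tag] = value
        i += 2 + length
    return dos


def find_select_aid(apdu: bytes) -> Optional[bytes]:
    """Plain SELECT-by-AID matcher as the accepted answer describes it:
    only CLA 00 / INS A4 / P1 04 carries an AID that can be looked up."""
    f = parse_apdu(apdu)
    if f["cla"] == 0x00 and f["ins"] == 0xA4 and f["p1"] == 0x04:
        return f["data"]
    return None


def front_end(apdu: bytes, registered_aids) -> Optional[bytes]:
    """Assumed model of the routing layer in front of the HCE service. Returns the
    status word it answers itself, or None when the APDU reaches processCommandApdu."""
    aid = find_select_aid(apdu)
    if aid is not None:
        return SW_OK if aid in registered_aids else SW_NOT_FOUND
    f = parse_apdu(apdu)
    under_sm = not (f["cla"] & 0x80) and sm_indicator(f["cla"]) != 0
    if f["ins"] == 0xA4 and f["p1"] == 0x04 and under_sm:
        # SELECT under SM: the AID is inside DO 87 and cannot be matched in the clear
        return SW_CLASS_NOT_SUPPORTED
    return None


# Constructed sample traffic (not captured from a real terminal).
MAIN_AID = bytes.fromhex("A0000002471001")
PLAIN_SELECT = build_select(MAIN_AID)
# Under SM the data field is DO 87 (01 || ciphertext) and DO 8E (MAC); the
# 16 + 8 bytes below are placeholders, not real AES-CBC / CMAC output.
SM_BODY = (bytes([0x87, 0x11, 0x01]) + bytes(range(0x10, 0x20))
           + bytes([0x8E, 0x08]) + bytes(range(0x20, 0x28)))
SM_SELECT = bytes([0x0C, 0xA4, 0x04, 0x00, len(SM_BODY)]) + SM_BODY + b"\x00"
SM_READ_BINARY = bytes([0x0C, 0xB0, 0x00, 0x00, len(SM_BODY)]) + SM_BODY + b"\x00"

if __name__ == "__main__":
    for name, apdu in [("plain SELECT", PLAIN_SELECT), ("SM SELECT", SM_SELECT),
                       ("SM READ BINARY", SM_READ_BINARY)]:
        sw = front_end(apdu, {MAIN_AID})
        print(f"{name:15} CLA={apdu[0]:02X} SM={sm_indicator(apdu[0])} -> "
              f"{sw.hex() if sw else 'to processCommandApdu'}")
```

The point the model makes explicit: AID routing needs the AID in plaintext, and under PACE secure messaging only the endpoint holding the session keys can see it. Any selection of the second applet inside the channel therefore has to be decided by the service that is already active, after it has unwrapped DO 87 and verified DO 8E itself; the routing layer in front of it cannot do that for it.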

2
Sheikh Shaheer Naeem On

- Ensure that the SELECT AID command is correctly formatted with the CLA byte set to 0x00.

- Verify that the AID you're selecting is properly encoded and its length byte is correctly set.

- Check that your HCE service is correctly handling the SELECT AID command and supporting secure messaging.

- Use logging and debugging tools to inspect APDU commands and responses for any issues.

- Review Android documentation and examples for best practices in HCE and secure messaging.

Regarding dynamically registering the encrypted AID of your second applet, you'll typically handle this within your HCE service. After successfully establishing a secure channel with the terminal during the PACE authentication process, you can dynamically register additional AIDs with your HCE service using the setDefaultServiceForCategory() method in your HCE service's onCreate() method.

Ensure that your SELECT AID command is correctly formatted, your HCE service is properly configured to handle secure messaging, and you're following best practices for APDU command handling in your HCE application. With thorough testing and troubleshooting, you should be able to resolve the SW 6E00 response and successfully implement AID selection with secure messaging in your Android HCE app.