Android HCE does not support select MF command?

Question

We are developing an app based on Android HCE. We found that HCE uses an AID-based mechanism to route communication to specific apps. This means that if I want to trigger my app, the first command must be a SELECT by name command.

This is a very big limitation on transport domain. In transport, many POS won't send a SELECT by name command as the first command. Instead they would send a SELECT MF (00A40000023F00) command as the first command. So HCE can't work in that case.

Is there any plan to add default select feature? Or do we have some other solution to support this use case?

Answer 1

I have encountered the same situation just like what you described. Unfortunately, after digging for several hours, I found out the offical document shows that:

The NFC controller typically also contains a default route for APDUs. When an AID is not found in the routing table, the default route is used.

When NFC controller receives a APDU which represents "00A40000023F00", it will consider the parts after Lc, which means "3F00", as the AID. However, you can't set up an AID filter that shorter than 5 bytes for your HCE service, otherwise Android will raise exception for that. Therefore, NFC controller finds out there's no routing target for "3F00", then it leads the APDU to the so-called "default route".

In the figure 4, as you can see, each of the APDUs is handled through NFC controller, whether it comes from inside or outside. And it's the NFC controller who decides the routing regulation, which is a default route, when there's a "unknown AID" APDU. I'd say that how NFC controller routes APDUs has been integrated into hardware, or it might not be programable in Android development.

Answer 2

Android uses an AID-based routing mechanism to dispatch communication in card emulation mode to specific application (HCE applications or SE applets). This is also what the NFC Forum designed as the primary means to support multiple independent card emulation applications on a single NFC device.

AID-based routing requires the first command to be a SELECT (by DF name/AID) command:

00 A4 0400 <Lc> <AID> [<Le>]

This is necessary in order to distinguish between different applications. Otherwise, Android would not be able to dispatch communication to the right HCE service.

However, this also prevents emulation of anything that precedes a successful application selection (such as selecting a master file using a SELECT (by file name, etc.) command). If this was allowed, Android would have no way to know which HCE application was responsible for handling that command. Consequently, it would be impossible to host multiple HCE applications that all require a master file on one device. Therefore, I don't expect this to be supported anytime soon.

On other mutli-application platforms that very same problem exists as well. For instance, typical Java Card smartcards also do not have a master file. On these platforms, the problem is usually overcome by allowing one default-selected application that handles all communication before the first SELECT (by DF name/AID) command. One can only speculate if such a mechanism would come in a future Android version...I would not count on it.

If rooted devices are an option, you may be able to use a framework like Xposed to adapt the NFC system service to dispatch communication to some default HCE service.

Answer 3

For transportation, Visa use its application qVSDC app as offline solution. It provides specific public keys for offline data authentication to limit those transactions on transportation. So default select is A0000000031010 for Visa not a specific AID for transportation. But Visa provides multi AID support meaning that you can develop 2. application to use on transportation. You must personalize your app to response specific "Select AID" command.