Kortet dras ut ur läsaren?

Bakgrund

Under Windows har SecMaker länge arbetat med frågor kring att koppla händelser till ”kort i” och kort ur”.

Händelser kopplade till ”kort i” hanteras inte sällan via Net iD Watch där man kan konfigurera valfri händelse till ”kort i”. Andra sätta att lösa detta är att använda PC/SC direkt, PKCS#11 eller Net iDs Plugin.

Även händelser kopplade till ”kort ur” hanteras ofta via Net iD Watch men även här kan PC/SC, PKCS#11 eller Net iDs Plugin användas.

Det finns dock ett specialfall på Windows och det är funktionen Net iD NetControl som kan stänga applikationer som använts för dubbelriktad TLS/SSL med kortet. Se mer om detta här.

Under iOS blir det dock annorlunda. Vi kan inte utan vidare låta Net iD Access appen ligga i bakgrunden och monitorera korthändelser och rapportera tillbaka till tjänsten via Net iD Access Server. Det skulle påverka batteritiden negativt och kanske inte godkännas av Apple.

Lösningar

I ett scenario där man utvecklar en egen app baserat på konceptet med Net iD Access och Net iD Access Server kan man se till att den egna appen blir ”kort ur medveten” på flera sätt men mest flexibla sättet är att nyttja Net iD SDK på PKCS#11-nivå (kräver en licens för Net iD SDK) Se skiss. På så vis kan en applikation som körs själv ta makten över vad som ska ske om kortet avlägsnas. Gör man på det sättet skapar man en generisk lösning som fungerar för alla kortläsare.

Man kan även använda Precise iOS Toolkit på PC/SC-nivå. Se skisss

Utdrag ur ”Precise iOS Toolkit User Manual”

För att få tillgång till Precise iOS Toolkit och hela dokumentationen måste du skaffa ett konto hos Precise Biometrics via deras portal för utvecklare: http://www.idapps.com/developers

Smart card reader API

The Precise iOS Toolkit offers two different APIs to achieve the same thing, to communicate with a smart card from an iOS application. One is a port of the Microsoft de-facto standard ANSI C-implementation of the PCSC workgroup specifications which is also used on Linux and Mac OS X. The other is an objective-C API tailored for the iOS environment.

The PCSC C-API allows for quick and easy porting of existing smart card code. Note that even though all the functions are implemented not all are relevant for an iOS scenario. These functions will return an error code.

The Objective-C API is a proprietary API designed specifically for the iOS environment. This API makes it easy to get started with new projects and for developers not familiar with the full flavor of the PCSC API.

iOS External Accessory limitations – Background execution

The Tactivo smart card reader is designed according to a set of rules defined by Apple to ensure that the end-user experience will not be negatively affected when introducing an external accessory. Some of these rules affect when and how the accessory can draw power from the internal battery of the iOS device. A simplification of the iOS external accessory power management behavior is that the reader can draw power and communicate with an application when the application is in the foreground and when the screen is active. When the application is moved to the background the application is moved to a suspended state shortly after and when this happens the device cannot assume that there will be enough current available from the iOS device to continue to keep the state of the card. The device will therefore close the session to the card and power off the card.

An application that wants to keep an open session to a card for a prolonged time can ask the system to not be suspended when sent to the background. By doing so the device can be guaranteed power the card for as long as required by the application. How to prevent an application from being suspended is further described in the chapter “Background Execution and Multitasking” in the iOS Developer Library.

When an application is designed to execute in the background the smart card library needs to know not to act upon foreground/background notifications from the system. Remember that it is the responsibility of the application to ensure the user solution performance and the smart card behavior when the automatic power management of the smart card library is disabled. Having an application running in the background with a card powered will affect the battery performance.

Monitoring smart card reader slot events

Another result of the inability to implement system services on the iOS is revealed when attempting to track and monitor slot events in the smart card reader. In order to track the insertion and removal of a smart card in the accessory a session needs to be opened to the accessory via the External Accessory Framework. Once the session is in place the application can monitor the slot events. The library handles the opening and closing of sessions. With the PCSC API the session is initialized and opened when the application calls SCardEstablishContext() the first time and closed when the last context is released with SCardReleaseContext().

Shared card sessions

On a PC an application can choose to connect to a smart card in a shared mode meaning that other applications can share the access to the card. This permission is managed by a system service. Due to security concerns Apple has chosen not to allow 3rd party developers to implement a system service for iOS.

The PCSC-API operates in the application’s own context and not as a system wide service. This will result in that API-calls and parameters that are aimed for system operations, such as opening sessions to a card in shared mode in order to share the card over several applications is not supported. Attempting to use SCARD_SHARE_SHARED together with SCardConnect() will return the error SCARD_E_INVALID_PARAMETER.

Opening a session using SCARD_SHARE_EXCLUSIVE however guarantees that no other application will be able to access the smart card as long as the session is open.

Smart card slot notifications

Once successfully initialized the PBSmartCard API will send notifications when the state of the smart card slot changes. An application can choose to listen and act upon these events accordingly.

The following notifications are sent:
PB_CARD_INSERTED – is broadcasted when a smart card is inserted in the reader.
PB_CARD_REMOVED – is broadcasted when a smart card is removed from the reader.