add info

Author: jqssun

.github/workflows/apk.yml

@@ -0,0 +1,98 @@
+# https://github.com/marketplace/actions/automated-build-android-app-with-github-action
+# https://github.com/marketplace/actions/publish-release
+
+name: Generate APK
+
+env:
+  main_project_module: app
+  target_owner: Xposed-Modules-Repo
+  target_repo: io.github.jqssun.seaccess
+  target_path: target_path
+
+on:
+  push:
+    branches:
+      - 'release/**'
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'v*.*.*'
+        required: true
+        type: string
+  # schedule:
+  #   - cron: '0 0 1 */2 *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set TAG
+        if: github.event_name == 'push'
+        run: |
+          echo "version=$(echo '${{ github.ref_name }}' | awk -F 'v' '{print $2}')" >> $GITHUB_ENV
+
+      - name: Set TAG
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          echo "version=$(echo '${{ inputs.version }}' | awk -F 'v' '{print $2}')" >> $GITHUB_ENV
+
+      - name: Set ENV
+        run: | 
+          echo "date_today=$(date +'%Y-%m-%d')" >> $GITHUB_ENV;
+          echo "repository_name=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
+
+      - name: Use JDK
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '17' # 21
+          cache: 'gradle'
+
+      - name: Build
+        run: |
+          echo ${{ secrets.STORE }} | base64 -d > upload.jks
+          echo ${{ secrets.LOCAL }} | base64 -d > local.properties
+          chmod +x ./gradlew;
+          ./gradlew assembleRelease --stacktrace
+          rm upload.jks local.properties
+
+      - name: Publish (GitHub)
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: v${{ env.version }}
+          tag_name: v${{ env.version }}
+          files: |
+            ${{ env.main_project_module }}/build/outputs/apk/release/app-release.apk
+
+      - name: Publish (Xposed)
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ secrets.PAT }}
+          repository: ${{ env.target_owner }}/${{ env.target_repo }}
+          name: v${{ env.version }}
+          tag_name: v${{ env.version }}
+          files: |
+            ${{ env.main_project_module }}/build/outputs/apk/release/app-release.apk
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ env.target_owner }}/${{ env.target_repo }}
+          path: ${{ env.target_path }}
+          token: ${{ secrets.PAT }}
+      
+      - name: Sync
+        run: |
+          cd ${{ env.target_path }}
+          cp ../README.md ../LICENSE .
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git add README.md
+          git add LICENSE
+          git commit --amend --no-edit
+          git push --force

.gitignore

@@ -1,4 +1,5 @@
 *.iml
+*.jks
 .DS_Store
 .cxx
 .externalNativeBuild

README.md

@@ -1,12 +1,39 @@
-# OMAPI Bypass
+# Secure Element Access
 
-**USE AT YOUR OWN RISK**  
-**Need Xposed**  
-Bypass ARA,ARF limit in `AccessControlEnforcer` and grant FullAccess.  
+[![Stars](https://img.shields.io/github/stars/jqssun/android-se-access)](https://github.com/jqssun/android-se-access/stargazers)
+[![LSPosed](https://img.shields.io/github/downloads/Xposed-Modules-Repo/io.github.jqssun.seaccess/total?label=LSPosed&logo=Android&style=flat&labelColor=F48FB1&logoColor=ffffff)](https://github.com/Xposed-Modules-Repo/io.github.jqssun.seaccess/releases)
+[![GitHub](https://img.shields.io/github/downloads/jqssun/android-se-access/total?label=GitHub&logo=GitHub)](https://github.com/jqssun/android-se-access/releases)
+[![release](https://img.shields.io/github/v/release/jqssun/android-se-access)](https://github.com/jqssun/android-se-access/releases)
+[![build](https://img.shields.io/github/actions/workflow/status/jqssun/android-se-access/apk.yml)](https://github.com/jqssun/android-se-access/actions/workflows/apk.yml)
+[![license](https://img.shields.io/github/license/jqssun/android-se-access)](https://github.com/jqssun/android-se-access/blob/master/LICENSE)
+[![issues](https://img.shields.io/github/issues/jqssun/android-se-access)](https://github.com/jqssun/android-se-access/issues)
+  
+A module to explicitly give trusted apps access to the secure element (eSE) by using a safer application ID based implementation, regardless of the ARF configuration on the eUICC.
 
-**How it works**  
-It hooks `com.android.se.security.AccessControlEnforcer.readSecurityProfile`, disables `mUseArf` and `mUseAra`, and grants `mFullAccess`.  
-Note: You may need to kill `com.android.se` by running `su -c killall com.android.se` in adb shell to activate it.
+## Compatibility
+
+- Android 10+
+- Rooted devices with Xposed framework installed (e.g. LSPosed)
+- Access can be granted to any of the following Local Profile Assistant (LPA) apps:
+  - (OEM) [com.google.android.euicc](https://play.google.com/store/apps/details?id=com.google.android.euicc)
+  - (FOSS) [chat.jmp.simmanager](https://f-droid.org/sq/packages/chat.jmp.simmanager/)
+  - (FOSS) [im.angry.easyeuicc](https://gitea.angry.im/PeterCxy/OpenEUICC)
+
+## Implementation
+
+On Android, eUICC APIs are by default restricted to whitelisted apps. This makes sense because most eUICC chips are integrated to the device. If someone wants to access the chip, say for instance to provision a profile, they generally need to do so through a [Local Profile Assistant (LPA) app](https://source.android.com/docs/core/connect/esim-overview#making_an_lpa_app), which can either be
+- [a system app that provides EuiccService](https://source.android.com/docs/core/connect/esim-overview#making_an_lpa_app) (in the case of an integrated eUICC), or 
+- [a carrier app signed by a certificate](https://source.android.com/docs/core/connect/uicc#arf) whose hashes match the [ARF/ACCF stored in the eUICC](https://source.android.com/docs/core/connect/uicc#validation)
+
+In the case of a removable eSIM (such as those from [sysmocom](https://sysmocom.de/products/sim/sysmocom-euicc/), [estk.me](https://www.estk.me/) or [esim.me](https://esim.me/)), the options are limited as they do not have control over device firmware. Users also have to rely heavily on carrier support for their apps as the ARF is baked into the eUICC itself.
+
+However, there is a caveat. Probably to faciliate Android vendor testing, full access to the eUICC can _also_ be granted if the ROM firmware is built with a debuggable flag, i.e. `ro.debuggable=1`, whilst configured to accept all channel access requests, `persist.service.seek=fullaccess`. Effectively, this translates to setting `mUseAra` and `mUseArf` fields to false while granting `mFullAccess` in `com.android.se.security.AccessControlEnforcer` according to [the sources](https://android.googlesource.com/platform/packages/apps/SecureElement/+/refs/heads/main/src/com/android/se/security/AccessControlEnforcer.java).
+
+A previous version of this module enables eSE access to third-party apps by exactly patching these 3 flags in `AccessControlEnforcer`. However the approach is more of a one-size-fits-all solution that does not disciminate potentially malicious apps from legitimate ones, posing a significant risk when enabled.
+
+Tracing [the source code](https://android.googlesource.com/platform/packages/apps/SecureElement/+/refs/heads/master/src/com/android/se/Terminal.java) to see how access can be more granularly provided, I found that app eligibility eventually comes down to the check at `isPrivilegedApplication` method in `com.android.se.Terminal`. There is no need to touch `AccessControlEnforcer` at all, as the check directly operates on one of the default steps intended for carrier applications. 
+
+Therefore, this module instead modifies the response there without any drastic changes in terms of how `AccessControlEnforcer` behaves. Of course, it is also possible to be even more specific with the patching, down to the exact application signature rather than using application ID, but this may be a bit more cumbersome to support and maintain.
+
+For users that are still not entirely convinced with how secure this is, you are welcome to cut down the list even further and include your own application ID in your build. Since Android by default does not allow app signatures to be overwritten duing updates, you should be protected so long as your custom LPA app is signed properly 👍
 
-Logcat TAG: `SecureElementAccess`  
-see: [AccessControlEnforcer.java](https://cs.android.com/android/platform/superproject/main/+/main:packages/apps/SecureElement/src/com/android/se/security/AccessControlEnforcer.java;l=129)  

app/build.gradle

@@ -12,13 +12,26 @@ android {
         targetSdk 35
         versionCode 1
         versionName "0.0.1"
+    }
+
+    signingConfigs {
+        release {
+            def keystorePropertiesFile = rootProject.file("local.properties")
+            def keystoreProperties = new Properties()
+            keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
 
+            keyAlias keystoreProperties['keyAlias']
+            keyPassword keystoreProperties['keyPassword']
+            storeFile file(keystoreProperties['storeFile'])
+            storePassword keystoreProperties['storePassword']
+        }
     }
 
     buildTypes {
         release {
             minifyEnabled true
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+            signingConfig signingConfigs.release
         }
     }