Java Card Forum

The Java Card Forum is an industry association of companies from the smart card, secure operating system and secure silicon industry, working together to promote and develop Java as the preferred programming language for multi-application smart cards, secure devices and other execution environments.

Advancing eSIM Applet Security 

By Guido Abate, Chair of the Trusted Connectivity Alliance Board

Over recent years, exclusive market data from Trusted Connectivity Alliance (TCA) has highlighted how eSIM technology is being harnessed across the global digital economy to offer flexible connectivity, advanced security and enhanced experiences.

And as eSIM adoption continues to build, so too does industry demand for using the technology’s proven security capabilities to host the applets that enable various value-added mobile services. These include highly sensitive use-cases where security is paramount, such as payments, identity management and IoT services.

The Critical Importance of Applet Security

Yet to maintain the highest level of security, applets must be developed correctly. This has become even more critical with the evolution to eSIM.

A single eSIM can host several profiles, each containing third-party applets that must securely share the resources of the eSIM and the mobile device. If one of these applets contains malicious software or can be used as a backdoor by hackers, other applets could be compromised and the security and privacy of the communication with that device could be at risk. 

The good news for Java Card developers is that clear, industry-recognised guidance already exists to support the development of secure, high-quality applets that enable the delivery of powerful eSIM-based value-added services. 

Stepping Stones for Java Card Applet Developers  

In 2024, Trusted Connectivity Alliance (TCA) published Stepping Stones for Java Card Applet Developers. It marked the latest release in its acclaimed ‘Stepping Stones’ series, which provides recommendations and guidelines to support the development and deployment of SIM-based technologies.

The latest edition addresses the unique considerations presented by Java Card technology, offering harmonised best practices and security recommendations to maximise interoperability and ensure eSIM applet assets are sufficiently protected. 

The guidance includes security measures applicable to all applets, such as ensuring Java Card applets pass byte code verification to confirm code integrity before execution, as well as using standard APIs. Additional recommendations for protecting sensitive applets are also provided. 

Importantly, the recommendations are widely recognised as industry best-practice. For instance, researchers recently disclosed a vulnerability involving a malicious Java Card application, describing how Test Profiles could be misused to install malicious Java Card applications within eSIM profiles. In response, GSMA released guidance stating: “Java Card Application developers should comply with ‘TCA Stepping Stones for Java Card Applet Developers’ recommendations.”

A Checklist for Secure Applet Development

To provide developers with practical guidance and to promote compliance, Stepping Stones for Java Card Applet Developers consolidates all security recommendations into a comprehensive, accessible checklist. This enables developers – particularly those who are newer to the eSIM market – to more effectively address common challenges. 

The checklist can also be used by quality and test engineers, as well as end customers, to verify proper implementations. This can help identify issues prior to deployment and promote increased trust across the ecosystem. 

Maximising eSIM Security and Interoperability

As the eSIM ecosystem continues to expand to encompass new use-cases and participants, TCA is committed to engaging with stakeholders across the industry on initiatives to maximise eSIM security and interoperability.  

For example, TCA recently participated in a joint session with the Java Card Forum to provide a technical deep-dive into how developers can utilise the recommendations and best-practices within ‘Stepping Stones for Java Card Applet Developers’ to advance the security of eSIM deployments. The session also explained how security can be bolstered by the TCALoader tool, which enables mobile operators and application developers to download, install and manage applications on the UICC / eUICC to test interoperability across different deployments.

Looking ahead – and as eSIM technology emerges as a key enabler of the global digital economy – TCA is exploring opportunities to bridge gaps across current standards and testing infrastructure to promote safe, reliable and consistent IoT deployments. 

‘Stepping Stones for Java Card Applet Developers’ is available to download here. To learn more about how TCA is advancing eSIM security, watch TCA’s webinar with the Java Card Forum here.


Author: Karen B

Karen has been working in the high-tech industry for over 30 years covering system support, event management, corporate publishing and secretariat support for special interest groups. As well as running the UK office, she is the Marketing & Operations Secretariat for the Java Card Forum. She is currently based in the UK.
