Skip to content
JavaCard implementation of GlobalPlatform Access Rule Application Master Applet
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
oracle_javacard_sdks @ 2b36942
.gitmodules create repo aram-applet Sep 25, 2017
.travis.yml create repo aram-applet Sep 25, 2017
gradlew.bat create repo aram-applet Sep 25, 2017

ARAM Applet

Build Status Coverage Status

JavaCard implementation of Global Platform Access Rule Application Master (ARA-M) applet from Secure Element Access Control v1.0 specification.

What is this ?

ARA-M is an application (typically present on a SIM card) which manage access rules that are enforced by an Access Control Enforcer (typically present on Android device). The enforcer makes sure the rules from the ARAM are enforced. An access rule is composed of :

  • an AID
  • a certificate hash (sha1 of client application cert)
  • a set of rules

The Access Control enforcer will allow/deny a client application (for example an Android app) to send APDU to a SE applet based on these rules

More information : seek-for-android Access Control wiki


Get Data

  • get all
  • get specific REF-DO
  • get refresh tag
  • get next

Store Data

  • store REF-AR-DO
  • delete AID-REF-DO
  • delete REF-DO
  • delete REF-AR-DO
  • update refresh tag


  • store data can be accessed via install for personalization or via raw apdu STORE DATA
  • get data length is coded on 2 bytes max
  • get specific is not compatible with get next
  • rules are not stored as data object but as plain apdu AR-DO
  • format of APDU-AR-DO, NFC-AR-DO is not checked
  • deleting specific rules is not implemented (only aid/hash)


git clone
cd aram-applet
git submodule update --init
  • build
./gradlew build
  • build & install (will delete existing applet before install)
./gradlew installJavaCard


  • run simulation tests
./gradlew test
  • run tests on smartcard
./gradlew test -DtestMode=smartcard


Install for personalization

  • list rules
gp -acr-list

Use GlobalPlatformPro to send store data via the Security Domain with install comand + install for personalization :

  • add rule
gp -acr-add -acr-rule 01 -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432
  • delete rule
gp -acr-delete -app D2760001180002FF49502589C0019B18 -acr-hash 1FA8CC6CE448894C7011E23BCF56DB9BD9097432


  • list rules
./gradlew list

The following task send store data command raw apdu via GlobalPlatformPro (for add & delete) :

  • add rule
./gradlew store


./gradlew test --tests fr.bmartel.aram.AramTest.storeDataValid
  • delete rule
./gradlew delete


./gradlew test --tests fr.bmartel.aram.AramTest.deleteByAid


The MIT License (MIT) Copyright (c) 2017 Bertrand Martel

You can’t perform that action at this time.