Live from #esmart: CAP file decompilation

We have had a presentation from Cellnetrix about the decompilation of CAP files. Security specialists have been working on such tools for a while, and we have been using them extensively in software evaluation laboratories. We have even had much more sophisticated analysis programs since at least 2002. So, the presentation was not all that new.

However, Cellnetrix’ problem is new and interesting. They are Java Card application developers, who are trying to protect their intellectual property. So, for them, a “threat” is not a threat against the security of the application, but against the application itself, allowing competitors to recover mechanisms included in the card.

Today, the situation is not too bad, in particular when compared to other platforms. Getting access to a CAP file is actually quite difficult, because these files don’t really travel on the Internet. They are delivered by developers to their customers, who in turn put them into their cards. There is no protection mechanism there, because all operations occur in a secure factory, or at least over a secure communications link. The real problem here is theft, where the customer actually breaks its contractual obligations and gives away the CAP file to a competitor of the developer. This is definitely better than what happens with MIDP applications, whose JAR files can be found directly on the Internet, and in many cases, extracted from devices …

This problem is quite hard, but it is also becoming more common, thanks to NFC (even if NFC fails, it will have at least made the technology advance in other fields). Because people are thinking about loading (sensitive) banking applications on SIM cards (owned by operators, not banks), banks are asking for confidentiality protection of their code; officially for security, but IP could also be a good reason. GlobalPlatform has published an Amendment of the 2.2 specification that deals with Confidential Card Content management, and allows the actual content to be transmitted encrypted from the application developer to the actual card.

Still, it is refreshing to see that people are considering themselves Java Card developers, and that their applications have an intrinsic value …

One Comment

  • It would be awesome if there were a .net reflector like tool for cap files! :)

    I thought of trying to create one once tho…
