Description
An Application Protocol Data Unit (APDU) is the fundamental communication packet defined by ISO/IEC 7816-4 and adopted by 3GPP for interactions with smart cards, specifically the Universal Integrated Circuit Card (UICC) hosting the USIM application. It serves as the standardized format for command and response exchanges between a terminal (like a mobile device) and the card. An APDU exchange consists of a mandatory command APDU (C-APDU) sent by the terminal and a corresponding response APDU (R-APDU) returned by the card. The C-APDU structure includes a header (CLA, INS, P1, P2) specifying the class, instruction, and parameters, and a variable-length body containing command data. The R-APDU contains a body with response data and a mandatory two-byte trailer (SW1, SW2) indicating the command processing status (e.g., success, error conditions).
In 3GPP systems, APDUs are primarily used over the interface between the Mobile Equipment (ME) and the UICC, as standardized in TS 31.101. They facilitate a wide range of USIM and card application toolkit (CAT) functions. For example, during network authentication, the ME sends an APDU command to the USIM to run the authentication and key agreement (AKA) algorithm, and the USIM returns an APDU response with the computed authentication vector. APDUs also enable secure OTA (Over-The-Air) updates for subscriber data, application provisioning (e.g., for eSIM management), and execution of value-added services via the SIM Toolkit.
The APDU mechanism operates within a master-slave model where the terminal initiates all commands. The protocol is session-less and stateless at the APDU level, though higher-layer applications may maintain state. APDU exchanges are transported over physical and logical channels on the UICC interface. Security is integral; sensitive commands (e.g., for personalization or key management) are protected by secure messaging, where APDU data is encrypted and integrity-protected using keys stored on the card. This ensures confidentiality and authenticity in operations like profile downloading for eSIM.
APDUs are critical for the modularity and interoperability of smart card systems in telecommunications. They allow diverse applications (from network authentication to payment applets) to coexist on a single UICC by providing a uniform command set. The strict formatting and status reporting enable robust error handling and debugging. In advanced use cases, such as IoT with embedded SIMs (eSIM), APDUs facilitate remote subscription management as defined in GSMA specifications, which build upon 3GPP's APDU framework for profile installation and management.
Purpose & Motivation
The APDU was introduced to standardize communication with smart cards, addressing the need for a universal, interoperable command set across different card vendors and applications. Prior to standardization, proprietary command interfaces hindered compatibility and increased complexity for device manufacturers and network operators. By adopting ISO/IEC 7816-4, 3GPP ensured that UICCs and USIMs from any supplier could work seamlessly with any compliant mobile device, fostering a competitive ecosystem and reducing integration costs.
In the context of 3GPP, APDUs solve the problem of secure and efficient data exchange for subscriber identity management and authentication. They enable the USIM to perform cryptographic computations locally on the secure card, so that sensitive keys are never exposed to the potentially compromised device environment. This is fundamental for network security in GSM, UMTS, and LTE/5G. Furthermore, APDUs support the dynamic nature of modern mobile services by allowing OTA updates, which are essential for provisioning, modifying subscriber data, or deploying new applications without physical card replacement.
The creation and evolution of APDU usage in 3GPP were motivated by the expansion of smart card capabilities beyond simple authentication. As UICCs evolved into multi-application platforms hosting payment, identity, and IoT services, a robust, extensible protocol was necessary. APDUs provide this foundation, allowing new instructions and data structures to be defined within the existing framework. They address limitations of earlier, less structured methods by offering precise control, standardized error reporting, and support for secure messaging, which are critical for trusted service execution and management in an increasingly digital and connected world.
Key Features
- Standardized command-response structure per ISO/IEC 7816-4
- Supports secure messaging for encrypted and integrity-protected data exchange
- Enables authentication and key agreement (AKA) via USIM commands
- Facilitates Over-The-Air (OTA) provisioning and management of card applications
- Provides detailed status reporting through SW1-SW2 codes for error handling
- Extensible for new instructions and applications on the UICC platform
Evolution Across Releases
Introduced APDU as the standard mechanism for ME-UICC communication, adopting ISO/IEC 7816-4. Enabled basic USIM functions like authentication, file access, and card reset. Established the foundation for secure OTA updates and SIM Toolkit operations, supporting the transition to multi-application UICCs.
Defining Specifications
| Specification | Title |
|---|---|
| TS 21.905 | 3GPP TS 21.905 |
| TS 23.057 | 3GPP TS 23.057 |
| TS 29.078 | 3GPP TS 29.078 |
| TS 31.131 | 3GPP TR 31.131 |
| TS 31.213 | 3GPP TR 31.213 |
| TS 33.835 | 3GPP TR 33.835 |
| TS 34.131 | 3GPP TR 34.131 |
| TS 51.013 | 3GPP TR 51.013 |