Ambimat GroupAmbimatAmbiSecureeSIM InitiativeEngineering BlogAhmedabad · India · Est. 1981
ASAmbiSecureHardware-rooted security
Contact
Technology

JavaCard, in plain language.

JavaCard is the bytecode-based applet platform that runs on most modern secure elements. If you have ever held a smart card with FIDO, PIV, OpenPGP, or a banking applet on it, you have probably touched JavaCard. Here is what it actually is, and where it fits in the AmbiSecure stack.

What runs on the chip

A JavaCard is not running standard Java. It runs JavaCard bytecode — a strict subset compiled into a CAP file. The Java Card Runtime Environment (JCRE) on the chip provides applet lifecycle, transient and persistent memory, transactions, and a small standard library. JavaCard 3.x APIs cover most of what an applet needs: ISO/IEC 7816 APDU dispatch, ECDSA / ECDH / RSA / AES, hashes, secure messaging.

The chip itself is a Common-Criteria-certified secure element. The JCRE isolates applets from each other (firewall) and from the host. Keys live in tamper-resistant memory and are usable but not exportable.

Lifecycle of an applet

01

Compile

Java sources → class files → CAP file via the Java Card converter.

02

Load

CAP loaded onto the card over SCP03 via GlobalPlatform INSTALL [for load] + LOAD.

03

Install

INSTALL [for install] — instance created with install parameters; install() runs.

04

Selectable

INSTALL [for make selectable]. Applet now responds to SELECT-by-AID.

05

Personalised

Issuer keys / certs / configuration written under secure messaging.

Memory model: persistent vs transient

EEPROM and Flash on a smart-card chip have limited write cycles — treating them like RAM destroys the card. JavaCard exposes two transient-memory APIs (JCSystem.makeTransientByteArray, makeTransientShortArray, makeTransientObjectArray) that allocate from RAM and zero on reset / on deselect. Use them for session state. Use persistent fields only for things that must survive a power cut.

Get this wrong and the card will work fine in QA and silently die in the field after six months.

Where JavaCard appears in our work

OnePass Card

FIDO2 + PIV applets on a JavaCard 3.x chip. Resident credentials, NFC + USB, brandable.

View product →

JavaCard Applet Platform

FIDO, PIV, OpenPGP and custom applets, plus the personalisation tooling that makes them shippable.

View product →

JavaCard Development service

Custom applets designed, written, loaded over SCP03, and personalised. Both the standards-driven applets and the bespoke ones.

View service →

Tools and reference

APDU Parser

Inspect any APDU your applet emits.

Open tool →

SW1/SW2 Lookup

Decode the status word your applet returned.

Open tool →

GP Status Reference

Card and applet lifecycle states — what each transition allows.

Open tool →

JavaCard work for your team?

Tell us your target chip family, target applet (FIDO / PIV / custom), and the personalisation flow. We will tell you what is realistic.

Talk to engineers