
UICC: Can I trust proactive TIMER MANAGEMENT?


A UICC (SIM card) has no internal clock. If an applet loaded on the SIM card needs to know whether some time interval has already elapsed, it has to allocate a timer in the device and start it using the TIMER MANAGEMENT proactive command.

ETSI standard (102 223 V12.1.0) says:

"The precision of the returned value cannot be relied upon in all cases due to potential terminal activities"

Does it mean that the timer can fire the desired event even BEFORE it should?

Is there any protection provided by the OS against timer event fraud (an attacker pretending the timer event has been fired)?

Can I trust the timer even in some "serious" security applications, or is it just kind of a toy with a limited real world usage?


Solution

    1. "The precision of the returned value cannot be relied upon in all cases due to potential terminal activities" means that the timer may be fired after the desired time, because the phone may be busy. But this is far more precise than using the poll mechanism.
    2. Using the timer, poll, or provide local information (date & time) does not protect your application against fraud. Everything can be replied by the terminal insecurely.
    3. If you would like the time to be secured, perhaps you can send an encrypted SMS submit to the network, where the server will count the time and send you an envelope SMSPP securely. Of course, this needs a GSM connection.
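
Points 2 and 3 of the answer as an added sketch, not code from the original answer: the timer expiration reported by the terminal is treated only as a hint, and the interval counts as elapsed only once a server-authenticated time value arrives. The HMAC-SHA256 token layout, the key, and the names `server_time_token` and `CardTimeGate` are assumptions standing in for a secured SMS-PP exchange, and the card logic is modelled in Python rather than written as applet code.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared card/server key (assumption)
MAC_LEN, NONCE_LEN = 32, 8

def server_time_token(key, nonce, counter, now):
    """Server side: bind the server clock to the card's nonce and a counter."""
    body = nonce + struct.pack(">IQ", counter, now)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class CardTimeGate:
    """Card-side model: has `interval` seconds passed since `start_time`?"""

    def __init__(self, key, start_time, interval):
        self.key = key
        self.deadline = start_time + interval
        self.last_counter = 0
        self.pending_nonce = None
        self.elapsed = False

    def on_timer_expiration(self, nonce):
        # The terminal can report this event at any moment, so it proves
        # nothing. It only triggers a fresh request to the server.
        self.pending_nonce = nonce
        return nonce  # payload the card would send out in the SMS submit

    def on_server_token(self, token):
        # Accept a time value only if it is authentic, fresh and not replayed.
        if self.pending_nonce is None or len(token) != NONCE_LEN + 12 + MAC_LEN:
            return False
        body, mac = token[:-MAC_LEN], token[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        nonce = body[:NONCE_LEN]
        counter, now = struct.unpack(">IQ", body[NONCE_LEN:])
        if nonce != self.pending_nonce or counter <= self.last_counter:
            return False
        self.last_counter, self.pending_nonce = counter, None
        if now >= self.deadline:
            self.elapsed = True
        return now >= self.deadline
```
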