Secure Authentication for Radio Operators

Authenticating Amateurs over the Internet is a problem that is hard to solve. For APRS-IS, the insecure passcode system is in place. However, it is trivial for an attacker to generate the passcode for any existing (or imagined) callsign. Therefore, a new secure authentication mechanism, based on Internet standards (SSL/TLS) has been integrated into APRSdroid and the aprsc APRS-IS server software. Some servers already run experimental support for SSL logins without a passcode, based on LotW certificates.

Required Ingredients

  1. APRSdroid 1.2.3 or latest nightly
  2. TrustedQSL application from LotW (tested on Linux, apt-get install trustedqsl)
  3. Valid LotW certificate installed in TrustedQSL (currently, the aprs2 servers only accept LotW)

Certificate Export from TQSL

  1. Launch TrustedQSL Cert Manager (tqslcert on Linux)
  2. Select the entry with your callsign and country
  3. From the menu, choose "Certificate" -> "Save"
  4. Save the file (CALLSIGN.p12) to your disk
  5. Remember the export password you entered

Transmit the File to the Android

Here, you are free to choose the way (Dropbox, e-mail, USB, whatever you prefer).

WARNING: The file contains your LotW credentials, so you should not give it to third-parties!

APRSdroid Configuration

  1. Tap on the CALLSIGN.p12 file (in the e-mail app, or using a file manager)
  2. If a "Complete action using..." dialog appears, select "SSL keyfile import" (with APRSdroid logo)
  3. You will be asked for the password (this is what you entered in step 5. of the export above)
  4. A short "Imported keyfile for CALLSIGN." message should appear.
  5. Launch APRSdroid
  6. Configure the app as follows:
    • Connection Protocol: TCP connection
    • Connection Preferences -> Server:
    • Connection Logging: enabled


Open the Log from Menu -> Show Log. Push "Start tracking" and watch the Log view. If everything was successful, you should see the following lines appearing in reverse order:

APRS Service started: SmartBeaconing™ Position, TCP connection.
Connecting to
Loaded key: OID.1.2.840.113549.1.9.1=#160E67656F7267406F702D636F2E6465, CN=Georg Lukas, CALLSIGN=DO1GL
# aprsc 2.0.3-g898e4b5
# logresp DO1GL-10 verified, server T2FINLAND

If the "Loaded key" line does not appear, something went wrong. Please follow the instructions to submit a bug report.