Mostowski Java Card Firewall 2007 Erratum
Some time after writing the paper we realised that we are not right about our claims in Section 4.6 on page 7 of the Testing the Java Card Applet Firewall technical report.
The key point is that an applet can be declared multiselectable. But an applet that is not declared multiselectable can still be selected on another logical channel. I.e. different non-multiselectable applets can be selected at the same time (multiselected) as long as each one of them resides in a separate package and each one is selected only once.
We write "In the multiselectable scenario the shareable interface method call is forbidden in the first place, thus the clear-on-deselect array access in the multiselectable scenario should never happen." But this is not true, the call to the server will be allowed if the server is declared to be multiselectable (implements the Multiselectable interface). The call is forbidden only if the server is not multiselectable. Thus the comment in the specification that we quote "also apply even if the attempting context is selected on another logical channel" is not redundant. I.e. "the attempting context" can be a sharebale interface server that is declared to be multiselectable.