SIM cards can do more than just authenticate your phone with your carrier. Small apps can be installed and run directly on the SIM separate from and without knowledge of the phone OS. Although SIM Applications are common in many parts of the world, they are mostly unknown in the U.S. and the closed nature of the ecosystem makes it difficult for hobbyists to find information and experiment. This talk, based on our experience building SIM apps for the Toorcamp GSM network, explains what (U)SIM Toolkit Applications are, how they work, and how to develop them. We will explain the various pieces of technology involved, including the Java Card standard, which lets you write smart card applications using a subset of Java, and the GlobalPlatform standard, which is used to load and manage applications on a card. We will also talk about how these applications can be silently loaded, updated, and interacted with remotely over-the-air. Karl Koscher (@supersat) is a PhD student studying security and privacy at the University of Washington. His research covers a wide variety of areas, but he primarily focuses on security for embedded systems. Most recently, he was one of the primary researchers that demonstrated that modern cars are vulnerable to multiple remote exploits, which can affect nearly every physical system in the car. Eric Butler (@codebutler) is a software engineer with an interest in security, privacy, and usability. He's known for creating Firesheep, an easy to use tool that clearly demonstrated the risks of HTTP session hijacking attacks, and prompted major websites including Facebook, Twitter, and Hotmail to improve their security. He also created FareBot, an Android app that reads data from common NFC transit cards sparking a discussion around the privacy of these systems.