In today’s interconnected digital world, the concept of digital identity plays a central role in ensuring secure and seamless online interactions. From authenticating users to protecting personal data, the development and implementation of robust standards are critical to establishing trust and reliability in digital identity systems.
To help navigate this complex ecosystem, the European Union Agency for Cybersecurity (ENISA) has compiled a comprehensive document entitled ‘Digital Identity Standards’, published on 3 July 2023. This report provides an overview of the main standards and standardisation organisations in the field of digital identities. By reading this report, readers will gain a comprehensive understanding of the various means that support digital identity, including trust services, electronic means of identification and the EU Digital Identity Wallet.
In this article, we will explore ENISA’s extensive report, gaining a comprehensive understanding of the various means that support and safeguard digital identities.
Security – where are you?
Readers of ENISA’s “Digital Identity Standards” will notice that the standards in the context of the proposed eIDAS 2.0 Regulation are at various levels of maturity: only 60% of the standards have so far reached the maturity level “high” (see chapter 4.5). The same applies to the security and certification aspects: for most standards, the security and certification requirements are not fully specified yet. In general, the “what” is already known and the “how” is still under discussion.
Regarding Mobile Apps, this lack of clarity is obvious. The publication calls in its recommendation 3 (chapter 5.1) that “EU policy should consider the need for an EU methodology for evaluating the security and privacy of Mobile Apps as a strategic issue and not just a technical one”. This means that a harmonised approach to Mobile App security across EU standards and norms has yet to be established.
EUDI Wallet security
Slawomir Gorniak, a Senior Cybersecurity Expert at ENISA, said during his presentation “EUDI WALLETS CERTIFICATION” at the Bitkom eIDAS Summit on 10 May 2023 that it will probably take up to two more years to become fully operational: First the security and certification requirements have to be defined and then implemented in a certification scheme for the EUDI wallet. Currently, the EUDI wallet lacks functional testing requirements for all but two elements.
ENISA has been asked by the European Commission to work on the certification scheme, which is likely to be a transitional scheme based on a best of breed approach of several other EU standards, such as EUCC (European Cybersecurity Certification Scheme based on Common Criteria), EUCS (EU Cloud Service Scheme) and EU5G (EU 5G Cybersecurity Certification Scheme).
One key question remains: What security requirements will mobile developers, security professionals and compliance managers face in the digital identity landscape? So, let us learn and anticipate from Mobile App security best practices and requirements in other industries.
Existing Mobile App Security requirements – a look into EU Standards Future
Since the EU Digital Identity Standards do not yet specify what mobile developers must provide and what service providers must comply with, let us take a closer look at existing Mobile App security requirements from different industries, issued by industry associations or government bodies.
For the financial industry and the mobile payment world, we provide a brief overview of PCI MPoC; for mobile eHealth applications we look at BSI TR-03161-1; and for the mobile driving licence (mDL) we look at ISO 18013-5.
All the aforementioned Mobile App security requirements have one thing in common: they shall preserve the triad of confidentiality, integrity, and authenticity by design and by default.
Mobile payments – PCI MPoC
The PCI MPoC standard is a new specification designed to meet the growing demand for secure, faster, and more integrated payment processing solutions. It integrates the existing use cases of the CPoC and SPoC standards, adding new payment functionality and new certification pathways. It is also arguably the most advanced standard with the most stringent security requirements for Mobile Apps. In particular, it requires a dual security model, which requires a deep understanding of state-of-the-art Mobile App protection and back-end security.
The security model of an MPoC solution relies heavily (but not exclusively) on mechanisms that support attestation and monitoring (to ensure that security mechanisms are intact and operational), detection (to report when anomalies occur) and response (controls to alert and act). The MPoC security and testing requirements explain what needs to be implemented, how the tester verifies the implementation and how an MPoC solution is finally certified.
For the security of the MPoC application, RASP technology, including rooting detection, emulator detection, etc., must be implemented in the Mobile App, which is then controlled by a back-end component, the attestation and monitoring component. All Mobile Apps are subject to lifecycle management. Overall, the security requirements are far reaching, in the breadth as well as the depth of implementation.
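To make the attestation-and-monitoring loop concrete, here is an added example (not code from PCI, Build38 or ENISA) in which the app bundles its RASP check results with a server-issued nonce and keys them to a device secret, and the back-end verifies integrity and freshness before choosing an allow, alert or block response. The device key, the expected app hash and the policy thresholds are constructed for the demo.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo key; a real deployment would provision a per-device key at
# enrolment and keep it in platform-protected storage.
DEVICE_KEY = b"constructed-demo-key"
# Hash of the app binary the back-end expects (constructed value for the demo).
EXPECTED_APP_HASH = hashlib.sha256(b"demo-app-binary-v1").hexdigest()

def backend_issue_nonce():
    """Back-end step 1: fresh challenge so a captured report cannot be replayed."""
    return secrets.token_hex(16)

def app_build_report(nonce, app_bytes, rooted, debugger, emulator):
    """App side: collect RASP results and bind them to the nonce with a MAC."""
    body = {"nonce": nonce, "ts": int(time.time()),
            "app_hash": hashlib.sha256(app_bytes).hexdigest(),
            "rooted": rooted, "debugger": debugger, "emulator": emulator}
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()}

def backend_verify(report, issued_nonces, max_age=60):
    """Back-end step 2: check integrity and freshness, then pick a response."""
    body = report["body"]
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["mac"]):
        return "block"          # evidence forged or altered in transit
    if body["nonce"] not in issued_nonces or abs(time.time() - body["ts"]) > max_age:
        return "block"          # replayed or stale report
    issued_nonces.discard(body["nonce"])   # each nonce is single use
    if body["app_hash"] != EXPECTED_APP_HASH:
        return "block"          # repackaged or tampered app
    if body["rooted"] or body["debugger"]:
        return "block"          # runtime environment fails the policy
    if body["emulator"]:
        return "alert"          # tolerated here, but flagged for monitoring
    return "allow"
```

The policy mapping (which findings block, which only alert) is deliberately simple; a certified solution would derive it from the scheme's requirements rather than from hard-coded flags.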
Mobile eHealth Applications – BSI TR-03161-1
Compliance with security requirements is particularly important for Mobile Apps in the healthcare sector. For example, the unintentional disclosure of health information can have unwanted social and professional consequences. If an attacker can manipulate a third party’s sensitive data and violate its integrity, he or she could have a significant impact on treatment decisions and ultimately the health of the individual. For this reason, the German Federal Office for Information Security (BSI) has defined this Technical Requirement (TR) document, which includes both implementation and testing requirements.
To protect a Mobile eHealth Application, a number of resilience requirements are defined, including root and jailbreak detection and debugger detection, among others. They also include more advanced mechanisms such as Trust on First Use (TOFU), which means that the start of the Mobile App must be aborted if the runtime environment of a mobile device does not meet the security requirements. The Mobile App must include a tamper-proofing mechanism, i.e., its integrity must be guaranteed at all times.
Mobile Driving License – ISO 18013-5
ENISA considers this ISO specification to be at a medium level of maturity as described in the Digital Identity Standards document. The security architecture aims to achieve four different goals: protection against forgery, protection against cloning, protection against eavesdropping and protection against unauthorised access. In addition, several privacy goals and principles must be implemented, such as end-to-end protection of the entire identity lifecycle. Interoperability testing is mandatory, while security testing is considered optional.
In terms of Mobile App Protection, this means that the Mobile App and its data must be protected against cloning by strong app-device binding, mutual TLS is used to prevent MITM attacks, and Secure Storage and other runtime mechanisms are used to protect the mDL data at rest, in use and in motion.
Embark with Build38 on your digital identity journey
Build38 already provides the needed Mobile App Protection solutions for many markets today, enabling you to get security tested or certified. By leveraging our market-tested solutions, you can significantly reduce your time-to-market and stay ahead of mobile security threats.
In the ever-evolving digital landscape, the significance of secure and trusted digital identities cannot be overstated. As a forward-thinking company, we understand the importance of adhering to established standards and are fully prepared to tackle future regulatory requirements.
If any of the topics or standards mentioned in this blog post pique your interest, or if you have any questions, our dedicated support team is here to help. We value open communication and encourage you to contact us for guidance, clarification, or any additional information you may require.
- EUDI Wallets Certification Video: https://www.youtube.com/watch?v=p5mw0h0R1G0
- More information about the Bitkom eIDAS Summit: https://app.bitkom-events.de/event/eidas-summit-2023