Were I to ask you what a handwritten signature looks like, with an air of confidence will you grab a pen and scrawl your name on a piece of paper, or, with a flourish, will you grip your thumb and fingers together and, sign your name in the air? 'Voila!’
Organizations responsible for the development of an EUDI wallet (or other apps with highly sensitive data), will be acutely aware of the importance of security throughout the entire digital wallet ecosystem. In addition, they will likely already have a skilled security function and have implemented industry-standard security policies and procedures.
However, implementing adequate proactive and reactive security measures to counter the threats to large-scale deployments of such sensitive mobile apps is a highly specialized field, especially when the mobile app is being executed on devices that cannot be managed. For this reason, organizations should strongly consider contracting with a mobile app security vendor.
The European Digital Identity wallet (EUDI wallet) is proposed by the European Commission to provide a secure, safe and standardized digital identity for all EU citizens. It is based on the European Standard for Electronic Identification and Trust Services (eIDAS) and part of the proposed eIDAS 2.0 regulation. The EUDI wallet will be made available to its users as a mobile app that allows them to securely store and selectively share, locally or remotely, on request and under their sole control, identification data based on their national electronic IDs (eIDs), as well as other attestations of attributes such as digital travel credentials (ePassports), driver’s licenses, university diplomas, and also personal information including medical records or bank account details. The wallet should also allow them to access a variety of online services and sign documents with qualified electronic signatures and seals (QES).
With such valuable data stored on an app, the threats to the EUDI wallet will come from multiple diverse sources, all with varying motives. This article explores the threat landscape and considerations for protecting the digital wallet's sensitive data against threats.
Following a Recommendation by the European Commission, from the end of 2023 each EU Member State will gradually offer the European Digital Identity (EUDI) wallet to their citizens, residents, and businesses. This mobile-based wallet will serve to manage access to verified sensitive personal information and to identify and authenticate the wallet's owner when interacting with financial services, medical institutions, government agencies, and other third-party services. Due to the high value of information and authentication capabilities provided by EUDI wallets, they are highly attractive targets for threat actors. This article explores secure development strategies for an EUDI wallet app. While being specific to the EUDI wallet, the methodology is equally applicable to the development of any IT asset.
