Cryptomathic Mobile App Security Core (MASC) is a comprehensive security software solution for the European Digital Identity (EUDI) wallet, eID apps, mobile banking apps, etc., comprising multiple layers of mutually reinforcing mobile app security components that are provided through a simple, easy-to-use API. It enables app developers to focus on developing excellent business applications while leaving the specialist security-critical parts to MASC.
MASC features multiple layers of security, including libraries for security protocols, TLS authentication with pinned certificates, and third-party libraries integrated for malware detection and device fingerprinting. MASC offers technology for reverse engineering resistance, jailbreak/root detection, and secure configuration and operation of generic mobile apps.
To provide 360-degree protection, there are additional mechanisms for obfuscation, anti-tamper, and anti-debug, as well as a reporting scheme allowing for live monitoring and dynamic analysis of the current threat landscape.
A central part of MASC is the ability to provide the application with secure storage and independent cryptographic functions. The storage builds on and extends key stores offered by the device or OS and can be used to protect critical cryptographic keys, for instance, application keys or communication keys for entities like the backend services.
Protecting applications in a hostile environment is a cat-and-mouse game with attackers. Released over 10 years ago, MASC stays ahead by providing an evolutionary security framework through regular refinement and updates of its defense mechanisms and through randomized protections, disrupting the business model of fraudsters who depend on exploiting a target's protections over the long term.
Supporting the ENISA Guidelines
The ENISA Smartphone Guidelines Tool provides 152 security measures to address challenges and threats to mobile apps such as the EUDI wallet. Some measures apply to the server side, while others must be implemented within the app. Of these measures, 47 are applicable to the mobile app security solution space. As shown in the table below, MASC supports the implementation of 94% (or 46 out of 47) of the security measures.
The three ENISA Security Measures not covered by MASC are:
(*) “Make reverse engineering harder: Obfuscate code. Encrypt data to further obfuscate application logic.” The MASC code and the control and data flows are heavily obfuscated in production builds. However, it does not obfuscate a mobile app’s native code. Our customers use third-party obfuscation services integrated with their development pipeline.
(**) “Audit communication mechanisms to check for unintended leaks (eg image metadata).” Similarly, our customers choose to use third-party static analysis tools integrated with their development pipeline.
(***) “Database files that contain sensitive data (e.g., iOS WebView caches) must be manually removed from the file system. Deleting records using the database API will not necessarily lead to complete data removal from database structure.” Apple actively discourages third-party management of WebView, and while MASC has limited support for it, customers tend not to implement it due to the associated complexity. MASC does support WebView management on Android.
OWASP MASVS support
OWASP Mobile Application Security Verification Standard (MASVS), as detailed in our white paper on Mobile App Security for the European Digital Identity Wallet, suggests a total of 84 security requirements to address the challenges and threats. Of these, 52 security requirements are relevant to the mobile app security solution space. MASC can support the implementation of 49 of these 52 requirements (94%), as detailed in the table below.
The three OWASP MASVS requirements not covered by MASC are:
(*) “All security controls have a centralized implementation.” While the security controls are located within the MASC library, the design strategy is to deliberately decentralize controls across the library to make it harder to hook or patch them out.
(**) “The app protects itself against screen overlay attacks. (Android only).” Screen overlay protection is outside the control of MASC. MASC detects screen mirroring and allows whitelisting of accessibility providers and 3rd party keyboards on Android.
(***) “Obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.” The MASC code and the control and data flows are heavily obfuscated in production builds. However, it does not obfuscate a mobile app’s native code. Our customers use third-party obfuscation services integrated with their development pipeline.
Maintaining secure operations and user confidence
The EUDI Wallet will likely be part of our daily life, whether it is used to access public services, open a bank account, board an airplane, purchase car insurance, apply for a new job, or some other function. Given the central role it will play, the EUDI wallet will likely be under constant attack from a variety of vectors, including hackers, state-sponsored entities, and organized cyber criminals.
To be regarded as a trust anchor, both at the national level and across all EU member states, as mandated by the revised eIDAS regulation, the EUDI issuer needs to carefully consider its risk mitigation strategy and develop a defense model encompassing both proactive and reactive measures. For most issuers, issuing a mobile app with rich and security-sensitive functionality on such a large scale is new territory.
Foundational to the secure development and deployment of your EUDI wallet is a focused risk assessment and/or threat modeling exercise to gain a comprehensive understanding of the risks and threats associated with the wallet. This process will be invaluable to ensure and maintain secure operations and user confidence in the mobile app, specifically to:
- Plan and implement the necessary preventive, detective and remediation measures.
- Identify requirements to enhance in-house technical resources & skills, processes, and security tooling. Mobile app security is a complex field and requires a skillset that differs from mobile app development and DevOps.
- Reference and update to reflect changes to the threat environment or prior to changes to the wallet app itself.
In addition to providing industry best practice, reputable online resources such as ENISA Smartphone Guidelines and OWASP Mobile Security Standard can be used to reconcile the coverage and effectiveness of your security measures.
The Cryptomathic Mobile App Security Core (MASC) fulfills key selection criteria for an effective mobile application security solution to complement your approach to secure software lifecycle development. This mobile security product, featuring a mobile app security SDK and back-end assurance services, offers an evolutionary security design, continuously enhanced and refined over 10 years, that provides protection measures which are not only resistant to the threats of today but also responsive to emerging ones. With 94% coverage against ENISA security controls, MASC appears to be a highly valuable security solution for EUDI Issuers.
Furthermore, MASC does not come at the cost of sovereignty for an EU-based EUDI issuer. Cryptomathic develops, maintains and supports the MASC solution with no external dependencies. With the vast majority of mobile devices being manufactured in China and India, and the operating system owned and developed by US corporations, protecting the core of the wallet app with mobile app security developed and tested in the EU by an EU company provides you with reassurance that you will have control over security measures. The loyalty of MASC’s customer base over the past decade is a testament to its ongoing effectiveness.
For more insights, download the white paper "The European Digital Identity Wallet: Implementing Best-Practice Security for a High-Risk Asset".