Following a Recommendation by the European Commission, from the end of 2023 each EU Member State will gradually offer the European Digital Identity (EUDI) wallet to their citizens, residents, and businesses. This mobile-based wallet will serve to manage access to verified sensitive personal information and to identify and authenticate the wallet's owner when interacting with financial services, medical institutions, government agencies, and other third-party services. Due to the high value of information and authentication capabilities provided by EUDI wallets, they are highly attractive targets for threat actors. This article explores secure development strategies for an EUDI wallet app. While being specific to the EUDI wallet, the methodology is equally applicable to the development of any IT asset.
For more in-depth insights, download the white paper "The European Digital Identity Wallet: Implementing Best-Practice Security for a High-Risk Asset".
Risk terminology and approaches
Organizations responsible for the development of European Digital Identity (EUDI) wallets will already have their own general in-house approach to protecting the many assets for which they are stakeholders. This approach likely includes various risk management and threat management techniques to be used depending on the type of asset and its status.
For example, a physical safe containing millions of Euros will face different threats and vulnerabilities than the intangible reputation of an organization’s brand. Therefore, when treating the associated risks of these two assets, the organization would use different approaches.
The objective of the EUDI Wallet is to achieve widespread usage, accessible to all EU citizens. The ultimate goal is to have the EUDI wallet available on millions of unmanaged mobile devices, with varying vulnerabilities that may change over time. As a result, the EUDI wallet will face constant threats from multiple sources.
For existing assets with known vulnerabilities, a risk-based assessment may be most appropriate to identify, evaluate and prioritize risks to be treated. The figure below depicts ‘risk’ in terms of a ‘threat’, ‘asset’ and ‘vulnerability’ as defined by ENISA.
When designing a new asset (in this case the EUDI wallet), the wallet has not yet been developed and therefore the vulnerabilities inherent to the asset have not been identified. Further, minimizing those vulnerabilities will almost certainly be a design criterion. Therefore, it may be more appropriate to use a model focused on identifying the ‘attack surface’ of the asset in order to implement appropriate security controls. This article uses the NIST definition of ‘attack surface’.
There are many terms used to define a ‘security measure’ to protect the attack surface, whether protection is against a known risk or not. These terms include ‘control’, ‘mitigation’, ‘risk control’, and ‘countermeasure’. Since risks evolve over time as the threat landscape changes, new vulnerabilities are discovered and the asset is developed, these terms will be generalized as synonyms and used interchangeably. Finally, the term ‘vulnerability’ can also refer to an ‘absence of an effective control against a known risk’.
A risk assessment may be the most suitable method for improving the security of an asset that has known threats and established vulnerabilities.
In this case, the context for a risk assessment would likely be an existing EUDI wallet deployment and would include current threats and known vulnerabilities. The actual assessment could be triggered by a change to the threat landscape, the identification of new vulnerabilities, a planned enhancement of the wallet, or a scheduled / ad hoc review.
The first stage for the responsible parties is to identify the current and potential future risks associated with the EUDI wallet.
When analyzing identified risks, it is necessary to assign a probability of occurrence and an associated impact. The Common Vulnerability Scoring System (CVSS) is a useful tool for quantifying vulnerabilities based on factors such as ease of exploit, attack surface, required access level, and impact of the exploit.
The analysis also considers existing controls or processes that are designed to minimize the risks. This stage of the risk assessment process is usually specific to the organization and is possibly based on, amongst other things, a mix of statistical analysis, empirical data, expert advice, and modeling. The output could be a risk rating (such as high, medium and low), or it could be expressed in impact (monetary, technical, operational, and societal). As ENISA states, “…the specification of the risk level is not unique. Impact and likelihood may be expressed or combined differently, according to the type of risk and the scope and objective of the Risk Management process”.
Evaluate and treat risks
The organization can then evaluate which of these remaining risks to address and with which priority. For each residual risk, the organization will decide whether to:
- Improve, or optimize controls in the environment to further reduce the risk;
- Transfer the risk to another entity, such as insuring against the risk occurring or contracting another entity to treat the risk. It is worth noting that, even when transferring the risk, the organization is still responsible for the actual risk;
- Decide to avoid the risk entirely. In the case of the EUDI wallet, an example of risk avoidance could be the removal of a fully automated identity-proofing process from the wallet. The removal of this process would also remove the associated risks of false positives in the identification proofing; or
- Retain or accept the risk for a period of time. Risk-retention/acceptance could be an appropriate response to a risk with a low likelihood of occurring and a minimal impact in the event it does occur. However, it would be entirely inappropriate if the risk related to identity theft or data leakage.
The above diagram also includes a feedback loop since the:
- Features and/or the inherent value of the asset, in this case, the EUDI wallet, may change over time;
- Threat landscape will change based on geopolitical, social, and environmental factors;
- Discovery of vulnerabilities in technology, people, and processes is an ongoing process; and
- Risks inherent in the asset today can influence the digital wallet’s features, threats, and discovered vulnerabilities tomorrow.
For a new development where the vulnerabilities inherent to the asset have not been identified, threat modeling may be a more appropriate methodology, since it allows the developer to focus on the entire attack surface, and not just the known risks, when developing and deploying security controls.
Threat modeling likely precedes the initial development of an EUDI wallet but could also be triggered by an enhancement to the wallet, a change to the threat landscape, or a scheduled / ad hoc review.
The context in modeling will be the planned functionality of the wallet and the entire wallet ecosystem.
Identify and categorize applicable threats
The first stages of threat modeling typically involve identifying the attack surface of the wallet. In practice, and taking into consideration that NIST defines an attack surface in terms of a system, “…the boundary, a system element, or an environment…”, an effective way to achieve this is to deconstruct the wallet into the multiple component parts that support its functionality. In essence, the EUDI wallet is broken down into its individual functionalities and interfaces.
By analyzing potential threats to the EUDI wallet and common attack vectors, the organization can select a suitable threat model to categorize these risks.
Analyze and evaluate threats
During the analysis and evaluation of threats, the organization can then prioritize and group threats to devise a strategy to protect their EUDI wallet and ensure appropriate countermeasures (security controls) can be designed into the solution.
The three types of security control are:
- Preventive – designed to prevent an attack or minimize the likely success of an attack;
- Detective – designed to notify in real-time or near-real-time of an attack; and
- Corrective – (once notified) designed to restore the asset to normal operations following an attack.
Implement security controls
In practice, the overall security design of the EUDI wallet will require a blend of these types of security control to be implemented. Given the modular nature of the EUDI wallet and its interfaces, these security controls will be reused frequently. For example, preventing access to sensitive information is a common requirement across all functionalities and interfaces of the EUDI wallet, as is ensuring the runtime integrity of each component.
These controls will likely require the implementation of security tools, monitoring tools, and processes.
Validate controls and identify vulnerabilities
During the development phase of the wallet, there should be testing of the wallet to validate the effectiveness of these implemented controls and identify any vulnerabilities.
The ideal outcome of this methodology is an EUDI wallet with minimal known vulnerabilities over its entire attack surface, not just in the areas of known risk. In doing so, this provides additional assurance that the wallet will be more resilient to as yet unknown threats and attack vectors.
Cryptomathic is a leader in eIDAS solutions and strong mobile app defense mechanisms - our Mobile App Security Core (MASC) provides a comprehensive security solution for apps that store sensitive data. Download the white paper on mobile security or contact us for more information.