Organizations responsible for the development of an EUDI wallet (or other apps handling highly sensitive data) will be acutely aware of the importance of security throughout the entire digital wallet ecosystem. In addition, they will likely already have a skilled security function and have implemented industry-standard security policies and procedures.
However, implementing adequate proactive and reactive security measures to counter the threats to large-scale deployments of such sensitive mobile apps is a highly specialized field, especially when the mobile app runs on devices that the organization cannot manage. For this reason, organizations should strongly consider contracting with a mobile app security vendor.
Terminology (RASP vs App Shielding vs In-App Protection)
The importance of implementing appropriate security mechanisms within the EUDI wallet is clear, but it can be confusing to determine exactly what protections are needed when researching vendors and solutions. As a starting point, Gartner defines three categories of mobile app security solutions:
- Runtime application self-protection (RASP) – A security technology that is built or linked into an application or application runtime environment that can control application execution while detecting and preventing real-time attacks.
- Application shielding – This refers to protection capabilities that are implemented directly within the application, rather than inline or on the hosting system, to prevent and detect attacks such as tampering and reverse engineering. Application shielding can be used for any type of application, but there is currently a particular focus on mobile apps.
- In-App protection – These are security solutions implemented within the application (instead of the network or the operating system, for example) to make the application more resistant to attacks such as malicious data exfiltration, intrusion, tampering, and reverse engineering.
As can be seen from these definitions, it is not immediately clear what differences exist between these categories.
The two types of mobile app security solutions
Solutions classified as providing RASP, app shielding or in-app protection all offer some level of safeguard against reverse engineering and tampering. However, irrespective of category, they all fall into one of two key types:
1. The app is secured after development: Once development is complete and the app is tested and functional, it is submitted to a service that adds software protection mechanisms to the final code and alters its structure to make it difficult to reverse engineer and tamper with. During this process, configuration settings determine which protections to enable.
Figure - Mobile app security solution as a service: often known as “App Shielding” or “App Guarding”.
Solutions described with terms like ‘app shielding’, ‘app guarding’ or similar tend to offer this service. This type of solution is relatively easy to implement.
2. A toolkit secures the app during development: At the outset of development, a software development kit (SDK) is incorporated into the development environment. The SDK is essentially a suite of security tools that prevent reverse engineering and tampering of the app. The developer can then focus on developing the functional requirements of the mobile app while leaving the specialist, security-critical parts to the SDK.
Figure - Mobile app security solution includes a toolkit: often known as “In-App Protection” or “Security Core".
Such solutions are aligned with the ‘shift left’ approach, whereby security is a central design consideration at an early stage of the development lifecycle rather than an afterthought. Solutions described with terms like ‘in-app protection’, ‘security core’ or similar tend to offer an SDK. They tend to offer increased security coverage, flexibly tailored to the specific functionality of the app.
Table - Comparison of two types of mobile app security solutions.
What to look for in your mobile app security solution
In advance of starting your development, you will likely have performed a risk assessment or threat modeling to inform the security measures that are necessary for your EUDI wallet mobile app. Assuming, for this example, that you have used the STRIDE model, a pattern in the required security measures emerges as you analyze each threat.
- For the threats classified as Spoofing, you will require a security measure that provides authenticity. Such an authentication mechanism requires a tamper-resistant environment (integrity protected) in which to run, as well as access to secrets that are protected against Information disclosure.
- For threats classified as Repudiation, you will require a non-repudiation countermeasure. Such a security measure requires that the information is integrity-protected and authenticated (using public key cryptography). Again, this points to a security measure that runs in a tamper-resistant and confidentiality-protected environment.
- Threats classified as Elevation of privilege will require the development of appropriate authorization mechanisms. Again, to be robust, they will need to be protected from tampering and information disclosure.
- Few threats can be categorized as Denial of service against the mobile app itself; however, a standard countermeasure is to ensure connections are appropriately authenticated. Again, this requires mechanisms that are protected from tampering and information disclosure.
Thus, the foundation of secure mobile app development is mechanisms that protect the integrity and confidentiality of the app and its contents, essentially protecting against information disclosure (using anti-reverse engineering security measures) and tampering (using anti-tampering security measures).
Therefore, you should choose a mobile app security solution that has comprehensive coverage of security measures against information disclosure and tampering, both while the app is running (dynamic) and while it is not (static). Using such a mobile app security solution as the foundation, the EUDI wallet developer can feel confident in implementing the other security measures directly in the app.
The following table describes the security measures to look for when selecting your mobile app security solution and the rationale for each.
Table - Security measures relevant for selecting a mobile app security solution
Some of the security measures in the above table can be classified as protection against information disclosure, against tampering, or both. Further, security measures can provide protection while the app is running (dynamic), dormant (static), or both. The following diagram depicts which security measures fall into which classification.
How Cryptomathic can help
Cryptomathic's Mobile App Security Core (MASC) is a security software development kit (SDK) for the EUDI wallet, eID apps, mobile banking apps etc., comprising multiple layers of mutually reinforcing mobile app security components that are provided with a simple, easy-to-use API. It enables app developers to focus on developing excellent business applications while leaving the specialist, security-critical parts to MASC.
Protecting applications in a hostile environment is a cat-and-mouse game with attackers. Released over 10 years ago, MASC stays ahead by providing an evolving security framework: defense mechanisms are regularly refined and updated, and protections are randomized, which disrupts the business model of fraudsters who depend on a bypass of a target's protection remaining usable long-term.
MASC features multiple layers of security, including libraries for security protocols, TLS authentication with pinned certificates, and integrated third-party libraries for malware detection and device fingerprinting.
MASC offers technology for reverse-engineering resistance, jailbreak / root detection and secure configuration and operation of generic mobile apps.
To provide 360-degree protection, there are additional mechanisms for obfuscation, anti-tamper and anti-debug, as well as a reporting scheme allowing for live monitoring and dynamic analysis of the current threat landscape.
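Certificate pinning, as listed among the TLS features above, is worth seeing concretely because the weak and the hardened configuration differ in only a few lines. The following Android/Kotlin snippet is an added example written for this page using the OkHttp client; it is not MASC code and does not show the MASC API. The host name, the pin values (valid-format but meaningless placeholders) and the `reportSecurityEvent` hook are assumptions made for the example.

```kotlin
// Added example (not MASC code): TLS certificate pinning with OkHttp.
// Host name and pin values are placeholders; replace them with the SPKI hashes
// of your backend's certificate chain, computed with pinFor() below.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.security.cert.Certificate
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

const val BACKEND_HOST = "wallet-backend.example" // assumed host

// Weak: the default client accepts any chain that validates against the
// device's CA store, so a compromised or user-installed CA can impersonate
// the backend.
val unpinnedClient: OkHttpClient = OkHttpClient()

// Hardened: in addition to normal CA validation, require that the chain
// contains a public key whose SHA-256 hash matches one of the pins. A backup
// pin for the next key is included so rotation does not lock users out.
// (Placeholder hashes: 32 zero bytes and 32 0xFF bytes, base64-encoded.)
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(BACKEND_HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .add(BACKEND_HOST, "sha256///////////////////////////////////////////8=")
    .build()

val pinnedClient: OkHttpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .callTimeout(15, TimeUnit.SECONDS)
    .build()

/** Compute the "sha256/..." pin string for a certificate obtained out of band. */
fun pinFor(cert: Certificate): String = CertificatePinner.pin(cert)

// Assumed hook: in a real deployment this feeds the vendor's reporting scheme
// so pin failures show up in live monitoring. Here it just collects events.
val securityEvents = mutableListOf<Pair<String, String>>()
fun reportSecurityEvent(kind: String, detail: String) {
    securityEvents += kind to detail
}

/**
 * Fetch a resource over the pinned client. A pin mismatch surfaces as
 * SSLPeerUnverifiedException; it is reported and never retried without pins.
 */
fun fetchPinned(url: String): Result<String> = runCatching {
    pinnedClient.newCall(Request.Builder().url(url).build()).execute().use { resp ->
        check(resp.isSuccessful) { "HTTP ${resp.code}" }
        resp.body?.string() ?: ""
    }
}.onFailure { e ->
    if (e is SSLPeerUnverifiedException) {
        reportSecurityEvent("tls_pin_mismatch", e.message ?: "no detail")
    }
}
```

Two points the snippet is meant to make: pinning is layered on top of, not instead of, ordinary chain validation, and a pin failure should be treated as a security signal to report rather than an error to retry over an unpinned connection. Pin values, like the rest of the app's static configuration, are themselves a target for tampering, which is the reason the page ties TLS pinning to the anti-tamper and anti-reverse-engineering measures rather than treating it in isolation.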
A central part of MASC is the ability to provide the application with secure storage and independent cryptographic functions. The storage builds on and extends key stores offered by the device or OS and can be used to protect critical cryptographic keys, for instance application keys or communication keys for entities like the backend services.
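To illustrate what "builds on and extends key stores offered by the device or OS" means in practice, the following Android/Kotlin example generates a signing key inside the platform key store, asks the platform where the key material actually resides, and exposes the attestation chain for a backend to verify. It is an added example written for this page and is not MASC code or its API; the key alias, the backend-supplied challenge and the `signPresentation` caller are assumptions, and the code assumes API level 30 or higher.

```kotlin
// Added example (not MASC code): a hardware-backed signing key in the Android
// Keystore with a check of where the key lives before it is trusted.
// Alias and challenge are assumptions; API level 30+ is assumed.
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.Signature
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

object WalletSigningKey {
    private const val PROVIDER = "AndroidKeyStore"
    private const val ALIAS = "eudi.wallet.credential.signing" // assumed alias

    /** Where the platform reports the key material is held. */
    enum class Level { STRONGBOX, TEE, SOFTWARE }

    /**
     * Returns the existing key handle or generates a new P-256 signing key.
     * StrongBox (dedicated secure element) is requested first and the TEE-backed
     * keystore is the fallback. The challenge is a fresh nonce from the backend;
     * it is embedded in the attestation certificate chain so the backend can tie
     * the key to this device and this enrolment. It is ignored on reuse.
     */
    fun getOrCreate(attestationChallenge: ByteArray): PrivateKey {
        val ks = KeyStore.getInstance(PROVIDER).apply { load(null) }
        (ks.getKey(ALIAS, null) as? PrivateKey)?.let { return it }

        fun spec(strongBox: Boolean): KeyGenParameterSpec =
            KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Signing requires a user authentication within the last 30 s.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationParameters(
                    30, KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL
                )
                .setAttestationChallenge(attestationChallenge)
                .apply { if (strongBox) setIsStrongBoxBacked(true) }
                .build()

        val kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, PROVIDER)
        return try {
            kpg.initialize(spec(strongBox = true))
            kpg.generateKeyPair().private
        } catch (e: StrongBoxUnavailableException) {
            kpg.initialize(spec(strongBox = false))
            kpg.generateKeyPair().private
        }
    }

    /** Ask the platform where the key lives. Anything not clearly hardware is SOFTWARE. */
    fun level(key: PrivateKey): Level {
        val info = KeyFactory.getInstance(key.algorithm, PROVIDER)
            .getKeySpec(key, KeyInfo::class.java)
        return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            when (info.securityLevel) {
                KeyProperties.SECURITY_LEVEL_STRONGBOX -> Level.STRONGBOX
                KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> Level.TEE
                else -> Level.SOFTWARE // SOFTWARE, UNKNOWN and UNKNOWN_SECURE are all refused
            }
        } else {
            // Before API 31 the platform cannot tell StrongBox and TEE apart.
            @Suppress("DEPRECATION")
            if (info.isInsideSecureHardware) Level.TEE else Level.SOFTWARE
        }
    }

    /** Attestation chain for the backend to verify (root, challenge, security level). */
    fun attestationChain(): List<Certificate> =
        KeyStore.getInstance(PROVIDER).apply { load(null) }
            .getCertificateChain(ALIAS)?.toList() ?: emptyList()

    /** Sign with the keystore handle; the private key never leaves the hardware. */
    fun sign(key: PrivateKey, payload: ByteArray): ByteArray =
        Signature.getInstance("SHA256withECDSA").run {
            initSign(key)
            update(payload)
            sign()
        }
}

// Assumed caller: refuse to sign a credential presentation with a software-only key.
fun signPresentation(challengeFromBackend: ByteArray, payload: ByteArray): ByteArray {
    val key = WalletSigningKey.getOrCreate(challengeFromBackend)
    require(WalletSigningKey.level(key) != WalletSigningKey.Level.SOFTWARE) {
        "wallet key is not hardware-backed; refuse to issue the presentation"
    }
    return WalletSigningKey.sign(key, payload)
}
```

The local `level()` check is app code and, on a tampered device or app, can be patched out like any other client-side decision; the verification a backend should rely on is the attestation chain returned by `attestationChain()`, whose root and embedded challenge are checked server-side. That dependency is exactly why the page pairs secure storage with anti-tamper and anti-reverse-engineering measures: the key store protects the key material, while the app protection mechanisms protect the code that decides when and how the key is used.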
For more information, visit https://www.cryptomathic.com/products/mobile-app-security-core-overview or download the white paper on Mobile app security for the European Digital Identity Wallet.
Contact Cryptomathic to see how we can help you with your mobile app security needs.