Cryptomathic Blog

The European Commission, as part of the eIDAS 2.0 proposal promotes the European Digital Identity Wallet (EUDI Wallet) as an app that enables citizens and residents all over the EU to identify and authenticate themselves. EUDI Wallet users should also be able to store and selectively disclose, locally and remotely, digital travel credentials (ePassports), driver’s licenses, university diplomas, as well as personal information including medical records or bank account details. The wallet should also allow its users to access a variety of online services, and sign documents with qualified electronic signatures and seals (QES). The scope of this wallet app is described in some detail in The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework, and a reference implementation is expected for September 2023.

Organizations responsible for the development of an EUDI wallet (or other apps with highly sensitive data), will be acutely aware of the importance of security throughout the entire digital wallet ecosystem. In addition, they will likely already have a skilled security function and have implemented industry-standard security policies and procedures.

However, implementing adequate proactive and reactive security measures to counter the threats to large-scale deployments of such sensitive mobile apps is a highly specialized field, especially when the mobile app is being executed on devices that cannot be managed. For this reason, organizations should strongly consider contracting with a mobile app security vendor.

The European Commission promotes the European Digital Identity wallet (EUDI wallet) as part of its effort to digitize the economy and help foster trust services. In practice, this means that from the end of 2023 each EU Member State will gradually offer a mobile-based wallet to their citizens, residents and businesses to identify and authenticate online. Here we look at the scope of the EUDI and some of the security challenges for the app.

Here we explain why additional security mechanisms, beyond the mobile OS security features, are needed to protect mobile banking applications from malware and related threats.

As the use of mobile phones for mobile banking and payment applications increases, corresponding security threats are increasing as well. The majority of smart phones use only two operating systems (Android and iOS) and, therefore, they represent prey of choice for criminal groups and malevolent hackers. 

In this article, we will explain some of the defense mechanisms and security techniques involved with protecting mobile banking applications.

Here we provide a short overview of why strong authentication is seriously needed to provide security for mobile banking and payment applications. 

With the introduction of PSD2, banks are forced to provide third party payment service providers (PSPs) with access to the bank’s customers’ account information for account servicing and payment initiation services, but only in the case where the user has granted access to these third-party players. This article explores a technical solution that leverages eIDAS to address the PSD2 requirements.

When developing an application for mobile banking, application hardening using code obfuscation is one possible way of protecting sensitive data. However, this may not be an acceptable solution in many different scenarios: when the data to protect must be (partially) displayed, linked to other accounts or other data, or sent to a remote network, etc. The general solution to this problem is data obfuscation.

Attacks on mobile banking and payment applications frequently begin with the use of an emulator for the mobile operating system, where the targeted application is run and analysed.