Mobile identity (eID) is now at the heart of the mobile economy. We use mobile eID apps to replace passwords, protect medical records and bring greater convenience to financial transactions. We use mobile eID technologies to open doors and identify wanted people. These technologies, though complex in nature, are extremely broad in terms of areas of application. Because most mobile eID apps require only PIN or fingerprint authentication, with no password for the end-user to provide, the login credentials to remember are kept to a minimum. The ease of authentication, combined with the reuse of authentication data for signing, gives citizens an excellent user experience.
What about safety and security?
Fraudsters typically look for opportunities to attack on two sides: the client side and the back end. Organizations commonly have more control over the back end. By ensuring that their infrastructure meets relevant security standards, they make successful attacks less likely. Mobile eID apps, however, reside on end-users’ mobile devices, an environment largely outside the control of organizations. Despite efforts to secure the platform, citizens become the weak link.
The sensitive nature of unique identifiers such as passwords and social security numbers makes them an ideal target for malware. Malware can employ a plethora of techniques, all designed to find and exploit data in the eID apps they are targeting.
Tom Lysemose Hansen, CTO at Promon, explains: «Cybercriminals use sophisticated tools to learn more about the inner workings of an eID app and its cryptographic key protection. Through these processes, hackers can plan their attack. By identifying entry vectors in an unprotected app, malware can steal sensitive user data through techniques such as keylogging and screenshots containing private password information. This approach, combined with efforts to steal cryptographic keys, makes hackers a force to be reckoned with.»
Hackers also create malicious apps to compromise user data. Cybercriminals may exploit weaknesses in the code of the eID app to create a cloned (fake) version. Sensitive information can then be fetched and transmitted to the perpetrator’s server, where it can be used to carry out fraudulent activity.
Mr. Hansen believes mobile security threats like fake and malicious apps will become even more prevalent in 2019, with users increasingly subject to malicious activity pushing malware apps to their phones, tablets and other devices running Android and iOS.
According to research reports from G DATA Software in Germany, more than 3 million malicious apps have affected devices with Android operating systems during the first nine months of 2018. «There are more than 11,000 new malicious applications per day», Mr. Hansen says.
Why in-app protection is crucial
In-App Protection makes your mobile eID apps more resistant to scalable malware, intrusion, tampering and reverse engineering of the app. In addition, it provides cryptographic key protection and collects data to both identify attack vectors and help prevent future attacks. It is a critical link once your eID apps go live in untrusted environments.
Based on in-depth monitoring and control of the operating system, Promon’s in-app protection solution offers a proactive, whitelist-based technology that protects both the app itself and the app’s inputs and outputs. Your eID apps can be uploaded and secured in minutes using an integration tool, or with an SDK that is easily integrated into the app.
«The protection of mobile identities should be a key strategic priority for governments and businesses worldwide. It’s crucial that we implement in-app protection solutions to protect end-user data», Mr. Hansen says.
In the Nordics, some companies are now offering free eID. Earlier this year, Swedish Verisec announced a free version of its Freja eID, giving businesses, authorities and organizations access to a completely free-of-charge eID. Promon’s in-app protection technology provides an added layer of security by protecting Freja eID users against malware.
«What businesses like Verisec are now doing is effectively removing the biggest obstacle to continued digitalization. Digital identity products need, however, to be accompanied by protective technologies. By utilizing In-App Protection, Verisec are able to detect and prevent intrusions, including reverse-engineering, rooted and jailbroken devices and overlay attacks», Mr. Hansen says.
The building blocks
Mr. Hansen shares the most important security building blocks for mobile eID apps. They:
✓ Stop attackers from reverse-engineering or tampering with your eID apps, preventing repackaging and related attacks;
✓ Protect cryptographic keys and app data against prying eyes;
✓ Detect rooted and jailbroken devices that may put your mobile eID apps and end-users at risk; and
✓ Establish the integrity of the app and device for trusted authentication of the end-user.
Promon’s in-app protection technology provides an added layer of security and keeps sensitive user data such as online banking credentials, passwords, medical records and social security numbers safe.