Assessing the EUDI Wallet Reference Implementation Code

The EUDI wallet reference implementation serves as a practical guide for developers to create secure digital identity management solutions based on the ARF (Architecture Reference Framework). This post delves into the details of the reference implementation code, highlighting mitigation strategies to address its vulnerabilities. 

Detailed Assessment and Mitigation Strategies 

The following diagram is a functional representation of the component from the reference code. Additional libraries used for Android and iOS are highlighted. 

1. Threat Model Considerations

• Actors and Motivation: Identifying potential threat agents, including external hackers, disgruntled employees, and opportunistic insiders, helps in mapping out the threat landscape and designing effective countermeasures. 

• Attack Surfaces: Key attack surfaces include the app’s configuration, storage, and third-party libraries. Each surface presents unique vulnerabilities that need addressing through comprehensive security measures. 

2. Anti-Reverse Engineering and Anti-Tampering

• Mitigation: Implementing dynamic and static protections such as code obfuscation, secure storage, and payload encryption helps prevent against reverse engineering and tampering attempts. 

3. Root and Jailbreak Detection

• Mitigation: The use of outdated libraries like RootBeer for root detection poses a risk. Continuous and advanced rooting and hooking detection techniques are recommended to enhance security. 

4. Configuration Management

• Mitigation: Configurations should not be in clear text within the code. Secure configuration management practices, including binding configurations to app code and using obfuscation, are crucial. 
  

5. Token Protection

• Mitigation: Ensuring special protection for OAuth2 and OpenIDConnect tokens to prevent exposure and misuse, including secure storage solutions and limited token exposure within the app. The tokens cannot be handled in plaintext to avoid exposure. This means when in rest the tokens are encrypted and when in memory they should be kept encrypted and wiped if decrypted to minimize the exposure window. 
  

Conclusion 

The assessment of the EUDI wallet reference implementation code reveals several critical vulnerabilities that must be addressed to ensure the security and integrity of the digital identity management solution. By implementing robust security measures and staying vigilant against potential threats, the EUDI wallet can maintain its reliability and protect sensitive user information.

how cryptomathic can help

Cryptomathic provides an SDK called Mobile Application Security Core (MASC) that addresses these vulnerabilities. If you plan to use the reference implementation contact Cryptomathic today to guide you in the mitigation strategy and how to best address these vulnerabilities. When it comes to protecting citizens and the personal data collected and shared from the wallet, there should be no compromises. 

stay up to date

This blog is the second in a series from our mobile application security expert, Jan Lindquist, covering the security and privacy of EUDI wallets. Future blogs will cover:

• Removing the stress of security concerns from developers
• Assessing the lack of ENISA security requirements and the negative impact this may have on EUDI wallet future

To be among the first to receive these expert insights, simply fill out this form and we'll let you know when each blog is published: