NOW LET US – AI RAG SaaS Studio TP.HCM
NOW LET US
Digital Product Studio
Back to news
DEV-TOOLS...19 min read

German implementation of eIDAS will require an Apple/Google account to function

Share
NOW LET US Article – German implementation of eIDAS will require an Apple/Google account to function

Germany's implementation of the eIDAS framework introduces a Mobile Device Vulnerability Management (MDVM) concept to ensure high security, effectively requiring Apple or Google services to verify device integrity.

Mobile Device Vulnerability Management Concept¶

Motivation¶

The Wallet Unit provides for authentication means which can be bound to multiple identification means, such as the PID, via a public/private key pair, see cryptography.

When issuing the PID, the WB confirms to the PP (via OpenID4VCI Key Attestation) that the keys to which a PID is to be bound are controlled by an authentication means(../05-cryptography.md) that meets certain security requirements with regard to resistance against attackers with a certain attack potential (see ISO/IEC 18045).

Furthermore, in the context of performing electronic identification at assurance level high, such as the PID, it is required that authentication of wallet users is done in accordance with, the requirements for the characteristics and design of electronic identification means at assurance level high, as set out in Implementing Regulation (EU) 2015/1502 (see CIR 2024/2979 Article 5 1. b/g).

Therefore, the authentication means provides two important assurances:

The authentication means protects against duplication and tampering attacks to the key store by attackers with high attack potential. Thus, the PP can be sure that it's issued credentials that are bound to the keys of the authentication mean cannot be duplicated by an attacker with high attack potential and thus the identification means itself cannot be duplicated in their entirety (see CIR 2015/1502 Annex 2.2.1).

The authentication means protects against attacks on the user’s authentication mechanism by attackers with high attack potential. Thus, the PP can be sure that it's issued credentials that are bound to the keys of the authentication mean cannot be misused by an attacker with high attack potential, e.g. for single presentations of a credential (see CIR 2015/1502 Annex 2.3.1).

The first assurance can be achieved by creating and processing the relevant keys in an RWSCD implemented as an HSM that has been appropriately evaluated and certified. This assurance can therefore be achieved independently of the user device.

The second assurance concerns the authentication mechanism of the user towards the relying party when presenting the credential. This includes two-factor authentication of the user towards the RWSCA. The security of the user authentication mechanism and the authentication factors depend on the security of the user device. The solution comprises a possession factor secured by the HKS of the mobile device and a knowledge factor entered via the mobile device.

The security of the possession factor depends on the existence of exploitable vulnerabilities in the HKS of the mobile device that allow the key to be extracted or misused.

The security of the knowledge factor, depends on the existence of exploitable vulnerabilities in the wallet instance and/or the operating system of the mobile device.

A preceding vulnerability analysis and certification of the HKS or the OS with regard to resistance to a specific attack potential, which would significantly reduce the likelihood of the existence of relevant vulnerabilities, is not available for mobile devices in practice. Rather, it can be observed that relevant vulnerabilities have become known for mobile devices in the past.

For this reason, the solution provides for monitoring identified vulnerabilities for the HKS and the operating system of user devices through a mobile device vulnerability management (MDVM) during operation to reduce the likelihood that existing relevant vulnerabilities can be exploited. This is achieved by ensuring that if vulnerabilities are known for a user device that could compromise the user's authentication mechanism towards the RWSCA with a attack potential of ‘high’ or lower, the use of keys secured by the RWSCA/RWSCD is prevented. Thus, the confirmation of the WB to the PP remains valid.

To achieve this goal, the MDVM provides for the following functions:

| Function | Description | |---|---| | Verify device/app security posture | Provides verified information regarding device integrity and authenticity, as well as wallet app integrity and authenticity for a specific user device/wallet instance. To achieve this, security functions from the platform of the user device are used, as well as platform independent solutions such as RASP (Runtime Application Self-Protection) solutions. | | Identify device class | Provides verified information regarding the device model, the operating system incl. version and patch level and the HKS. This could be achieved with the verified information from platform attestations and RASP attestations. | | Verify vulnerabilities for device classes | Provides up-to-date information on relevant vulnerabilities of the device operation system and HKS of a dedicated device class. | | Decide on device/app usage | Based on device/app security and vulnerability information, (1) prevent confirmation to the PP via OpenID4VCI Key Attestation if devices/wallet instances are not sufficient secure, (2) prevent the use of RWSCD keys by user authentication with insufficiently secure devices/wallet instances. |

The components and roles for providing these functions are introduced in the decomposition chapter of the architecture.

Collected Signals¶

This chapter provides an overview of the collected signals and their mapping to relevant threats. It also describes additional uses of these signals for plausibility checks and for determining the device class used to query the MDVM databases.

Overview¶

| Signal-Source | Threats | Synergies | Notes | |---|---|---|---| | KeyAttestation | rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence), app repackaging & tampering & spoofing & downgrading, app cloning, device or HKS emulation attacks, Replay attacks, response reuse, device proxy used to spoof attestations | LPADB, RASP | Used as input for DCVDB, needs LPADB to increase resilience against non-publicly leaked KeyAttestation keys | | PlayIntegrity | app repackaging & tampering & spoofing, Replay attacks, response reuse, proxy attestations, app downgrade attacks, side-loaded older vulnerable app versions, rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) + Google proprietary backend MDVM verdict to identify compromised devices, Credential theft tools, input automation/bots, overlay attacks (e.g. tapjacking), can be used to enforce security update policies (MEETS_STRONG_INTEGRITY requires a security patch in the last 12 months) | KeyAttestation, RASP | Bootloader state needs to be checked to trust PlayIntegrity verdicts, Unsure how trustworthy → unclear how the evaluation in the google backend works (also known to be often targeted by open source rooting community using leaked KeyAttestation keys) | | iOS DC Device Check | Replay attacks, tampering with certificate, device proxy used to spoof attestations, app repackaging & tampering & spoofing, leaked debug builds, it's unclear from documentation what additional threats could be mitigated | RASP | DeviceCheck needs additional security measures as it does not attest to the integrity of the device → RASP | | Leaked Platform Attestation Key Database (LPADB) | rooting based on unlocking bootloader using publicly leaked attestation keys for obfuscation | KeyAttestation | - | | Device Class Vulnerability Database (DCVDB) | insecure user devices due to publicly known vulnerabilities e.g. rooting/local privilege escalation, TEE, bootloader/chain of trust exploits | KeyAttestation, RASP | DCVDB is only as effective as the identification of the correct device class | | Runtime Application Self-Protection (RASP) | App Hooking/debugging & Repackaging & tampering, UD rooting & emulation | - | RASP provides a way to continuously and dynamically monitor the app and the user’s device for integrity and authenticity while the app is running. Additionally, it provides an alternative detection framework that operates independently of the platform mechanisms. |

Android KeyAttestation Signals¶

| Signal | Enforcement | Details | Example Value | Mitigated Threats | Additional Usage | Plausibility Check | |---|---|---|---|---|---|---| | SecurityLevel | Hardwareenforced | identifies HKS type | TrustedEnvironment or StrongBox | emulation attacks e.g. emulation of devices or key stores | ensure the keys are stored in a secure key storage | used, must always be the same | | attestationIdModel | Hardwareenforced | identifies device model | e.g. "SM-A146P" for a Samsung Galaxy A14 5G | app cloning | used to identify device class | used, must always be the same | | attestationIdProduct | Hardwareenforced | identifies device model (alternative source attribute) | e.g. "a14xmeea" for a Samsung Galaxy A14 5G | app cloning | used to identify device class | used, must always be the same | | attestationIdDevice | Hardwareenforced | identifies device model (alternative source attribute) | e.g. "a14xm" for a Samsung Galaxy A14 5G | app cloning | used to identify device class | used, must always be the same | | osVersion | Hardwareenforced | identifies OS version | e.g. "130000" for Android 13 | app cloning, downgrade attacks | used to identify device class | used, can only increase, not decrease | | osPatchLevel | Hardwareenforced | identifies the current security patch level | e.g. "202508" for security patch level August 2025 | - | used to identify device class | used, can only increase, not decrease | | RootOfTrust. deviceLocked | Hardwareenforced | identifies the current boot loader state | e.g. "true" if device booted a signed image that was successfully verified by Verified Boot | rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) | - | not used | | RootOfTrust. verifiedBootState | Hardwareenforced | identifies the device's Verified Boot state | e.g. "Verified" for fully verified root of trust | rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence), emulation attacks | - | not used | | attestationChallenge | Hardwareenforced | server-provided challenge | max 128 bytes length | Replay attacks, response reuse, device proxy used to spoof attestations | - | not used | | AttestationApplicationId. AttestationPackageInfo. package_name | Softwareenforced | identifies apps that are allowed to use the secret key material under attestation | e.g. "org.sprind.wallet" | app repackaging & tampering & spoofing | - | not used | | AttestationApplicationId. AttestationPackageInfo. version | Softwareenforced | identifies the apps "versionCode" from the build properties | e.g. "1" | app downgrade attacks, side-loaded older vulnerable app versions | - | used, can only increase, not decrease | | AttestationApplicationId. signature_digests | Softwareenforced | set of SHA-256 digests of the app's signing certificates | SHA-256 digests in Base64 encoding | app repackaging & tampering & spoofing | - | not used |

Notes:

  • "attestationIdModel", "attestationIdProduct", and "attestationIdDevice" can all be used to identify the device model for determining the device class. All three are included because tests have shown that some devices do not provide all of these values. To increase the likelihood of identifying the model via key attestation, all three fields should be evaluated.
  • The key attestation signature and certificates (including the full certificate chain) must be validated in order to rely on the signals as described. Google’s revocation list for key-attestation certificates should also be checked. However, the list is not updated frequently enough, and there are regularly leaked keys publicly available that can still be used to sign key attestations but have not yet been revoked by Google.
  • Android key attestation also includes additional information about the properties of the attested key, such as user-authentication requirements for key usage or the key’s purpose (signing, encryption, etc.). These aspects are not documented in this list, as they do not mitigate a specific threat to the app or the device. Nonetheless, they are important and must be verified when evaluating the key attestation.

Android PlayIntegrity Verdict Signals¶

| Signal | Provider | Details | Example Value | Mitigated Threats | Collect Experience | Plausibility Check | |---|---|---|---|---|---|---| | requestDetails. requestPackageName | OS | Package name the request claims to originate from; Play Integrity verifies it matches the calling app + signing cert | e.g. "org.sprind.wallet" | app repackaging & tampering & spoofing | - | not used | | requestDetails. nonce | Wallet Backend | Random value generated by your backend to prevent replay; returned unchanged in the verdict | base64 encoded 16–32 bytes | Replay attacks, response reuse, proxy attestations | - | not used | | requestDetails. timestamp | Time when Google produced the verdict | e.g. "1672531199000" (Unix ms) | Replay attacks, response reuse, proxy attestations | - | not used | | | appIntegrity. appRecognitionVerdict | Whether the app is recognized as original, unmodified, validly installed | e.g. "PLAY_RECOGNIZED" | app repackaging & tampering & spoofing, side-loading (unintended?) | - | not used | | | appIntegrity. packageName | The actual package Google sees executing the request (also from a KeyAttestation) | e.g. "org.sprind.wallet" | app repackaging & tampering & spoofing | - | not used | | | appIntegrity. certificateSha256Digest | SHA-256 digest of the app's signing certificate (also from a KeyAttestation) | SHA-256 digests in Base64 encoding | app repackaging & tampering & spoofing | - | not used | | | appIntegrity. versionCode | identifies the apps "versionCode" from the build properties (also from a KeyAttestation) | e.g. "1" | app downgrade attacks, side-loaded older vulnerable app versions | - | could be used, can only increase, not decrease | | | deviceIntegrity. deviceRecognitionVerdict | Describes device trust level | e.g. "MEETS_STRONG_INTEGRITY" | rooting via unlocked bootloader, unknown system image (e.g. custom ROM), loss of root of trust (e.g. manipulated boot sequence) + Google proprietary backend MDVM verdict to identify compromised devices (we do not know what they are actually doing in their backend) | yes | not used | | | deviceIntegrity. deviceAttributes. sdkVersion | The devices's Android SDK API level (OS Version) | e.g. "33" for Android 13, | app cloning, downgrade attacks | - | could be used, can only increase, not decrease | | | deviceIntegrity. recentDeviceActivity. deviceActivityLevel | integrity token requests on this device in the last hour per app | e.g. "LEVEL_1" to "LEVEL_4" | Bot traffic, emulator farms, proxy device to spoof verdicts | yes | not used | | | accountDetails. appLicensingVerdict | Indicates if the app has been installed from PlayStore | e.g. "LICENSED", "UNLICENSED", "UNEVALUATED" | sideloaded APKs without entitlement (unintended?) | yes | not used | | | environmentDetails. appAccessRiskVerdict. appsDetected | List of other apps detected that may capture, overlay, control, or otherwise interfere with your app (screen recorders, overlay malware, automation tools, etc.) | e.g. "KNOWN_CAPTURING", "UNKNOWN_CONTROLLING" | Credential theft tools, input automation/bots, overlay attacks (e.g. tapjacking) | yes | maybe | | | environmentDetails. playProtectVerdict | Indicates Play Protect’s assessment of device/app risk | e.g. "NO_ISSUES" or "MEDIUM_RISK" | Using devices with known malware, disabled Play Protect (which is a possible user choice) | yes | maybe |

Notes:

  • Since our minimum Android version will be Android 13, we will be checking for "MEETS_STRONG_INTEGRITY", and the table above is based on the capabilities of the hardware-backed Play Integrity verdict.
  • MEETS_STRONG_INTEGRITY also includes the requirement that the device has received a security patch within the last 12 months.
  • The PlayIntegrity verdict signature must be validated and the verdict needs to be decrypted (using keys provided via theGoogle Play Console) in order to rely on the signals as described.

Android RASP¶

Since we have not yet decided on a RASP solution, the documented detection features should be considered a preliminary set of requirements for potential RASP solutions.

| Detection Feature | Details | Mitigated Threats | |---|---|---| | App Hooking/debugging | Monitors for dynamic debugger attachment, library injection, instrumentation frameworks (Frida, Xposed, LSPosed, DobbyHook), and other forms of dynamic manipulation of runtime logic. | Reverse engineering, dynamic runtime manipulation | | App Repackaging | Detects modifications to the app bundle, re-signing with unauthorized certificates, or injected frameworks before installation. | app repackaging & tampering & spoofing | | App tampering | Identifies binary patches, altered code segments, unexpected file changes, and modifications to critical logic. | Disabled protections, patched logic | | UD rooting | Detects rooting indicators such as sandbox violations, privileged file access, injected toolchains, and elevated OS capabilities. | Privilege escalation, unrestricted hooking, bypass of integrity controls and sandbox isolation | | UD emulation | Detects execution in virtualized, automated, or non-real hardware environments through system behavior checks and hardware consistency verification. | Automation fraud, bot attacks, spoofed devices |

Notes:

  • RASP provides a way to continuously and dynamically monitor the app and the user’s device for integrity and authenticity while the app is running.
  • Root detection by RASP is particularly important in the Android environment, as there are publicly known and well-documented methods that use leaked key-attestation keys to emulate a device with a locked bootloader, even when it is running a modified system image (e.g., a rooted system image). This root-detection mechanism works in combination with an independently maintained blocklist, separate from Google’s revocation list, for publicly leaked key-attestation keys that have not been revoked by Google. It is intended in particular to serve as a barrier against the use of non-publicly leaked key-attestation keys.

iOS DCDeviceCheck.AppAttest Attestation¶

| Signal | Provider | Details | Example Value | Mitigated Threats | Plausibility Check | |---|---|---|---|---|---| | attestationObject (x5c) | Secure Enclave + Apple attestation servers | CBOR object that proves the App Attest key was generated in a SecureEnclave | Binary CBOR structure | Replay attacks, tampering with certificate, it's unclear from documentation what additional threats could be mitigated, might also identify app repackaging & tampering & spoofing, device emulation, tampered runtime, jailbroken(rooted) OS | not used | | credentialId | Secure Enclave | 32-byte opaque identifier for the App Attest key generated in the Secure Enclave | Base64 string | Key cloning or device proxy used to spoof attestations | used, checked against assertion | | clientDataHash | Wallet Backend | SHA-256 hash of your server-provided challenge | 32-byte digest | Replay attacks, response reuse, device proxy used to spoof attestations | not used | | RP ID | OS + Secure Enclave | your app’s App ID prefix, a period and your CFBundleIdentifier | e.g. SHA‑256( TeamID + "." + BundleID ) | app repackaging & tampering & spoofing | not used | | environment (aaguid) | OS + Secure Enclave | Indicates whether the key is from "development" or "production" environment | e.g. "production" | leaked debug builds | not used | | counter | Secure Enclave | counts how many times the key has been used to sign, MUST be 0 for attestations | "0" | It is unclear what the implications are if the counter is not equal to 0 | initially stored to populate DB |

Notes:

  • The attestation also includes a receipt that can be used to query a risk metric from Apple’s servers. Apple’s documentation describes this metric as follows: *“The receipt represents the metric as a string that indicates the number of attested keys associated with a given device over the past 30 days. Look for this value to be a low number.”*This metric could help identify devices that are being used to generate attestations or assertions on behalf of other devices (proxy attestation threat). However, it has significant limitations: neither the metric nor the expected thresholds are clearly defined, and its use requires our backend to communicate with Apple’s servers, which introduces additional privacy risks due to the potential for tracking on Apple’s side. For additional information, see WardenSupreme’s description of the feature. - iOS does not provide any hardware-backed information about the device model or the OS version/patch level. These values must be queried from the OS after ensuring that the device and operating system have not been tampered with.

iOS DCDeviceCheck.AppAttest Assertions¶

| Signal | Provider | Details | Example Value | Mitigated Threats | Additional Usage | Plausibility Check | |---|---|---|---|---|---|---| | assertionObject | Secure Enclave | CBOR object containing signature over challenge + state with the App Attest key | Binary CBOR structure | Replay attacks, tampering with certificate, it's unclear from documentation what additional threats could be mitigated, might also identify app repackaging & tampering & spoofing, Device emulation, tampered runtime, jailbroken(rooted) OS |

  • | Must validate signature with attestation public key | | keyId (matches credentialId) | Secure Enclave | Identifier of the App Attest key used to sign the assertion | Base64 string | App cloning, device proxy used to spoof attestations | - | Must match known attested keyId (credentialId from attestation) | | clientDataHash | Wallet Backend | SHA-256 hash of server-generated challenge and optional payload | 32-byte digest | Replay attacks, response reuse | - | not used | | RP ID | OS + Secure Enclave | your app’s App ID prefix, a period and your CFBundleIdentifier | e.g. SHA‑256( TeamID + "." + BundleID ) | app repackaging & tampering & spoofing | - | not used | | counter | Secure Enclave | counts how many times the key has been used to sign | "42" | Replay attacks, response reuse, device proxy used to spoof attestations | - | The counter is required to increase monotonically. Big jumps could indicate app/device is used to proxy attestations for other app/devices, lower value then recorded point to a replay attack |

iOS RASP¶

Since we have not yet decided on a RASP solution, the documented detection features should be considered a preliminary set of requirements for potential RASP solutions.

| Detection Feature | Details | Mitigated Threats | |---|---|---| | App Hooking/debugging | Monitors for dynamic debugger attachment, library injection, instrumentation frameworks (Frida, Substrate), and other forms of dynamic manipulation of runtime logic. | Reverse engineering, dynamic runtime manipulation | | App Repackaging | Detects modifications to the app bundle, re-signing with unauthorized certificates, or injected frameworks before installation. | app repackaging & tampering & spoofing | | App tampering | Identifies binary patches, altered code segments, unexpected file changes, and modifications to critical logic. | Disabled protections, patched logic | | UD rooting | Detects jailbreak indicators such as sandbox violations, privileged file access, injected toolchains, and elevated OS capabilities. | Privilege escalation, unrestricted hooking, keychain access, bypass of integrity controls. | | UD emulation | Detects execution in virtualized, automated, or non-real hardware environments through system behavior checks and hardware consistency verification. | Automation fraud, bot attacks, spoofed devices |

Notes:

  • Apple’s platform security provides strong install-time protections: App Sandbox & Code Signing, App Store Review (prevent obviously malicious or re-signed apps from entering the store), System Integrity Protection (prevents unsigned code execution on non-jailbroken devices). Based on the documented functionality of these features they do not provide information about or protection against: Rooting (Jailbreak) or elevated privileges, runtime hooking or instrumentation.

  • “Your app uses the App Attest service to assert its authenticity. A compromised version of your app running on a genuine, unmodified Apple devicecan’t create valid assertions." Apple documentation

  • “Your app uses the App Attest service to assert its authenticity. A compromised version of your app running on a

  • RASP provides a way to continuously and dynamically monitor the app and the user’s device for integrity and authenticity while the app is running.

© 2026 Now Let Us. All rights reserved.

Source: Hacker News

Advertisement
Ad slot ready: 5887729102

More in this category

NOW LET US Related – Leaving Mozilla

dev-tools

Leaving Mozilla

A poignant and candid reflection from a 15-year Mozilla veteran upon their departure. The author highlights the leadership's missteps in trying to emulate tech giants and urges Mozilla to return to its core values: community and uniqueness.

NOW LET US Related – Shepherd's Dog: A Game by the Most Dangerous AI Model

dev-tools

Shepherd's Dog: A Game by the Most Dangerous AI Model

A developer tested Anthropic's latest, supposedly 'too dangerous' AI model by asking it to build a long-held game idea in a single shot. The model succeeded, generating a complete 2,319-line game after a 45-minute reasoning session.

NOW LET US Related – Open source AI must win

dev-tools

Open source AI must win

If artificial intelligence becomes a utility rented only from a few closed institutions, humanity loses its operational freedom. Open-source AI is a vital infrastructure for the future of our digital society.

NOW LET US Related – Statement on US government directive to suspend access to Fable 5 and Mythos 5

dev-tools

Statement on US government directive to suspend access to Fable 5 and Mythos 5

The US government has issued an export control directive forcing Anthropic to suspend all access to its Fable 5 and Mythos 5 models due to national security concerns, a move the AI safety startup strongly disputes.

NOW LET US Related – Electric motors with no rare earths

dev-tools

Electric motors with no rare earths

Renault Group is pioneering the development of electrically excited synchronous motors (EESM) that eliminate the need for rare earth magnets, reducing dependency on global monopolies while driving efficiency and sustainability.

NOW LET US Related – Swift at Apple: Migrating the TrueType hinting interpreter

dev-tools

Swift at Apple: Migrating the TrueType hinting interpreter

Apple has rewritten its TrueType hinting interpreter from C to memory-safe Swift for its Fall 2025 OS releases, improving security and boosting performance by an average of 13%.

EXPLORE TOPICS

Discover All Categories

Deep dive into the specific technology sectors that matter most to you.

AI Frontier

AI Frontier

Foundation models, multimodal systems, and enterprise use cases.

Agentic Systems

Agentic Systems

Task-oriented automation workflows for real operations.

SaaS Growth

SaaS Growth

CAC, LTV, retention, and growth optimization.

Dev Tools

Dev Tools

Codegen tools, next-gen IDEs, and modern dev workflows.

Cybersecurity

Cybersecurity

AI security, Zero Trust, and proactive defense.

Cloud & Infra

Cloud & Infra

Cloud Native, Edge Computing, and GPU Clusters.

Robotics

Robotics

Humanoid robots, autonomous vehicles, and smart hardware.

Startups & VC

Startups & VC

Funding trends, M&A, and the startup ecosystem.