Introduction to Nexus Smart ID Mobile App
The mobile device is key to adopting accessibility and mobility in the world of evolving digital services. It offers an appealing option to provide convenient and secure access to applications and services for users in the workforce domain as well as citizens in the government domain. The solution provides an intuitive and frictionless experience to the end user, while keeping security measures at the highest level to keep private information protected from cyber attacks and hackers both today and tomorrow. Nexus' Smart ID Mobile App provides a vast set of use cases such as client authentication, digital signing and email encryption on the mobile device. All use cases have one thing in common: they are all based on strong, uncompromising PKI security. The Smart ID Mobile App is supported on both iOS and Android and is available in the Apple App Store and Google Play. Nexus also offers the possibility to license the Smart ID Mobile SDK, which the App is built on, so that it can be embedded into third-party mobile apps for customers who want to further customize the Mobile App.
Smart ID Mobile App - a part of Nexus Smart ID
Integration with web applications, authentication and digital signing services can be achieved using industry standard protocols, published APIs, and SDKs.
The Smart ID Mobile App includes the following standard components:
Nexus Smart ID Mobile App implements a layered security model using various technologies and security measures whose combination provides a resilient design, with no single point of exposure or failure. The target is to protect the user credential and private key from exposure at all times and to keep the app safe from cyber attacks and hackers.
Security blocks
The layered security model of the Smart ID Mobile App consists of a set of security blocks, explained below.
Private key security and storage
Features:
Cryptographic Keys
Private keys are non-exportable
All cryptographic keys are stored AES-encrypted using a key derived from the user PIN (see section "Distributed security model").
Secure Storage
Encrypted cryptographic keys are stored in the Mobile App, with access to the keys protected by an encryption scheme backed by the Android Keystore and iOS Keychain APIs
Biometrics
PIN optionally protected by biometrics as provided by device OS and model:
Fingerprint on Android and TouchID on iOS
Face Detection on Android and FaceID on iOS
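The PIN-derived key protection described under "Cryptographic Keys" and "Secure Storage", as an added example in Go that is not part of the Smart ID SDK or of this page: a private key blob is wrapped with AES-256-GCM under a key derived from the PIN with PBKDF2-HMAC-SHA256. The KDF, iteration count, salt and nonce sizes and the blob layout are assumptions, since the page does not specify them; the point shown is that a wrong PIN or a tampered blob fails authentication instead of yielding a usable key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const saltLen, nonceLen, tagLen, iters = 16, 12, 16, 100000 // assumed parameters

// pinAEAD: minimal RFC 8018 PBKDF2-HMAC-SHA256 (one 32-byte block) feeding AES-256-GCM.
func pinAEAD(pin string, salt []byte) cipher.AEAD {
	m := hmac.New(sha256.New, []byte(pin))
	m.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := m.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		m.Reset()
		m.Write(u)
		u = m.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	// A 32-byte key and 16-byte AES block mean neither constructor can fail.
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// WrapKey returns salt || nonce || ciphertext || tag (fresh random salt and nonce; salt bound as AAD).
func WrapKey(pin string, privKey []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	return append(hdr, pinAEAD(pin, salt).Seal(nil, nonce, privKey, salt)...), nil
}

// UnwrapKey fails on a wrong PIN or a tampered blob instead of returning garbage.
func UnwrapKey(pin string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("wrapped blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	return pinAEAD(pin, salt).Open(nil, nonce, ct, salt)
}
```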
Mobile App and SDK hardening
Features:
Industry-leading third-party security product for hardening
Used in Smart ID Mobile App both for App and SDK protection.
Regularly upgraded so that Smart ID Mobile App and SDK are always running the latest version.
Security capabilities
Jailbreak and root detection to make sure that Smart ID Mobile App, or third-party apps running our SDK, can only run in a safe environment
Code obfuscation which prevents key extraction, tampering, cloning and reverse engineering of the App and SDK
Debug mode prevention
Checksums (guards) which check the integrity of the code
Encryption of literal strings
Mobile App security
Features:
OS sandbox model
Utilizes built-in OS security and OS sandbox model
The App runs in an app sandbox, which in turn runs in an OS sandbox separated from the rest of the system, so that only Smart ID Mobile App can access data stored in the keychain/keystore
Agile development and deployment model
Constantly evolving automation tests catering for quick regression testing on many device types in parallel
Short turn-around time from implementation to deployment
Automatic update via stores
Quick remedies for potential future vulnerabilities
Security reviews
Periodical security review by external contractor
Open and transparent process for security audits and reviews together with customers.
Screenshot protection
Prevents user from taking screenshot of Visual ID
Prevents user from mirroring the mobile app to a computer or other device
Online authentication
Features:
Smart ID Messaging
Messaging server (Hermod) which provides a secure communication channel between the Mobile App/SDK and server-side components for Identity Management, Digital Access, Digital Signing and so on
Messaging server actively takes part in an Online PIN process (see section "Distributed security model") invoked in online scenarios where the private key needs to be used in a cryptographic process (Not applicable for offline OTP scenarios)
HTTPS communication based on TLS with server side authentication
Verification
Session verification by verification images being displayed both on server side and in the Smart ID Mobile App
Certificate pinning
Provides a means to ensure that the Smart ID Mobile SDK can only communicate with a dedicated Messaging server
PIN policy
Features:
PIN size
Minimum six (6) digits
PIN blocking policy
Three failed PIN entries result in blocking the PIN for 5 minutes
The 4th to 8th failed PIN entries lead to blocking the PIN for 10, 20, 40, 80 and 160 minutes respectively
The 9th failed PIN entry leads to blocking the PIN for 320 minutes plus a warning/alert
On the 10th failed PIN entry the profile is deleted
PIN pattern policy
Prevents users from setting a PIN that is too simple
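The PIN blocking policy above as a small state machine, added here as an illustration (constructed example, not Nexus code): Verify applies the schedule from the list, raises the alert on the ninth failure and deletes the profile on the tenth. The clock is injected by the caller so the schedule can be exercised without waiting, and the choice that entries made while blocked are refused without counting as further failures is an assumption, as is the constant-time comparison.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// Blocking schedule from the page, keyed by consecutive failed entries:
// 3 -> 5 min, 4..8 -> 10..160 min, 9 -> 320 min plus an alert, 10 -> profile deleted.
var lockout = map[int]time.Duration{3: 5, 4: 10, 5: 20, 6: 40, 7: 80, 8: 160, 9: 320}

var ErrWrongPIN = errors.New("wrong PIN")
var ErrBlocked = errors.New("PIN temporarily blocked")
var ErrDeleted = errors.New("profile deleted after 10 failed PIN entries")

// Profile is the per-user verification state kept by the app (constructed).
type Profile struct {
	PIN          string
	Failed       int // consecutive failed entries since the last success
	BlockedUntil time.Time
	Alerted      bool
	Deleted      bool
}

// Verify applies the blocking policy; now is injected so the policy can be
// exercised without the wall clock. Entries made while blocked are refused
// without counting as further failures (assumption).
func (p *Profile) Verify(attempt string, now time.Time) error {
	switch {
	case p.Deleted:
		return ErrDeleted
	case now.Before(p.BlockedUntil):
		return ErrBlocked
	case subtle.ConstantTimeCompare([]byte(attempt), []byte(p.PIN)) == 1:
		p.Failed = 0
		return nil
	}
	p.Failed++
	if p.Failed >= 10 {
		p.Deleted, p.PIN = true, "" // profile (and with it its keys) is destroyed
		return ErrDeleted
	}
	p.Alerted = p.Alerted || p.Failed == 9
	if d, ok := lockout[p.Failed]; ok {
		p.BlockedUntil = now.Add(d * time.Minute)
		return ErrBlocked
	}
	return ErrWrongPIN
}
```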
Security standards
Features:
PKI – Public Key Infrastructure, see https://en.wikipedia.org/wiki/PKCS
JavaScript Object Signing and Encryption (JOSE), see https://www.iana.org/assignments/jose/jose.xhtml
RSA2048 key size, or higher.
RSA PKCS#1 signature with SHA-256, see https://tools.ietf.org/html/rfc8017
AES encryption, see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
X.509 certificate support, see https://tools.ietf.org/html/rfc2459
PKCS#10 Certificate Signing Request, see https://tools.ietf.org/html/rfc2986
PKCS#12 archive file format bundling private keys with X.509 Certificates, see https://tools.ietf.org/html/rfc7292
Secure provisioning
Features:
Secure provisioning of certificates and keys
Invoked from helpdesk/admin
Device authentication via one-time activation code (OTP) included in URL (QR code or web link)
Self-service portal using other 2FA method or username & password temporarily
Display QR code containing one-time activation code in self-service portal
Enrollment processes for certificate, keys and one-time passwords (OTP)
Creation of one-time password (OTP) profiles, both time-based (TOTP) and event-based (HOTP), see: https://tools.ietf.org/html/rfc6238 and https://tools.ietf.org/html/rfc4226
Enrollment of raw keys, which means keys not bundled or associated with any certificate
Enrollment of X.509 certificates according to a PKCS#10 schema where the private key is generated by Smart ID Mobile App on the mobile device
Enrollment of X.509 certificates according to a PKCS#12 schema with the private keys already generated and bundled with the certificates.
Refer to Hermod API examples for further details on enrollment processes
One-time activation codes (relevant for raw keys and certificate based virtual smart cards)
Can only be used once, as the name implies, and are instantly destroyed upon consumption
Based on double random UUIDs
Configurable expiration time; the request order corresponding to the one-time activation code is destroyed when the code expires
Distributed security model
To further strengthen the protection of the PKI private key beyond the security features laid out in the previous sections, Smart ID Mobile SDK in conjunction with Smart ID Messaging implements a dual architecture to prevent extraction of the private key stored on the device.