Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated link.

...

Introduction to Nexus Smart ID Mobile App

Excerpt

The mobile device is key to adopting accessibility and mobility in the world of evolving digital services. It offers an appealing option to provide convenient and secure access to applications and services for users in the workforce domain as well as citizens in the government domain. The solution provides an intuitive and friction-less experience to the end user, while keeping security measures on the highest level to keep private information protected from cyber attacks and hackers both today and tomorrow. 

Nexus' Smart ID Mobile App provides a vast set of use cases such as client authentication, digital signing and email encryption on the mobile device. All use cases have one thing in common; they are all based on strong uncompromising PKI security.

The Smart ID Mobile App is supported on both iOS and Android and available in Apple App Store and Google Play. Nexus also offers the possibility to license the Smart ID Mobile SDK, which the App is built on, so that it can be embedded into third-party mobile apps for customers who want to further customize the Mobile App. 

Smart ID Mobile App - a part of Nexus Smart ID

Since the Smart ID Mobile App is an integral part of Nexus Smart ID, it can out-of-the-box leverage the features and processes developed and excelled for many years granting a smooth and secure experience for both users and administrators. 

Insert excerptNexus Smart ID Workforce provides easy-to-use modules Smart ID Workforce modulesnopaneltrueto issue, manage and use trusted employee identities in the form of digital smart cards for mobile devices and physical cards. 

Here are some features that could be combined with the Smart ID Mobile App: 

Integration with web applications, authentication and digital signing services can be achieved using industry standard protocols, published APIs, and SDKs.

...

The Smart ID Mobile App includes the following standard components:

...

Nexus Smart ID Mobile App implements a layered security model using various technologies and security measures where the combination of these provide a resilient design, with no single point of exposure and failure. The target is to protect the user credential and private key from exposure at all times and keep the app safe from cyber attacks and hackers.

Security blocks

The layered security model of the Smart ID Mobile App is constituted by a set of security blocks, explained listed below.

Private key security and storage

Features:

  • Cryptographic Keys

    • Private keys are non-exportable

    • All cryptographic keys are stored AES-encrypted using key derived from the user PIN (see section "Distributed security model").

  • Secure Storage

    • Encrypted cryptographic keys are stored in the Mobile App with access to the keys protected by an encryption scheme backed up by Android Keystore and iOS Keychain APIs

  • Biometrics

    • PIN optionally protected by biometrics as provided by device OS and model:

      • Fingerprint on Android and TouchID on iOS

      • Face Detection on Android and FaceID on iOS

Mobile App and SDK hardening

...

  • Industry-leading third-party security product for hardening

    • Used in Smart ID Mobile App both for App and SDK protection.

    • Regularly upgraded so that Smart ID Mobile App and SDK are always running the latest version.

  • Security capabilities

    • Jailbreak and root detection to make sure Smart ID Mobile App or third-party Apps running our SDK, can only run in a safe environment

    • Code obfuscation which prevents key extraction, tampering, cloning and reverse engineering of the App and SDK

    • Debug mode prevention

    • Checksums (guards) which checks the integrity of the code

    • Encryption of literal strings

Mobile App security 

...

  • OS sandbox model

    • Utilizes built-in OS security and OS sandbox model

    • App runs in an app sandbox, which in turn runs in an OS sandbox separated from the rest of the system, so that only Smart ID Mobile App can access data store in keychain/keystore

  • Agile development and deployment model

    • Constantly evolving automation tests catering for quick regression testing on many device types in parallel

    • Short turn-around time from implementation to deployment

    • Automatic update via stores

    • Quick remedies for potential future vulnerabilities

  • Security reviews

    • Periodical security review by external contractor

    • Open and transparent process for security audits and reviews together with customers.

  • Screenshot protection

    • Prevents user from taking screenshot of Visual ID

    • Prevents user from mirroring the mobile app to a computer or other device

Online authentication

...

  • Smart ID Messaging

    • Messaging server (Hermod) which provides a secure communication channel between the Mobile App/SDK and server-side components for Identity Management, Digital Access, Digital Signing and so on

    • Messaging server actively takes part in an Online PIN process (see section "Distributed security model") invoked in online scenarios where the private key needs to be used in a cryptographic process (Not applicable for offline OTP scenarios)

    • HTTPS communication based on TLS with server side authentication

  • Verification

    • Session verification by verification images being displayed both on server side and in the Smart ID Mobile App

  • Certificate pinning

    • Provides means to control that the Smart ID Mobile SDK can only communicate with a dedicated Messaging server

PIN policy

...

  • PIN size 

    • Minimum six (6) digits

  • PIN blocking policy

    • Three failed PIN entries result in blocking the PIN for 5 minutes

    • 4th-8th failed PIN entries lead to blocking the PIN for 10, 20, 40, 80, 160 minutes

    • 9th failed PIN entry leads to blocking the PIN for 320 min + warning/alert

    • 10th failed PIN entry the profile will be deleted

  • PIN pattern policy

    • Restricts users from setting too simple PIN

Security standards

...

Secure provisioning

Features:

  • Secure provisioning of certificates and keys

    • Invoked from helpdesk/admin

      • Device authentication via one-time activation code (OTP) included in URL (QR code or web link)

    • Self-service portal using other 2FA method or username & password temporarily

      • Display QR code containing one-time activation code in self-service portal

  • Enrollment processes for certificate, keys and one-time passwords (OTP)

    • Creation of one-time password (OTP) profiles, both time-based (TOTP) and event-based (HOTP), see: https://tools.ietf.org/html/rfc6238  and https://tools.ietf.org/html/rfc4226

    • Enrollment of raw keys, which means keys not bundled or associated with any certificate

    • Enrollment of X.509 certificates according to a PKCS#10 schema where the private key is generated by Smart ID Mobile App on the mobile device

    • Enrollment of X.509 certificates according to a PKCS#12 schema with the private keys already generated and bundled with the certificates.

    • Refer to Hermod API examples for further details on enrollment processes

  • One-time activation codes (relevant for raw keys and certificate based virtual smart cards)

    • Can only be used once, as implied by name, and instantly destructed upon consumption

    • Based on double random UUID's

    • Configurable expiration time where the request order corresponding to the one-time activation code is destructed upon code expiration

...

The mobile device and server work together using an advanced cryptographical protocol known as SPHINX, which is similar to Diffie-Hellman key establishment. See httphttps://webeeeprint.technioniacr.ac.ilorg/~hugo2018/sphinx695.pdf.