Digital ID Protection
A guide for creating secure Digital Identity solutions that build lasting trust.
Why Digital ID needs robust mobile channel protection
Within the next decade, billions of people will be using Digital ID applications to prove who they are, travel across borders, access healthcare, pay taxes, and sign official documents. But as government task forces rush to build these systems, an important question remains unanswered:
How can citizens truly trust them?
Right now the mobile channel is often overlooked when threats are predicted. But Digital IDs living on smartphones are essentially floating in the ether, in a completely untrusted environment that can facilitate the app being cloned, manipulated, or compromised. Attackers don’t even need to hack the system to undermine it; they simply need to persuade it to trust the wrong person.
That’s why global standards like the EU Digital Identity Wallet (EUDIW) and ISO-based frameworks are evolving - to create a consistent foundation for secure authentication, trusted digital signatures, and citizen confidence.
The shift to standardized digital credentials
Key international initiatives have identified the threats posed by attackers and demand interoperable, user-centric, and secure digital identity systems. They should act as a guide for creating solutions that are safe for citizens, incorporating security at every layer.
EU Digital Identity Wallet (EUDIW)
The European Union Digital Identity Wallet (EUDIW), mandated by the eIDAS 2.0 regulation, is a landmark initiative tasked with providing all EU citizens with a secure and standardized digital wallet. Designed for seamless cross-border use (with both public and private services), its emphasis is on user control, data minimization, and a certified, high-assurance security framework.
Digital Travel Credentials (DTC)
Digital Travel Credentials (DTC) follow the ICAO DOC 9303 standard for Machine Readable Travel Documents, and allow for a more secure and efficient travel experience by storing a verified digital version of a passport in a mobile wallet.
Mobile Driver's Licenses (mDL)
Mobile Driver's Licenses (mDL) are based on the ISO/IEC 18013-5 standard, and provide a convenient way to verify a user’s age and driving privileges directly from a smartphone. Privacy-focused, they give users a granular level of control over the data they share in any given interaction.
Digital Health Records
Digital Health Records, such as health cards and patient data, are guided by standards like ISO 21549. They offer benefits for patient care and system efficiency, but this is clearly a sector that requires the highest level of data protection to maintain patient confidentiality (and trust).
Across all of these initiatives, strong authentication and trusted digital signatures are at the heart of user assurance. Each one relies on cryptographic integrity and secure key management to prove not just who someone is, but that every interaction, transaction, and signature originates from them.
This is why mobile application runtime security is so important, as it ensures digital credentials cannot be copied, manipulated, or misused.
According to McKinsey, the global shift to interoperable digital identities could unlock huge economic value. But this prediction will only become reality if users trust that their credentials and signatures are genuinely secure.
What exactly do we mean by Digital ID?
When we talk about Digital ID on this page, we're referring to digital representations of government-issued documents that can be stored, verified, and used on mobile devices. These include:
Digital ID Wallets – Applications where several different types of credential documents can be securely stored and managed.
Digital Travel Credentials (DTC) – Digital versions of traditional passports based on the ICAO DOC 9303 standard.
Mobile Driving Licenses (mDL) – Defined under ISO/IEC 18013-5, they enable users to easily verify their age and driving permissions.
eIDs and Residence Permits – Digital equivalents of national ID or residence cards for official identification or verification.
Digital Health Records – Sensitive medical or insurance information that is bound to identity standards such as ISO 21549.
When a Digital ID application is downloaded, it is typically empty. During enrollment, users prove their identity via biometrics, live video, or NFC passport scans. Once verified, data is loaded into their wallet, transforming the app into the gateway to all digital services. It’s easy to see why this makes Digital ID a high-value target, and why resilient mobile channel protection should be a cornerstone of Digital Identity security.
Multi-layered Digital ID protection: the Licel approach
To meet standards in practice - and to protect the citizen experiences that they enable - Digital ID applications need multi-layered protection embedded within the mobile channel.
DexProtector
The foundational layer of protection, DexProtector transforms Digital ID applications into hardened, self-defending apps capable of resisting tampering attempts. Multi-layered protection (integrity control and anti-tampering, anti-debugging, obfuscation and encryption, and Runtime Application Self-Protection) enables the app to respond to and repel threats in real time. EMVCo-evaluated and approved for Software-Based Mobile Payment (SBMP) security, DexProtector delivers proven, certifiable trust.
The Licel vTEE
A virtual trusted execution environment, the Licel vTEE acts as a smartcard-grade secure enclave (or vault) within the app. Based on Java Card and GlobalPlatform standards, it offers cryptographic key management, secure data storage, and isolated execution for critical operations. EMVCo-evaluated and approved under SBMP TEE, it also supports protocols like PACE, EAC, and digital signing in compliance with ICAO 9303 and ISO/IEC 18013-5.
Alice Threat Intelligence
Alice provides vital intelligence and visibility into the threat landscape. Its trusted sensors, protected from tampering by DexProtector, feed verified intelligence about device integrity, malware detection, tampering attempts, and other indicators of compromised environments. Available via a web dashboard, enterprise API, or a continuous data feed, Alice empowers your Security Operations Center (SOC) with forensic-level data to make informed, policy-driven decisions while maintaining full data sovereignty.
Our guiding principles for secure Digital Identity
Trust cannot be assumed:
The mobile channel is full of sophisticated threats floating in the ether. The assumption should be that Digital ID initiatives are operating in a zero-trust environment, which is why protection must be embedded within the app itself. Backend security alone is not enough.
Visibility is power:
You cannot protect against something that you cannot see. Threat intelligence and device attestation are not a luxury for Digital ID initiatives; they should be seen as fundamental requirements for protecting sensitive personal data today and understanding how to protect it tomorrow.
Compliance through certified security:
The most successful Digital ID schemes are those that are built on a foundation of meeting and exceeding rigorous international security standards. They should be seen as the starting point for building trust with citizen end users, rather than the finish line.
The real-world threat landscape for Digital ID
Although Digital ID systems are centralized by design, their most vulnerable component is arguably the endpoint - the mobile application citizen end users interact with each day. If that endpoint is compromised then the whole ecosystem is at risk.
Compromised integrity
Without robust protection, Digital ID applications can be susceptible to static and (more commonly) dynamic analysis, which enables attackers to reverse-engineer proprietary code, identify vulnerabilities, and extract cryptographic keys. If successful, attackers could create bogus versions of the official app, leading to large-scale fraud.
Manipulated runtime environments
The mobile device is a hostile environment. Bad actors can use instrumentation and rooting tools like Frida and Magisk to interfere with the app while it runs, hijacking sessions, overlaying fake screens, and harvesting credentials. These attacks bypass traditional security controls and can go unseen without runtime protection.
Weaponized contactless protocols (NFC Proxy Malware)
Attackers can intercept NFC communications and relay them in real time to another device anywhere in the world (known as NFC Proxy Malware). This is a particularly distressing threat because what was meant to be a proximity-based trust model is transformed into a global – and easily scalable – attack vector.
eKYC Fraud
The integrity of Digital ID systems can be compromised at the point of enrollment (where data integrity is at its most fragile). Sophisticated forms of eKYC Fraud that leverage deepfake technology, virtual camera feeds, and spoofed biometrics help enroll bogus identities into the system that aren’t easily distinguishable from real citizens.
Anti-detect and modified devices
Android AntiDetect builds are being openly marketed to enable fraudsters to create emulated devices that can appear legitimate to server-side checks, when they’re anything but. They highlight the importance of device attestation and trusted sensors to build the bedrock of threat intelligence insights.
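The paragraph above makes the case for device attestation and trusted sensors but does not show what the backend actually has to check before it can rely on a sensor's verdict. The following is an added example, written for this page and not Licel's, Alice's, or any platform attestation API's code: the statement format, field names and policy are constructed for illustration. It shows the four checks that keep an anti-detect device from simply replaying or editing a healthy-looking report: the statement is signed by the sensor key, it echoes a server-issued single-use nonce, its timestamp is fresh, and it names the expected app identity. Only then does the verdict itself (root, emulator, hooks) get a say.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Attestation is a constructed statement format for this example; real
// sensor feeds each define their own. The sensor fills it in on the device.
type Attestation struct {
	Nonce       string // server-issued challenge this statement answers
	PackageName string // app identity observed by the sensor
	CertHash    string // hex SHA-256 of the app's signing certificate
	IssuedAt    int64  // unix seconds from the sensor's clock
	Rooted      bool   // root / Magisk-style modification detected
	Emulator    bool   // emulated or anti-detect device profile detected
	Hooked      bool   // runtime instrumentation detected
}

// canonical gives a deterministic byte string to sign; field order is fixed
// so that no field can be altered without invalidating the signature.
func (a Attestation) canonical() []byte {
	return []byte(strings.Join([]string{
		a.Nonce, a.PackageName, a.CertHash, strconv.FormatInt(a.IssuedAt, 10),
		strconv.FormatBool(a.Rooted), strconv.FormatBool(a.Emulator), strconv.FormatBool(a.Hooked),
	}, "\n"))
}

// Sign is the sensor side: it runs inside the protected app with a key that
// the app's runtime protection is expected to keep out of reach.
func Sign(priv ed25519.PrivateKey, a Attestation) []byte {
	return ed25519.Sign(priv, a.canonical())
}

type Verdict string

const (
	Allow Verdict = "allow"
	Deny  Verdict = "deny"
)

var (
	ErrBadSignature = errors.New("attestation: signature invalid")
	ErrReplay       = errors.New("attestation: nonce unknown, expired or already used")
	ErrStale        = errors.New("attestation: timestamp outside allowed window")
	ErrWrongApp     = errors.New("attestation: app identity mismatch")
)

// Verifier is the backend policy point: it issues nonces, authenticates
// statements and decides whether a session may proceed.
type Verifier struct {
	SensorPub ed25519.PublicKey
	Package   string
	CertHash  string
	MaxSkew   time.Duration
	issued    map[string]time.Time // nonce -> issue time; deleted once used
}

func NewVerifier(pub ed25519.PublicKey, pkg, certHash string) *Verifier {
	return &Verifier{SensorPub: pub, Package: pkg, CertHash: certHash,
		MaxSkew: 2 * time.Minute, issued: map[string]time.Time{}}
}

// IssueNonce returns a fresh challenge that a statement must echo back.
func (v *Verifier) IssueNonce(now time.Time) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := fmt.Sprintf("%x", b)
	v.issued[n] = now
	return n, nil
}

// Verify authenticates and freshness-checks the statement before applying
// policy to its integrity flags.
func (v *Verifier) Verify(a Attestation, sig []byte, now time.Time) (Verdict, error) {
	if !ed25519.Verify(v.SensorPub, a.canonical(), sig) {
		return Deny, ErrBadSignature
	}
	issuedAt, ok := v.issued[a.Nonce]
	if !ok || now.Sub(issuedAt) > v.MaxSkew {
		return Deny, ErrReplay
	}
	delete(v.issued, a.Nonce) // single use: a captured statement cannot be replayed
	if d := now.Sub(time.Unix(a.IssuedAt, 0)); d > v.MaxSkew || d < -v.MaxSkew {
		return Deny, ErrStale
	}
	if a.PackageName != v.Package || a.CertHash != v.CertHash {
		return Deny, ErrWrongApp
	}
	if a.Rooted || a.Emulator || a.Hooked {
		return Deny, nil // authentic statement, but the environment fails policy
	}
	return Allow, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(pub, "example.wallet", "constructed-cert-hash")
	now := time.Now()
	n, _ := v.IssueNonce(now)
	a := Attestation{Nonce: n, PackageName: "example.wallet", CertHash: "constructed-cert-hash", IssuedAt: now.Unix(), Emulator: true}
	verdict, err := v.Verify(a, Sign(priv, a), now)
	fmt.Println("verdict:", verdict, "err:", err)
}
```

The order of checks matters: signature first, so that an attacker who edits a flag in transit gets ErrBadSignature rather than a policy verdict; nonce consumption before the policy decision, so that even a genuine "clean" statement cannot be reused for a second session. Clock skew is bounded symmetrically because anti-detect builds routinely fake the device clock.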
The following Digital ID attack scenarios illustrate what is at stake.
The “Mass Credential Clone” Attack
An attacker reverse engineers the official Digital ID application and distributes a bogus version on third-party app stores. Thousands of citizens download what they believe to be the genuine update, enabling the attacker to impersonate end users on a vast scale.
The result: identity theft on a massive scale and a terminal hit on public trust.
The “Urgent Tax Refund” Scam
A citizen receives an official-looking SMS about a tax refund. Without thinking - and completely used to document signing in a second with their Digital ID app - they click on the link and sign it. But the text was replaced in an overlay attack and they have authorized a power of attorney.
The result: a long and painful process for the citizen to prove they were scammed.
The “Silent Auditor” Malware
A sophisticated malware strain sleeps on a citizen’s smartphone before waking when they open their Digital ID app. Over several weeks, it records keystrokes and screen activity. There’s no need for the attacker to break into the app – they simply log in as the user from another device.
The result: the backend sees nothing suspicious – as far as it’s aware the fraudster is legitimate.
Understanding these attack vectors helps explain why embedded app-level protection - not only backend security - is essential to earning the trust of citizen end users.
Critical risk points
There are three key processes or phases associated with Digital ID solutions that can be targeted by attackers: Enrollment, Storage and Local Use, and Active Operations.
When citizen end users enroll in a Digital ID scheme, there are lots of threats that those who are working in the digital banking sector would recognize. Chief among them is eKYC fraud, which, facilitated by AI, deepfake technology, and virtual camera applications, has become a go-to for attackers. Protection against data tampering and malware is also vital at this stage.
It’s crucial that citizen data is stored in a safe and secure way so that it’s incredibly difficult for attackers to tamper with it. Clearly the level of protection here depends on the sensitivity of the data, but at the very least robust integrity controls and anti-tampering are required. And it might also be necessary to store the data in a secure vault like a virtual trusted execution environment (vTEE).
It’s quite likely that Digital IDs are used for active transactions and operations, such as signing sensitive documents. In this case, it’s very important that the private keys of the application are protected, because if attackers are able to extract them, then they can pretty much do what they like with the app. Again, this is why a vTEE is a useful security tool for Digital ID task forces to consider.
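The two paragraphs above describe what the storage and active-operation phases need from a secure vault: stored credentials must fail loudly if tampered with, and the signing key must never be exposed to the rest of the app. The example below is added here to make that contract concrete; it is not Licel's vTEE, Java Card, or any standard's API, and the Vault type, its method names and the sample credential record are constructed for illustration. Keys are generated inside the Vault and only sealed blobs, signatures and the public key cross its boundary; sealed storage uses AES-GCM with the credential identifier as associated data, so a blob can be neither modified nor relabelled as a different credential, and document signing uses Ed25519 over a SHA-256 digest.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Vault models the isolated environment a Digital ID app delegates to.
// Constructed for this example: keys are created inside and never returned.
type Vault struct {
	storageKey []byte             // AES-256 key for sealed credential storage
	signPriv   ed25519.PrivateKey // document-signing key, used only in SignDocument
	signPub    ed25519.PublicKey
}

func NewVault() (*Vault, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &Vault{storageKey: k, signPriv: priv, signPub: pub}, nil
}

// PublicKey is the only key material that leaves the vault.
func (v *Vault) PublicKey() ed25519.PublicKey { return v.signPub }

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.storageKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

var ErrTampered = errors.New("vault: sealed record failed integrity check")

// Seal encrypts a credential record; credID is bound as associated data.
// Output layout is nonce || ciphertext || GCM tag.
func (v *Vault) Seal(credID string, record []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, record, []byte(credID))...), nil
}

// Open decrypts a sealed record, failing on any modification of the blob or
// on an attempt to present it under a different credential identifier.
func (v *Vault) Open(credID string, sealed []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := sealed[:g.NonceSize()], sealed[g.NonceSize():]
	pt, err := g.Open(nil, nonce, ct, []byte(credID))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// SignDocument signs the SHA-256 digest of the document presented for
// signature; this is the only code path that touches the private key.
func (v *Vault) SignDocument(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(v.signPriv, digest[:])
}

// VerifyDocument is what a relying party runs with only the public key.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample credential payload, not real mDL data.
	sealed, _ := v.Seal("mdl:constructed-001", []byte(`{"given_name":"Alice","driving_privileges":["B"]}`))
	sealed[len(sealed)-1] ^= 0x01 // simulate on-device tampering with the stored blob
	_, err = v.Open("mdl:constructed-001", sealed)
	fmt.Println("tampered record rejected:", errors.Is(err, ErrTampered))
	doc := []byte("constructed document text")
	fmt.Println("signature valid:", VerifyDocument(v.PublicKey(), doc, v.SignDocument(doc)))
}
```

In a production wallet the Vault boundary is a real isolation boundary (a vTEE, secure element or hardware keystore) rather than a Go struct, but the interface shape is the lesson: the app asks for a signature, never for the key, and anything read back from storage is authenticated before it is trusted.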
Build secure Digital Identity solutions that citizens can trust.
Find out how Licel can help protect your Digital ID initiative.