Background

With the introduction of the Swiss e-ID system, the SWIYU Wallet has become a central component for managing and presenting digital identity credentials. These applications prioritise user privacy and security through mechanisms such as hardware-backed key storage (e.g., using Secure Enclaves) and certified app environments, so that a credential stays bound to the holder's own device. Despite these safeguards, the question arises whether it remains technically feasible for a user to indirectly transfer or sell their e-ID for unauthorised use, e.g., by extracting the private keys, running a modified or fake wallet app, or otherwise circumventing the technical restrictions imposed on the app.

The goal of this thesis is to investigate whether misuse of an e-ID via the SWIYU Wallet App is possible by automating identity verifications through device-level manipulation. In particular, the work should explore:

  • Whether device, app and key attestation methods prevent abusive usage of the e-ID Wallet app on Android.
  • The utility and efficacy of common exploitation techniques (e.g., app repackaging, OS rooting, or runtime instrumentation) for enabling abusive usage of the e-ID Wallet App on Android.

Impact

A successful exploit would allow a user to operate an e-ID verification service for anonymous customers, for example passing age verification or even proofs of citizenship on their behalf, without the customer revealing their true identity and without the relying party detecting the misuse. But it does not stop there. The SWIYU infrastructure is designed to support an ecosystem of verifiable credentials, open to other government offices and industry. In some Swiss cantons, the electronic learner driver permit (eLDP) is already available on the same infrastructure. Many more sector-specific credentials are currently being developed. Hence, security findings for the e-ID may apply to many more use cases in the future, including driver permits, health services, financial services or university degrees.

Expected Results and Deliverables

Key aspects to be addressed in this work include:

  • Technical analysis of the SWIYU Wallet app and its security model (as far as publicly accessible information allows).
  • Technical analysis of the key and device attestation methods available on Android for protecting the SWIYU Wallet app.
  • Exploration of mobile OS-level features (e.g., Accessibility Service) that may enable automation or indirect control of wallet apps.
  • Proof-of-concept development to assess the feasibility of such an attack vector, within legal and ethical boundaries.
  • Discussion of existing safeguards, such as biometric prompts or key unlinkability (e.g., through batch issuance and ephemeral key pairs), and their effectiveness against remote misuse.
  • Evaluation of potential countermeasures to detect or prevent such scenarios, especially considering future advancements toward full cryptographic unlinkability (e.g. by using ZKPs), which may further complicate misuse detection.
  • Early and regular discussion of findings with representatives of the e-ID program.
  • The work is to be documented in a written report that presents the technical analysis, experimental results, and recommended countermeasures in a structured and comprehensible manner.
  • The results of the thesis are to be summarised and presented in an oral presentation at the end of the project.
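To make concrete what the attestation analysis (and the rooting/instrumentation question above) has to evaluate, the following is an added example, not code from the SWIYU project or from this proposal: the checks a backend would apply to the Android Key Attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of a key's attestation certificate. Field order, tag numbers and enumeration values follow the KeyDescription schema in the Android key attestation documentation; the function names, the fixture builder and the DER blobs it produces are constructed here and are not real device output, and validation of the certificate chain up to the Google hardware attestation root is assumed to have happened already and is not shown.

```python
# Added example: checks a backend applies to an Android Key Attestation
# extension. The DER fixtures are constructed here, not taken from a device;
# chain validation to the hardware attestation root is assumed done already.

# --- minimal DER encoder, just enough to build the fixtures -----------------

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return tag + _length(len(value)) + value

def _uint(v):  # content octets of a non-negative INTEGER / ENUMERATED
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")

def d_int(v):     return _tlv(b"\x02", _uint(v))
def d_enum(v):    return _tlv(b"\x0a", _uint(v))
def d_octets(b):  return _tlv(b"\x04", b)
def d_bool(b):    return _tlv(b"\x01", b"\xff" if b else b"\x00")
def d_seq(*xs):   return _tlv(b"\x30", b"".join(xs))

def ctx_tag(n):
    """Context-specific constructed tag [n]; numbers >= 31 use base-128 form."""
    if n < 31:
        return bytes([0xA0 | n])
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return b"\xbf" + bytes(reversed(out))

def d_ctx(n, *xs): return _tlv(ctx_tag(n), b"".join(xs))

# --- minimal DER reader ------------------------------------------------------

def _read_tlv(buf, pos=0):
    """Return (tag_number, value, next_pos) for the TLV starting at pos."""
    first = buf[pos]; pos += 1
    tag = first & 0x1F
    if tag == 0x1F:                     # high tag number, base-128 continuation
        tag = 0
        while True:
            b = buf[pos]; pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

# --- the checks --------------------------------------------------------------

BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
ROOT_OF_TRUST_TAG = 704             # AuthorizationList.rootOfTrust [704] EXPLICIT

def parse_key_description(ext_der):
    f = _children(_read_tlv(ext_der)[1])         # fields of the outer SEQUENCE
    desc = {
        "attestation_version": int.from_bytes(f[0][1], "big"),
        "attestation_security_level": int.from_bytes(f[1][1], "big"),  # 0=Software 1=TEE 2=StrongBox
        "keymint_security_level": int.from_bytes(f[3][1], "big"),
        "challenge": f[4][1],
    }
    for tag, val in _children(f[7][1]):           # teeEnforced AuthorizationList
        if tag == ROOT_OF_TRUST_TAG:
            rot = _children(_read_tlv(val)[1])    # EXPLICIT: unwrap inner SEQUENCE
            desc["device_locked"] = rot[1][1] != b"\x00"
            desc["verified_boot_state"] = int.from_bytes(rot[2][1], "big")
    return desc

def check_attestation(ext_der, expected_challenge):
    """Return reasons to reject the attested key; an empty list means accept."""
    d = parse_key_description(ext_der)
    problems = []
    if d["challenge"] != expected_challenge:
        problems.append("challenge mismatch")
    if d["attestation_security_level"] == 0:
        problems.append("attestation is software-only")
    if d["keymint_security_level"] == 0:
        problems.append("key is not hardware-backed")
    if "device_locked" not in d:
        problems.append("no hardware-enforced RootOfTrust")
    else:
        if not d["device_locked"]:
            problems.append("bootloader unlocked")
        if d["verified_boot_state"] != 0:
            problems.append("verified boot state " + BOOT_STATE[d["verified_boot_state"]])
    return problems

# --- constructed fixtures (not real device output) --------------------------

def make_key_description(challenge, hardware=True, locked=True, boot_state=0):
    level = 1 if hardware else 0          # TrustedEnvironment vs Software
    tee = d_seq()
    if hardware:
        rot = d_seq(d_octets(b"\x11" * 32), d_bool(locked), d_enum(boot_state), d_octets(b"\x22" * 32))
        tee = d_seq(d_ctx(ROOT_OF_TRUST_TAG, rot))
    return d_seq(d_int(4), d_enum(level), d_int(41), d_enum(level),
                 d_octets(challenge), d_octets(b""), d_seq(), tee)

CHALLENGE = b"constructed-nonce-0001"     # fresh server-side nonce per request
GOOD_EXT     = make_key_description(CHALLENGE)
ROOTED_EXT   = make_key_description(CHALLENGE, locked=False, boot_state=2)
SOFTWARE_EXT = make_key_description(CHALLENGE, hardware=False)
REPLAYED_EXT = make_key_description(b"old-nonce")

if __name__ == "__main__":
    for name, ext in [("good", GOOD_EXT), ("rooted", ROOTED_EXT),
                      ("software", SOFTWARE_EXT), ("replayed", REPLAYED_EXT)]:
        print(name, check_attestation(ext, CHALLENGE) or "accept")
```

Two points the example is meant to surface. First, a rooted phone with an unlocked bootloader still generates its keys inside the TEE, so "hardware-backed key" alone proves nothing about the integrity of the OS around it; it is the RootOfTrust fields (deviceLocked, verifiedBootState) that distinguish the rooted fixture from the good one. Second, the challenge must be a fresh nonce chosen by the server and the evaluation must happen server-side: a check performed inside the app is exactly what runtime instrumentation or a repackaged app can patch out, and a fixed challenge lets a captured attestation be replayed.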

Requirements

  • Security / pentesting mindset
  • Experience with mobile platform security
  • Motivation to develop new skills
  • Interest in self-sovereign identity technologies
  • Coding skills