Security information for Smart ID Mobile App
Nexus' statement of commitment
Nexus is dedicated to the implementation of an active, analytics-driven approach to cybersecurity. Security testing and improvement are ongoing activities that are incorporated into our vulnerability and threat management process.
Nexus performs continuous testing on all mobile solution components to ensure the highest possible level of security. We regularly engage external security auditors to validate our security posture. The regular assessments of application and system vulnerability threats cover the following:
network vulnerability threat assessments,
penetration testing and code review with leading, independent third parties, and
security control framework review and testing.
Our commitment to ensure security was recently noted by an external auditor who declared it is evident that Nexus has made a significant effort to reduce the overall risk that is facing certificate-based security. Contact Nexus for more information.
As trust relates to transparency, all major call flows and APIs are available on our documentation website.
We strongly encourage customers to take all possible precautions to prevent unauthorized access using the current best practices in information security. In case any vulnerabilities are discovered in Nexus' products, they should be reported to Nexus without delay.
Please note that Nexus permits third-party vulnerability and penetration tests with Nexus' approval. Vulnerability and penetration tests shall not be attempted without Nexus' guidance, particularly not in a production environment, as uncontrolled tests may impact system availability, performance and security negatively.
Finally, the overall security in the system has dependencies on the overall PKI solution including the use of Hardware Security Modules (HSMs) and CA software. Lifecycle management processes should mitigate the risks when a device is in vulnerable state, for example lost or misused. Revocation of authentication and signing certificates and the distribution of certificate revocation lists (CRLs) to relying parties should be implemented for this case.
Nexus' CA software Certificate Manager is certified in compliance with Common Criteria for Information Technology Security Evaluation (CC) EAL4+ and covers lifecycle management and revocation processes.
Introduction to Nexus Smart ID Mobile App
The mobile device is key to adopting accessibility and mobility in the world of evolving digital services. It offers an appealing option to provide convenient and secure access to applications and services for users in the workforce domain as well as citizens in the government domain. The solution provides an intuitive and friction-less experience to the end user, while keeping security measures on the highest level to keep private information protected from cyber attacks and hackers both today and tomorrow.
Nexus' Smart ID Mobile App provides a vast set of use cases such as client authentication, digital signing and email encryption on the mobile device. All use cases have one thing in common; they are all based on strong uncompromising PKI security.
The Smart ID Mobile App is supported on both iOS and Android and available in Apple App Store and Google Play. Nexus also offers the possibility to license the Smart ID Mobile SDK, which the App is built on, so that it can be embedded into third-party mobile apps for customers who want to further customize the Mobile App.
Smart ID Mobile App - a part of Nexus Smart ID
Since the Smart ID Mobile App is an integral part of Nexus Smart ID, it can out-of-the-box leverage the features and processes developed and excelled for many years granting a smooth and secure experience for both users and administrators.
Nexus Smart ID Workforce provides easy-to-use modules to issue, manage and use trusted employee identities in the form of digital smart cards for mobile devices and physical cards.
Here are some features that could be combined with the Smart ID Mobile App:
Integration with web applications, authentication and digital signing services can be achieved using industry standard protocols, published APIs, and SDKs.
The Smart ID Mobile App includes the following standard components:
Smart ID Mobile App – stand-alone app for iOS and Android
Smart ID Mobile SDK – security and communication core to be integrated in third-party mobile apps, for iOS and Android
Smart ID Messaging (Hermod) - Spring-Boot Java server shipped as Docker container.
The Smart ID Mobile App works in combination with Smart ID Messaging, which represents the server side of the security infrastructure as well as the connection point to other server-side systems and services.
Security Features
Overview of layered security model
Nexus Smart ID Mobile App implements a layered security model using various technologies and security measures where the combination of these provide a resilient design, with no single point of exposure and failure. The target is to protect the user credential and private key from exposure at all times and keep the app safe from cyber attacks and hackers.
Security blocks
The layered security model of the Smart ID Mobile App is constituted by a set of security blocks, listed below.
Private key security and storage
Cryptographic Keys
Private keys are non-exportable
All cryptographic keys are stored AES-encrypted using key derived from the user PIN (see section "Distributed security model").
Secure Storage
Encrypted cryptographic keys are stored in the Mobile App with access to the keys protected by an encryption scheme backed up by Android Keystore and iOS Keychain APIs
Biometrics
PIN optionally protected by biometrics as provided by device OS and model:
Fingerprint on Android and TouchID on iOS
Face Detection on Android and FaceID on iOS
Mobile App and SDK hardening
Industry-leading third-party security product for hardening
Used in Smart ID Mobile App both for App and SDK protection.
Regularly upgraded so that Smart ID Mobile App and SDK are always running the latest version.
Security capabilities
Jailbreak and root detection to make sure Smart ID Mobile App or third-party Apps running our SDK, can only run in a safe environment
Code obfuscation which prevents key extraction, tampering, cloning and reverse engineering of the App and SDK
Debug mode prevention
Checksums (guards) which checks the integrity of the code
Encryption of literal strings
Mobile App security
OS sandbox model
Utilizes built-in OS security and OS sandbox model
App runs in an app sandbox, which in turn runs in an OS sandbox separated from the rest of the system, so that only Smart ID Mobile App can access data store in keychain/keystore
Agile development and deployment model
Constantly evolving automation tests catering for quick regression testing on many device types in parallel
Short turn-around time from implementation to deployment
Automatic update via stores
Quick remedies for potential future vulnerabilities
Security reviews
Periodical security review by external contractor
Open and transparent process for security audits and reviews together with customers.
Screenshot protection
Prevents user from taking screenshot of Visual ID
Prevents user from mirroring the mobile app to a computer or other device
Online authentication
Smart ID Messaging
Messaging server (Hermod) which provides a secure communication channel between the Mobile App/SDK and server-side components for Identity Management, Digital Access, Digital Signing and so on
Messaging server actively takes part in an Online PIN process (see section "Distributed security model") invoked in online scenarios where the private key needs to be used in a cryptographic process (Not applicable for offline OTP scenarios)
HTTPS communication based on TLS with server side authentication
Verification
Session verification by verification images being displayed both on server side and in the Smart ID Mobile App
Certificate pinning
Provides means to control that the Smart ID Mobile SDK can only communicate with a dedicated Messaging server
PIN policy
PIN size
Minimum six (6) digits
PIN blocking policy
Three failed PIN entries result in blocking the PIN for 5 minutes
4th-8th failed PIN entries lead to blocking the PIN for 10, 20, 40, 80, 160 minutes
9th failed PIN entry leads to blocking the PIN for 320 min + warning/alert
10th failed PIN entry the profile will be deleted
PIN pattern policy
Restricts users from setting too simple PIN
Security standards
PKI – Public Key Infrastructure, see https://en.wikipedia.org/wiki/PKCS
Javascript Object Signing and Encryption (JOSE), see https://www.iana.org/assignments/jose/jose.xhtml
RSA2048 key size, or higher.
RSA PKCS#1 signature with SHA-256, see https://tools.ietf.org/html/rfc8017
AES encryption, see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
X.509 certificates support, see https://tools.ietf.org/html/rfc2459
PKCS#10 Certificate Signing Request, see https://tools.ietf.org/html/rfc2986
PKCS#12 archive file format bundling private keys with X.509 Certificates, see https://tools.ietf.org/html/rfc7292
Secure provisioning
Secure provisioning of certificates and keys
Invoked from helpdesk/admin
Device authentication via one-time activation code (OTP) included in URL (QR code or web link)
Self-service portal using other 2FA method or username & password temporarily
Display QR code containing one-time activation code in self-service portal
Enrollment processes for certificate, keys and one-time passwords (OTP)
Creation of one-time password (OTP) profiles, both time-based (TOTP) and event-based (HOTP), see: https://tools.ietf.org/html/rfc6238 and https://tools.ietf.org/html/rfc4226
Enrollment of raw keys, which means keys not bundled or associated with any certificate
Enrollment of X.509 certificates according to a PKCS#10 schema where the private key is generated by Smart ID Mobile App on the mobile device
Enrollment of X.509 certificates according to a PKCS#12 schema with the private keys already generated and bundled with the certificates.
Refer to Hermod API examples for further details on enrollment processes
One-time activation codes (relevant for raw keys and certificate based virtual smart cards)
Can only be used once, as implied by name, and instantly destructed upon consumption
Based on double random UUID's
Configurable expiration time where the request order corresponding to the one-time activation code is destructed upon code expiration
Distributed security model
To further strengthen the protection of the PKI private key over the security features that are laid out in the previous sections, Smart ID Mobile SDK in conjunction with Smart ID Messaging implements a dual architecture to prevent extraction on the private key stored in the device.
Three security elements are required to bypass private key protection:
The PIN set by the User, optionally further protected by biometrics
A cryptographic secret generated and stored protected in the App
A cryptographic secret generated and stored protected in Smart ID Messaging
Neither the mobile device nor the server holds all three elements, so stealing a PIN and hacked phone will not enable retrieving a private key.
The server controls the number of access attempts, to protect the private keys from exposure to for instance a brute force attack.
The mobile device and server work together using an advanced cryptographical protocol known as SPHINX, which is similar to Diffie-Hellman key establishment. See https://eprint.iacr.org/2018/695.pdf.