June 23, 2026

Mobile ID Wallets Offer Cross-Border Convenience, If They’re Secure

Digital ID systems date back to the early 2000s, with successful early adoption in countries like Estonia, India, Singapore, and Sweden. Today, many governments have already made or are currently making the transition to mobile ID wallets that serve the function of physical identification documents like passports and driver’s licenses.

These digital wallets may include personal details such as a government ID number, place and date of birth, biometrics, and citizenship status, based on the issuing government’s specific laws and requirements. 

The projected benefits of adopting a mobile ID wallet system include:

  • Greater convenience when traveling or accessing essential services
  • Reducing risks of lost/stolen/damaged physical documents (lost devices can have IDs removed via remote access)
  • Better protection from forgery, fraud, identity theft
  • Better control of personal data (PII exposure and misuse)
  • The ability to accurately enforce granular access policies (such as age-based controls), if desired

Active use cases for mobile ID wallets

European Union: By the end of 2026, every EU member country will need to provide an EU digital identity (EUDI) wallet to all its citizens, residents, and businesses – allowing them to prove who they are and manage important digital documents. By the end of 2027, EUDI wallets will need to support strong user and transaction authentication so that European banks can use them. The European Commission aims to provide 80% of the population with an EUDI wallet by 2030.

United States: While Apple has already added US passports as a form of digital ID in their wallet app (for domestic travel only), the federal government has deferred to individual states to institute their own dedicated digital ID systems. California and a handful of other US states have started the transition.

United Kingdom: The UK is rolling out a digital ID system (GOV.UK Wallet) for citizens to access government services and prove right-to-work.

Additional mobile ID systems in development include Mexico, Chile, and Thailand.

Cybersecurity requirements

Like any other mobile application that contains sensitive information and/or connects users to valuable services, mobile ID wallets will be heavily targeted by bad actors at the application level. Specific security regulations and standards for ID wallets are being defined within most regions. 

For example, Regulation (EU) 2024/1183 includes cybersecurity for EUDI wallets. These requirements include:

  • Secure by design. Developers must embed robust and proactive security controls throughout the app’s lifecycle.
  • Based on open-source code. Wallet apps must be open-source licensed for transparency, enabling national and EU-wide peer reviews.
  • Cybersecurity certified. Wallets must undergo approved cybersecurity certification, including rigorous testing and reassessment to ensure resilience against evolving threats. (EU cybersecurity agency ENISA is currently building a formal certification scheme for member states to prove the security of their ID wallets.)

In the US, states must develop their mobile ID wallets based on National Institute of Standards and Technology (NIST) digital identity guidelines. Risk management stipulations include guidance for Security, Fraud, and Threat Prevention; Privacy; and Customer Experience.

Real threats and potential outcomes

Privacy and security are essential table stakes for the effective transition to a mobile ID wallet system. Types of threats include:

  • Cloned “fake ID” wallets (reverse engineering, modifying, repackaging)
  • Malware-tampered ID wallets
  • Man-in-the-Middle (MitM) attacks
  • Injection attacks and AI-assisted “deep fakes” (KYC/authentication fraud)
  • Emulators and virtual cameras
  • Overlay attacks
  • API abuse

Defending against this range of threats requires purpose-built mobile app security, not generic tools adapted from web or enterprise contexts.

Successful exploitation of a mobile ID wallet carries significant risks for issuing government bodies. These may include basic problems like system downtime or interoperability issues, as well as negative press and loss of public trust (uninstalls, poor adoption, project redesigns, spiraling costs). In more extreme cases, an insecure mobile ID wallet could potentially facilitate espionage or nation-state attacks (physical security incidents resulting from mobile app security failures).

Comprehensive security for mobile ID wallets

Mobile ID wallets present high-value, high-risk targets. Device-level security alone is not sufficient protection against sophisticated attacks. Effective application-level security provides coverage across the entire mobile software development lifecycle (SDLC).

Continuous code testing

Mobile app security starts in the design and development phases. Organizations need purpose-built mobile application security testing (MAST) with both static and dynamic scanning capabilities. This helps eliminate security issues early in the development cycle, when it’s easier, faster, and cheaper to fix code within the context of when it’s written or assembled.

While many government regulations may be too general or still under active development, a solution that aligns with OWASP MAS verification standards and guidelines ensures best-of-breed testing that’s specific to risks associated with mobile applications.

AI-based coding tools have become a mainstay in most organizations to help teams meet increasingly aggressive delivery goals. While AI assistants increase speed, research confirms that about 25% of AI-generated code contains OWASP Top 10 vulnerabilities. Making matters worse, over half of mobile developers admit to shipping vulnerable code due to deadlines, and about two-thirds of organizations report losing customers due to security issues.

Multi-layered protections

While testing is essential, it only addresses one part of the mobile threat model. A mobile app can pass security scans and still expose sensitive logic once it is decompiled.

Mobile applications released into the wild also need protection against reverse engineering and tampering attacks. This should include code hardening (multiple layers of obfuscation and encryption techniques) as well as runtime security checks to counter static and dynamic attacks.

Another consideration is how and where these protections are implemented. A compiler-based solution alters the code protection mechanisms with each app iteration. This helps to ensure that any knowledge an attacker gains about an app and its defenses becomes obsolete upon the next release. This effectively “resets the clock” on persistent attempts to reverse engineer a mobile application.

Mobile API security

Mobile API security is often overlooked, and that security gap is being actively exploited. Malicious actors are increasingly focusing on API vulnerabilities to stage server-side attacks – 44% of advanced bot activity now specifically targets APIs.

Mobile APIs connect client-side mobile apps on the frontend to resources like sensitive data and services on backend servers. This makes mobile APIs a popular target for attacks by non-genuine apps (those that have been reverse engineered and modified) as well as malicious bot and AI agent attacks.

Mobile APIs themselves may even contain valuable data, which makes them a popular scraping target for AI agents, if left unprotected. While 82% of mobile app publishers say exposure to backend/API abuse is increasing, only 48% monitor API activity.

Effective mobile API protection is best achieved with dedicated app attestation capabilities. This ensures that requests can be trusted as coming from a legitimate, untampered app on an acceptable device (while blocking any malicious clones or automated bots).
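The gateway-side half of app attestation, as an added example that is not Guardsquare’s code or any specific vendor’s API: a signed attestation token carries claims an attestation service has established about the client (app identity, app integrity, device state) and is bound to the exact request it accompanies, and the backend refuses to serve anything until every claim checks out. The HMAC signing, the header name `X-App-Attestation`, the app identifier `eu.example.idwallet`, the claim names and the 300-second lifetime are all assumptions made for this illustration; `issue_attestation` stands in for the attestation service so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: in a real deployment the attestation service holds the
# signing key and the API gateway holds only what it needs to verify.
ATTESTATION_KEY = b"constructed-demo-key-do-not-use"
EXPECTED_APP_ID = "eu.example.idwallet"   # assumed package/bundle identifier
MAX_TOKEN_AGE_SECONDS = 300               # assumed token lifetime


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def request_hash(body: bytes) -> str:
    """Binds the token to one specific request so it cannot be replayed."""
    return hashlib.sha256(body).hexdigest()


def issue_attestation(claims: dict, key: bytes = ATTESTATION_KEY) -> str:
    """Stand-in for the attestation service (hypothetical): signs claims it has
    already verified about the client (app integrity, device state, binding)."""
    payload = _b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(sig)}"


def verify_attestation(token, body, now=None, key=ATTESTATION_KEY,
                       expected_app=EXPECTED_APP_ID, max_age=MAX_TOKEN_AGE_SECONDS):
    """Returns (accepted, reason). Every check runs before any data is served."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        provided_sig = _b64url_decode(sig)
    except (ValueError, TypeError):
        return False, "malformed token"
    expected_sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return False, "bad signature"             # forged or edited token
    claims = json.loads(_b64url_decode(payload))
    if claims.get("app_id") != expected_app:
        return False, "unexpected app id"         # a different (cloned) app
    if not claims.get("app_integrity"):
        return False, "app tampered"              # repackaged / modified binary
    if not claims.get("device_integrity"):
        return False, "device not acceptable"     # emulator, rooted or hooked device
    if claims.get("req_hash") != request_hash(body):
        return False, "request binding mismatch"  # token replayed on another request
    iat = claims.get("iat", 0)
    if iat > now + 30 or now - iat > max_age:
        return False, "token expired"
    return True, "ok"


def handle_api_request(headers: dict, body: bytes, now=None):
    """Gateway decision for one request: (http_status, reason)."""
    token = headers.get("X-App-Attestation")
    if token is None:
        return 401, "missing attestation"         # plain bots never carry one
    ok, reason = verify_attestation(token, body, now=now)
    return (200, "ok") if ok else (403, reason)


if __name__ == "__main__":
    body = b'{"credential": "mdl", "purpose": "age_over_18"}'
    good = issue_attestation({"app_id": EXPECTED_APP_ID, "app_integrity": True,
                              "device_integrity": True,
                              "req_hash": request_hash(body), "iat": 1_000})
    print(handle_api_request({"X-App-Attestation": good}, body, now=1_100))
```

The order of the checks matters for the failure modes listed earlier on this page: the signature check defeats edited or forged tokens from repackaged apps, the request binding and short lifetime defeat replay of a token captured in a MitM position, and the integrity claims are what lets the gateway refuse emulators and hooked devices even when the request itself looks well-formed.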

Threat monitoring

Backend fraud detection systems monitor transactions, logins, and behavioral anomalies. But they typically see only what reaches the server – not what happens inside the mobile runtime before a request is made. Sending telemetry into SIEM or SOC pipelines can help, but it often requires heavy customization and constant maintenance to correlate device-level signals. While these approaches are useful, they have inherent blind spots.

The missing piece is continuous, contextual visibility at the mobile layer itself. Real-time threat monitoring shifts the model from static defense to ongoing awareness. Effective mobile app monitoring helps organizations spot suspicious behavior from users and devices. This real-world threat telemetry can then directly inform protection adjustments.

In addition, mobile-layer threat data can also be integrated into the organization’s broader fraud protection or SIEM/SOC systems to detect coordinated threat patterns and multi-vector attacks with greater speed and precision.
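The correlation described in the two paragraphs above, as an added example that is not Guardsquare’s code or any SIEM product’s query language: a small detector joins runtime-protection signals reported by the app (emulator, hooking framework, repackaged binary) with the backend actions of the same session, rates each hit by the action’s sensitivity, and then looks across hits for a source IP behind several flagged sessions. The event streams, field names, signal names, the 120-second look-back window and the severity ranking are all constructed for this illustration.

```python
from collections import defaultdict

# Signals a mobile runtime-protection layer can report about the client itself
# (assumed names; a real product will use its own vocabulary).
RUNTIME_THREAT_SIGNALS = {
    "emulator_detected", "hooking_framework", "repackaged_app",
    "root_detected", "overlay_detected", "virtual_camera",
}

# Backend actions ranked by how much damage a compromised client could do (assumed).
ACTION_SEVERITY = {"present_credential": "high", "enroll": "high", "login": "medium"}

CORRELATION_WINDOW_SECONDS = 120   # assumed: how far back to look for runtime signals

# Constructed sample data: two streams the SOC would normally see separately.
MOBILE_TELEMETRY = [
    {"ts": 100, "session": "s1", "device": "dev-a", "signal": "emulator_detected"},
    {"ts": 105, "session": "s1", "device": "dev-a", "signal": "hooking_framework"},
    {"ts": 200, "session": "s2", "device": "dev-b", "signal": "app_integrity_ok"},
    {"ts": 300, "session": "s3", "device": "dev-c", "signal": "repackaged_app"},
]
BACKEND_EVENTS = [
    {"ts": 130, "session": "s1", "ip": "203.0.113.5",  "action": "present_credential"},
    {"ts": 210, "session": "s2", "ip": "198.51.100.7", "action": "present_credential"},
    {"ts": 320, "session": "s3", "ip": "203.0.113.5",  "action": "login"},
    {"ts": 400, "session": "s4", "ip": "203.0.113.5",  "action": "login"},  # never reported by the app
]


def correlate(telemetry, backend_events, window=CORRELATION_WINDOW_SECONDS):
    """Attach runtime threat signals to backend actions of the same session.
    A server-only fraud engine would rate s1's credential presentation as normal:
    the request itself is well-formed; only the app knew it ran in an emulator."""
    by_session = defaultdict(list)
    for event in telemetry:
        by_session[event["session"]].append(event)
    alerts = []
    for action in backend_events:
        prior = [
            t for t in by_session[action["session"]]
            if t["signal"] in RUNTIME_THREAT_SIGNALS
            and 0 <= action["ts"] - t["ts"] <= window
        ]
        if prior:
            alerts.append({
                "ts": action["ts"], "session": action["session"], "ip": action["ip"],
                "action": action["action"],
                "severity": ACTION_SEVERITY.get(action["action"], "low"),
                "signals": sorted({t["signal"] for t in prior}),
            })
    return alerts


def coordinated_sources(alerts, min_sessions=2):
    """Source IPs behind several flagged sessions: a multi-vector pattern that
    only appears once mobile-layer signals and server-side events are combined."""
    sessions_by_ip = defaultdict(set)
    for alert in alerts:
        sessions_by_ip[alert["ip"]].add(alert["session"])
    return {ip: sorted(s) for ip, s in sessions_by_ip.items() if len(s) >= min_sessions}


def sessions_without_telemetry(telemetry, backend_events):
    """Backend sessions the mobile layer never reported at all: candidates for
    traffic that did not come from the genuine app (scripts, bots, clones)."""
    seen = {e["session"] for e in telemetry}
    return sorted({e["session"] for e in backend_events} - seen)


if __name__ == "__main__":
    found = correlate(MOBILE_TELEMETRY, BACKEND_EVENTS)
    for alert in found:
        print(alert)
    print("coordinated:", coordinated_sources(found))
    print("no telemetry:", sessions_without_telemetry(MOBILE_TELEMETRY, BACKEND_EVENTS))
```

Run as-is, the detector flags s1 (high severity, credential presented from a hooked emulator) and s3 (medium, login from a repackaged app), reports 203.0.113.5 as a shared source behind both, and lists s4 as a backend session the app never reported. The same three outputs are what an organization would feed back into its protection settings and its SIEM/SOC correlation rules.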

Stop digital “fake IDs” with Guardsquare

Mobile ID wallets are rapidly becoming the new normal for international travel, access to government services, and much more. Preventing fraud and misuse of these critical mobile apps will depend on comprehensive application-level security.

As the global leader in securing mobile applications across all phases of the mobile SDLC, Guardsquare’s platform covers each essential solution area – from automated testing, to multi-layered protection, to API security, to continuous threat monitoring.
