Securing Digital Identity: A Guide for Mobile App Developers

By 2026, digital identity wallets are projected to hold the personal data of over 400 million EU citizens. But with this growth comes a massive risk: attackers are targeting this new digital frontier. In this blog, we’ll show you how to stay ahead of these threats, protect your users, and avoid devastating financial and reputational damage.

While digital wallets initially emerged as payment tools, they are evolving into identity management. This introduces significant security and privacy concerns. For mobile developers, this means adapting to new requirements, particularly in terms of security and compliance.

This blog explores:

• The key security threats facing digital identity wallets
• Regulatory expectations under eIDAS 2.0 and the EU Cybersecurity Act
• Practical best practices mobile developers should adopt to ensure compliance and resilience

Mobile app wallets are no longer just about payments

Over the last decade, digital wallets have evolved from single-purpose payment tools into multifunctional platforms. The transformation began with big tech’s early wallet offerings:

• 2011: Google Wallet (Global)
• 2014: Apple Pay (Global)
• 2015: Samsung Pay (Global)

These platforms were originally designed to simplify payments using Near Field Communication (NFC) and tokenized card storage. However, they soon expanded to support boarding passes, loyalty cards, event tickets, and more.

In parallel, APAC tech giants launched similar solutions such as China’s Alipay and WeChat Pay, India’s BHIM/UPI and DigiLocker expanding mobile wallets into integrated platforms supporting payments, travel, health, and identity services.

These innovations underscore a global trend: wallet apps are rapidly becoming centralized digital identity platforms, capable of not just payments, but also secure authentication, document sharing, and government interactions.

As wallets increasingly store and transmit personally identifiable information (PII) and enable access to financial, medical, and administrative services, they become prime targets for sophisticated cyberattacks.

Understanding the security risks

ENISA’s March 2024 guidance on Remote ID Proofing
details multiple specific threat vectors digital identity wallet app developers must guard against:

Deepfake-driven injection attacks

Attackers use AI-generated deepfake videos or pre-recorded images to manipulate facial recognition during the remote digital identity proofing process. This can allow unauthorized users to spoof identity verification procedures and bypass authentication.

Emulators and virtual cameras

Threat actors deploy emulator environments or virtual camera feeds to trick biometric systems into accepting fake input. This enables them to mimic a legitimate user without physically accessing their device.

Man-in-the-Middle (MitM) attacks

Especially during onboarding, attackers may intercept sensitive data exchanged between the app and backend servers. These attacks aim to compromise identity or session tokens, thereby undermining the system's trust.

These threats are specific to identity verification workflows and require biometric spoofing defenses and runtime environment validation.

In addition to identity-specific attacks, digital identity wallets face broader mobile application security threats, such as:

Overlay attacks

Malicious apps or overlay attacks are displayed on top of legitimate apps to trick users into entering credentials or other sensitive information.

Cloned apps

Attackers reverse-engineer legitimate wallet apps and distribute malicious clones that appear authentic but are designed to steal credentials or execute unauthorized API calls.

API abuse

Weakly protected APIs can be exploited to bypass authentication, access user data, or tamper with backend systems.

These threats must be carefully evaluated and addressed using robust mobile app security measures before digital identity apps are released to the public. Proactive protection is essential to maintain user trust, prevent illicit activities, and meet regulatory expectations.

The regulatory landscape in the EU: eIDAS 2.0 and beyond

The Regulation (EU) 2024/1183, part of the eIDAS 2.0 framework, introduces cybersecurity certification for all European Digital Identity (EUDI) wallets under the EU Cybersecurity Act. The regulation aims to build a secure, mobile-friendly infrastructure for digital identities by enforcing high-assurance, secure-by-design development standards.

Much like the GDPR before it, this regulation doesn’t just impact organizations within the EU. Any company offering digital identity wallet services to EU citizens will be required to comply with the regulation, making it a likely trendsetter for global digital identity governance.

Core regulatory requirements

Developers must embed robust security controls throughout the app’s lifecycle, from initial design and development through releases and updates. The regulation prioritizes proactive risk mitigation over reactive patching.

The regulation stipulates that wallet application software must be open-source licensed. This is a significant move toward transparency, enabling peer review in the national and EU-wide digital identity infrastructure.

EUDI Wallets are required to undergo cybersecurity certification under approved schemes
. This includes rigorous testing and reassessment to ensure resilience against evolving threats.

How obfuscation works hand in hand with security by design

The regulation emphasizes security by design which means apps must be secure in architecture, logic, and behavior, regardless of whether the code is open or proprietary. But while this foundation is essential, it’s not enough on its own. Once apps are live, attackers can still reverse engineer or tamper with them. That is where obfuscation comes in. It’s not a substitute for good design, but it adds a much-needed layer of protection. Obfuscation helps protect your app’s code at the binary level, making it harder for attackers to inspect, clone, or modify. No matter how your app is built, the version that ends up on a user’s device is a compiled binary. Without extra defenses, that binary is exposed and vulnerable.

When used the right way, obfuscation support secure design by:

• Making reverse engineering much harder
• Increasing the effort and resources needed to attack mobile apps
• Protecting sensitive elements like cryptographic keys and business logic

Together, security by design and obfuscation create a stronger defense. One sets a secure foundation, the other guards it in the wild.

Best practices for digital wallet security

Let’s take a closer look at what ENISA explicitly recommends for mobile app security in digital identity applications, as outlined in its March 2024 Remote ID Proofing guidance. To comply with EU standards and protect against real-world threats, the guidelines suggest developers to implement the following security layers:

Code obfuscation

• Practice: Makes source/binary code harder to reverse-engineer.
• ENISA Guidance: recommends code obfuscation for sensitive apps to prevent code analysis and preserve integrity. Seen as a "state-of-the-art" defense. (ref: Remote ID proofing good practices - ENISA - March 2024 )

Anti-tampering protections

• Practice: Root/jailbreak detection, anti-debugging, runtime integrity checks, secure hardware (e.g., TEE or Secure Elements).
• Compliance: Wallets must prevent unauthorized modifications and use secure elements or equivalent to protect cryptographic material.
• ENISA Guidance: Recommends Runtime Application Self-Protection (RASP) and detection of untrusted runtime environments. (ref: Remote ID proofing good practices - ENISA - March 2024 )

App attestation

• Practice: App attestation uses platform APIs or cryptographic tokens to prove app integrity to servers or backends. Server-side protections alone are insufficient. 'Secure-by-design' must include mobile-native safeguards.
• Compliance: Strongly implied by the regulation through requirements for tamper-proof execution and secure-by-design approaches.
• ENISA Guidance: Encourages Trusted Execution Environments and integrity verifications to ensure only legitimate apps operate.(ref: Remote ID proofing good practices - ENISA - March 2024).

Continuous Mobile App Security Testing (MAST)

• Practice: MAST includes vulnerability scanning, code review, penetration testing, and remediation.
• Compliance: Certified wallets must be tested at least every two years; failure to remediate leads to certificate revocation.
• ENISA Guidance: Advocates recurring penetration tests and white hat bug bounties as part of a secure development lifecycle.(ref: Remote ID proofing good practices - ENISA - March 2024 )

Final thoughts

The shift toward mobile-first identity management represents a significant opportunity and responsibility for developers. As the EU standardizes digital identity, app developers must step up with multi-layered, proactive security strategies.

To succeed in securing EUDI wallet apps, mobile developers must:

• Embed code obfuscation, anti-tampering, app attestation, and testing during early development, not after deployment.
• Adopt DevSecOps practices to continuously update and reassess app security throughout its lifecycle.
• Follow ENISA guidance and EU certification protocols to ensure long-term compliance.

Ready to secure your digital Identity wallet application? Contact a Guardsquare expert to get started.