Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Wallet Solution] Integrity checks and Wallet Instance authentication #40

Closed
peppelinux opened this issue Jun 28, 2023 · 10 comments
Closed

[Wallet Solution] Integrity checks and Wallet Instance authentication #40

peppelinux opened this issue Jun 28, 2023 · 10 comments
Assignees
@balanza @grausof
Labels
wallet-solution
Milestone
0.6.0

Comments

@peppelinux
Copy link
Member 

          Maybe we can also add the check on the rooted device? @grausof

Originally posted by @fmarino-ipzs in #14 (comment)
@peppelinux
Copy link
Member Author

@fmarino-ipzs 's

I think that the wallet provider is only able to attest the TEE capability. The Wallet Solution must ensure that the private keys are securely stored.

@balanza
Copy link
Contributor

balanza commented Jun 28, 2023

The point is on the genuineness of the mobile app. The problem is sociotechnical as it involves legal concerns as well as technical constraints and facilities provided by the Device's OS vendors.

We are investigating possible solutions to that, we'll keep you posted.

@asharif1990
Copy link
Collaborator

Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?

@grausof
Copy link
Collaborator

grausof commented Jul 3, 2023

Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?

There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!

@asharif1990
Copy link
Collaborator

Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?

There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!

I see. Concerning privacy, can you elaborate on it (I am curious to know about it)? regarding the availability I agree somehow with it, but if we cannot assume the user has a mobile device with a minimum version of Android/iOS that is needed for the use of these services, we may encounter the same problem for the Secure storage of credentials/keys on the mobile devices as well.

@grausof
Copy link
Collaborator

grausof commented Jul 3, 2023

Concerning the genuineness of the mobile app, can't we rely on the App attestations using the Google Integrity API/iOS device check?

There is an extensive ongoing discussion regarding this matter that requires further attention. Several issues arise, including concerns about privacy, ensuring universal availability of the service to all citizens, as well as the involvement of non-EU services, among others!

I see. Concerning privacy, can you elaborate on it (I am curious to know about it)? regarding the availability I agree somehow with it, but if we cannot assume the user has a mobile device with a minimum version of Android/iOS that is needed for the use of these services, we may encounter the same problem for the Secure storage of credentials/keys on the mobile devices as well.

It is possible to check the minimum requirements, the problem is to contact non-EU services such as SafetyNet or App Attest Service for apple. The main privacy issue is related to IP addresses

@grausof grausof mentioned this issue Jul 4, 2023
Merged
5 tasks
@grausof
Copy link
Collaborator

grausof commented Aug 8, 2023

I add that the integrity check can also be used as an authentication system of the Wallet Instance towards the Wallet Provider. This way, issuing n attestation will only happen if the integrity check is passed (preventing anyone from getting attestation outside the app). cc @peppelinux

@grausof grausof changed the title [Wallet Solution] security checks [Wallet Solution] Integrity checks and Wallet Instance authentication Aug 8, 2023
@asharif1990
Copy link
Collaborator

I add that the integrity check can also be used as an authentication system of the Wallet Instance towards the Wallet Provider. This way, issuing n attestation will only happen if the integrity check is passed (preventing anyone from getting attestation outside the app). cc @peppelinux

I would like to recommend the consideration of key attestation beside the integrity check as it provides useful information regarding the type of secure area that the user's phone support + basic cryptographic properties of the attested key. This information would be useful to be returned in the Wallet instance Attestation as mentioned by @peppelinux here.

@peppelinux peppelinux added this to the 0.6.0 milestone Sep 1, 2023
@grausof grausof mentioned this issue Sep 6, 2023
Closed
@peppelinux
Copy link
Member Author

see also: #161

@grausof
Copy link
Collaborator

grausof commented Jan 31, 2024

Duplicated of #161
I'll close the issue and let's move the discussion there

@grausof grausof closed this as completed Jan 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@balanza balanza

@grausof grausof

Labels
wallet-solution
Projects
None yet
Milestone
0.6.0
Development

No branches or pull requests
4 participants
@balanza @grausof @peppelinux @asharif1990