Reverse engineering a national digital ID
Hiya,
There are more and more national identity providers, as I mentioned here.
This article from 2023 does a great job of explaining the reverse engineering process used to find security holes in the French national digital ID. The author starts by decompiling the associated Android app, and it just gets better from there.
The post includes:
an overall architecture of how the ID works
common attacks to consider (for example, MITM, signature verification)
areas of higher vulnerability (for example, handshakes)
a practical example of an attack
One major finding:
…it was possible for an arbitrary 3rd party App to consume the FranceIdentité Backend API through the Secure Channel in the same way the original FranceIdentité app does.
If you are building a CIAM solution, it’s worth taking a look at this to see how even an entity with substantial resources (the French government), protecting important functionality (including voting), built out an identity solution that still had flaws.
If you’re interested, there’s also an extensive discussion on HN.
Please hire pentesters.
Dan