- Updated: April 4, 2026
Mobile Device Vulnerability Management (MDVM) in German EUDI Wallet – Key Insights

The Mobile Device Vulnerability Management (MDVM) architecture is a comprehensive framework that combines hardware‑based attestations, cloud‑based integrity checks, and Runtime Application Self‑Protection (RASP) to ensure that German EUDI wallets run only on trusted mobile devices.
Why MDVM Matters for the German EUDI Wallet
As the European Union pushes for a unified digital identity, Germany’s EUDI wallet must meet the highest assurance level (AL‑high). This means the wallet’s cryptographic keys are only usable when the underlying mobile device proves it is free from critical vulnerabilities. The MDVM architecture, detailed in the official original MDVM documentation, defines how security signals, device class identification, and real‑time RASP detection work together to protect the wallet’s KeyAttestation, PlayIntegrity, and AppAttest processes.
MDVM Architecture at a Glance
The MDVM system is built on three pillars:
- Signal Collection: Gather attestation data from Android KeyAttestation, Google Play Integrity, and Apple App Attest.
- Device Class Identification: Map signals to a verified device model, OS version, and hardware‑backed keystore (HKS) status.
- RASP Detection: Continuously monitor the wallet app for tampering, rooting, emulation, and bot‑like behavior.
These components feed a central MDVM Decision Engine that either authorizes or blocks the wallet’s OpenID4VCI Key Attestation flow.
Key Security Signals: KeyAttestation, PlayIntegrity, and AppAttest
1. Android KeyAttestation
KeyAttestation provides a cryptographically signed snapshot of the device’s hardware security module (HSM) state. Critical fields include:
| Signal | What It Verifies | Threat Mitigated |
|---|---|---|
| HardwareEnforced (SecurityLevel) | Presence of StrongBox or Trusted Execution Environment | Emulation attacks |
| RootOfTrust.verifiedBootState | Verified boot status (Verified/Failed) | Bootloader tampering, custom ROMs |
| osPatchLevel | Date of last security patch | Out‑of‑date OS vulnerabilities |
2. Google Play Integrity Verdict
Play Integrity adds a cloud‑side assessment that cross‑checks the device’s attestation against Google’s internal vulnerability database.
- deviceRecognitionVerdict: Returns MEETS_STRONG_INTEGRITY only when the device has a recent security patch and a locked bootloader.
- appLicensingVerdict: Confirms the app was installed from Google Play, preventing sideloaded tampered builds.
- environmentDetails.playProtectVerdict: Flags known malware or disabled Play Protect.
3. Apple App Attest (iOS)
On iOS, the ChatGPT and Telegram integration leverages Apple’s Secure Enclave to generate a device‑bound key pair. The attestation object includes:
- Certificate chain signed by Apple.
- Secure Enclave‑generated credentialId that cannot be cloned.
- Counter that must start at zero, detecting replay attacks.
Runtime Application Self‑Protection (RASP) in MDVM
RASP operates inside the wallet app, offering a platform‑agnostic safety net when hardware attestations are insufficient.
Core Detection Capabilities
- App Hooking/Debugging: Detects Frida, Xposed, or LSPosed injection attempts.
- App Repackaging: Flags altered signatures or modified bundles before launch.
- Root/Jailbreak Detection: Monitors privileged file access and sandbox violations.
- Emulation Checks: Verifies hardware consistency to block virtualized test farms.
- Automation & Bot Detection: Analyzes request patterns for abnormal activity.
When a RASP signal indicates a high‑risk state, the MDVM engine can instantly revoke the wallet’s session token, preventing any credential misuse.
Functional Specs: From Device Class to Decision Logic
The MDVM specification defines three functional blocks, each with a clear responsibility:
Identify Device Class
Combines KeyAttestation and PlayIntegrity data to produce a unique Device Class ID that includes:
- Model name (e.g., Samsung Galaxy S23).
- OS version and patch level.
- HKS type (StrongBox, Trusted Execution Environment).
Verify Vulnerabilities for Device Classes
MDVM queries a continuously updated Device Class Vulnerability Database (DCVDB). The database aggregates CVE data, vendor advisories, and internal security research. If a device class is linked to a CVE with a CVSS score ≥ 7.0, the engine marks the class as non‑compliant.
Decide on Device/App Usage
Based on the combined signal score (0–100), the engine enforces one of three actions:
- Allow: Score ≥ 80 – device passes all checks; wallet proceeds with Key Attestation.
- Warn: Score 60‑79 – user receives a security warning; optional re‑authentication required.
- Block: Score < 60 – wallet aborts the transaction and revokes any temporary keys.
These decisions are logged for auditability, satisfying both GDPR and German BSI compliance requirements.
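To make the three functional blocks concrete, here is an added toy Decision Engine (example code written for this article, not part of the MDVM specification or any UBOS SDK). It builds a Device Class ID from the KeyAttestation and Play Integrity fields listed above, applies the page's DCVDB rule (CVSS ≥ 7.0 marks the class non‑compliant) and the 80/60 score thresholds; the point weights, the `DCVDB` entries and the minimum patch level are assumptions chosen for illustration.

```python
# Added illustration (not from the MDVM spec): a toy MDVM Decision Engine that
# turns KeyAttestation / Play Integrity / RASP signals into Allow/Warn/Block.
from dataclasses import dataclass, field

# Constructed DCVDB stand-in: Device Class ID -> highest CVSS score linked to that class.
# Both entries are placeholders, not real CVE data.
DCVDB = {
    "samsung galaxy s23|android 14|20251201|strongbox": 4.3,
    "generic emulator|android 13|20230105|software": 9.8,
}

@dataclass
class Signals:
    model: str
    os_version: str
    os_patch_level: int       # KeyAttestation osPatchLevel as YYYYMMDD (assumed encoding)
    security_level: str       # KeyAttestation SecurityLevel: "strongbox", "tee" or "software"
    verified_boot_state: str  # RootOfTrust.verifiedBootState: "Verified" or "Failed"
    play_verdicts: list       # Play Integrity deviceRecognitionVerdict values
    app_licensing: str        # Play Integrity appLicensingVerdict
    play_protect: str         # environmentDetails.playProtectVerdict
    rasp_alerts: list = field(default_factory=list)  # e.g. ["hooking"], ["root"]

def device_class_id(s: Signals) -> str:
    """Identify Device Class: one ID per model / OS / patch level / HKS type."""
    return f"{s.model}|{s.os_version}|{s.os_patch_level}|{s.security_level}".lower()

def signal_score(s: Signals, min_patch_level: int) -> int:
    """Combined 0-100 signal score. The weights are assumptions for this example."""
    pts = 30 if s.security_level in ("strongbox", "tee") else 0   # hardware-backed keystore
    pts += 25 if s.verified_boot_state == "Verified" else 0        # locked bootloader, stock ROM
    pts += 15 if s.os_patch_level >= min_patch_level else 0        # recent security patch
    if "MEETS_STRONG_INTEGRITY" in s.play_verdicts:
        pts += 15
    elif "MEETS_DEVICE_INTEGRITY" in s.play_verdicts:
        pts += 5
    pts += 10 if s.app_licensing == "LICENSED" else 0              # installed from Google Play
    pts += 5 if s.play_protect == "NO_ISSUES" else 0               # no known malware
    pts -= 50 * len(s.rasp_alerts)                                  # any RASP hit is high risk
    return max(0, min(100, pts))

def decide(s: Signals, min_patch_level: int = 20251001) -> tuple:
    """Decide on Device/App Usage: ('Allow'|'Warn'|'Block', score, device_class_id)."""
    cls = device_class_id(s)
    if DCVDB.get(cls, 0.0) >= 7.0:          # page rule: CVSS >= 7.0 => non-compliant class
        return ("Block", 0, cls)
    score = signal_score(s, min_patch_level)
    if score >= 80:
        return ("Allow", score, cls)
    if score >= 60:
        return ("Warn", score, cls)
    return ("Block", score, cls)
```

A device class listed in the DCVDB with a critical CVE is blocked before any scoring, which mirrors the ordering of the three functional blocks above.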
What MDVM Means for Developers, Enterprises, and Regulators
For Mobile Developers
Developers must integrate three SDKs into their wallet app:
- Android SafetyNet/PlayIntegrity client library.
- iOS DeviceCheck/AppAttest framework.
- A lightweight RASP module (e.g., UBOS templates for quick start).
UBOS’s Web app editor can generate boilerplate code for these integrations, dramatically reducing time‑to‑market.
For Enterprises & SMBs
Companies deploying the EUDI wallet across a workforce need to align their Mobile Device Management (MDM) policies with MDVM requirements. The Enterprise AI platform by UBOS offers a unified dashboard that visualizes device‑class compliance, RASP alerts, and attestation health scores.
For Regulators and Auditors
MDVM provides a verifiable audit trail:
- Timestamped attestation logs stored in an immutable ledger.
- Device‑class vulnerability snapshots that can be cross‑referenced with national CVE feeds.
- RASP incident reports that detail the exact code path where tampering was detected.
This transparency satisfies the German Federal Office for Information Security (BSI) and the EU’s eIDAS regulation.
Take the Next Step with UBOS
Implementing MDVM doesn’t have to be a solo effort. UBOS offers a suite of tools and services that align perfectly with the architecture:
Start Quickly with Templates
Explore ready‑made solutions like the AI SEO Analyzer or the AI Article Copywriter to prototype attestation flows.
Automate Workflows
Use the Workflow automation studio to trigger compliance checks whenever a new device registers.
Scale with AI Marketing Agents
Leverage AI marketing agents to inform users about security updates and required device patches.
Partner for Success
Join the UBOS partner program to get dedicated support for MDVM integration.
Ready to future‑proof your digital identity solution? Visit the UBOS homepage for a full overview, or explore the About UBOS page to learn how our team drives secure, AI‑enhanced mobile experiences.
Conclusion
The MDVM architecture is the linchpin that transforms the German EUDI wallet from a theoretical credential store into a resilient, real‑world identity solution. By unifying hardware attestations, cloud integrity verdicts, and proactive RASP monitoring, MDVM ensures that only devices meeting strict security baselines can access high‑assurance digital identities. Developers gain clear integration pathways, enterprises receive actionable compliance dashboards, and regulators obtain auditable evidence—all while users enjoy a seamless, trustworthy experience.
Stay ahead of the security curve—integrate MDVM today and let UBOS accelerate your journey to a secure digital future.