Status of MitID app

DeletedUser399

Did write to the mentioned email, and yes I ended up talking to the clueless support 😑
I have very little hope this is going to work and yester the norwegian equivalent did the same thing.

The weird thing is the other gourvement apps Kørekort and Sundhedskort works fine on GOS

DeletedUser370

DeletedUser399 I have very little hope this is going to work and yester the norwegian equivalent did the same thing.

Not clear at the moment whether BankID Norway is blocking non-GMS-licensed OSs or whether it's an app bug that is triggered on GrapheneOS somehow.

thelostone

DeletedUser399 phrasing is important, writing it in a way that the support crew are unlikely to sweep it under the rug is important :) i was using https://grapheneos.org/articles/attestation-compatibility-guide and wrote details from there that made it seem i knew more about the subject then i do.

thelostone

got an update.
"We kindly ask you to write to the Agency for Digital Government, which is responsible for developing the MitID app.

Their email is digst@digst.dk" one step forward.

thelostone

Update.
got my final answer, the rest is up to their dev team and/or Graphene users to let them know the userbase is big enough to justify changing the code.

"Dear [my name]

Thank you for your inquiry of the 9th of June, 2025.

MitID developed and maintained to support operating systems and platforms that are used by most of the Danish population.
To ensure security updates, certifications, and proper functionality, MitID only supports operating systems that are officially certified and widely adopted in Denmark.

Unfortunately, GrapheneOS currently falls outside this scope, as it represents less than 2% usage among the Danish population.

We appreciate that you bring this technical issue and the suggested documentation to our attention, and we have forwarded your input to our relevant technical teams for their information and future consideration. "

DeletedUser370

thelostone It sounds like they don't consider GrapheneOS to fall under the heading of "Android".

opteron

So my danish banking app from BEC Financial Technologies a.m.b.a. stopped working recently because of failed integrity check on GrapheneOS. So now neither banking or MitID is allowed to run on GrapheneOS.
Therefore I wrote "Digitaliseringsstyrelsen" (digst@digst.dk) expressing my concerns and how this reliance on Google and Apple doesn't align with new geopolitical situation.
I think next step is the ministry "Digitaliseringsministeriet" (digmin@digmin.dk)
insert I'm doing my part gif here

digitalfrihed

Same boat as you guys.

I've wrote a nice email for dt@datatilsynet.dk, digmin@digmin.dk & digst@digst.dk

Considering of reaching out to TV2, DR and Version2, just to make some noise.
Anyone wanna be on record if either returns?
I don't mind being the head of the spear, as long as I don't stand alone. :)

AlexTerrible

Impossible to activate Mitid on GrapheneOs even with a Google account activated...
Old mobile phone broken. Impossible to access to my bank and pay taxes.

Answer from them? U need to come here physically. Pure disaster.

TrustExecutor

Wasn't a government agency/municipality/school or similar in Denmark somewhat recently involed in a success story where they won a case against a tech giant? I have a slight memory of a school kicking out Microsoft or Google because of the reliance of a foreign company to handle the students private data. Maybe we can track down the people involved and see if they have some tips for us? Even is this is just for Denmark I feel there may be more government digital ID sevices implementing this crap in the future if some governments contracted ID corporations (crazy, isn't it!) are successful doing it and not getting enough backlash.

opteron

I just received a reply from Digitaliseringsstyrelsen:

(machine translated)
Thank you for your inquiry of July 22, 2025
In general, there are high security requirements for MitID, which is why the MitID app itself can only be downloaded from the Apple App Store or Google Play for security reasons. It is neither technically nor practically possible to guarantee that the MitID app itself works on all operating systems and browsers. The MitID app is developed and tested to be able to work on the most common operating systems used by the majority of the population. Currently, this applies to the operating systems iOS and Android.

Noise including contact to media and/or politicians is probably the only way things will change...

de0u

opteron In general, there are high security requirements for MitID [...]

So naturally it securely refuses to run on EOL Android and iOS devices?

opteron

I have no idea.
I think the policy about this topics is heavily influenced by the fraud cases where users have had their MitID compromised. There were a lot of media coverage and AFAIK no cases were because of technical vulnerabilities, instead it was basically extortion and ignorance i.e. "if you want to borrow money I need access to your MitID".

I guess the developers at MitID were told: "You need to tighten app security. The attack method doesn't matter, just do it - better safe than sorry - it's politics. Also, why support niche systems unless we're told to?"

The policy will only change if there's a political focus on the subject and that will most likely happen if there's media coverage with the right angle (i.e. not: we few geeks would like more support for niche platforms). IMO the best angle would be the current geopolitical situation, i.e. the risk of relying on software solutions from one country that might not be our friend any more.

octavian

opteron

I sent this to dt@datatilsynet.dk, digmin@digmin.dk & digst@digst.dk with the "geopolitical situation" angle. Maybe if enough people message them they will take it a bit more seriously:

Greetings,

Usage of the "MitID" app is required to interact with any public service in Denmark. Without access to said app, Danish citizens or foreigners living in Denmark may have difficulties accessing banking, pension, health or taxation digital services.

About a year ago, the Android "MitID" app started making use of Google's "Play Integrity API" in order to verify the authenticity of operating systems. The "Play Integrity API", offered by the American multinational monopolistic corporation Google, is an inferior version of the "Hardware Attestation API". It is a service aimed at reinforcing Google's control over the smartphone operating system market. "Google Play Integrity" permits highly insecure devices with years of missing "High"/"Critical" severity security patches and is trivial to bypass via leaked keys from said insecure Android devices in the ecosystem. The purpose of the "Play Integrity API" has nothing to do with security; it is simply pushed onto app developers with vague wording and false promises regarding its capabilities in order to harm custom ROMs such as "GrapheneOS" which are competing with Google.

By requiring the "Play Integrity API" in the "MitID" app, you are introducing unnecessary dependencies on Google Play services and Google's Play Integrity US-based servers. This is a foolish and contradictory decision considering that the European Union and Denmark are increasingly concerned with digital sovereignty. On one hand, Denmark is phasing out Microsoft, another American corporation, from the ministry of digitisation. On the other hand, Danish citizens require approval from an American corporation in order to activate their "MitID" app.

More concerning, however, are the ties between Google and the US government. It is common knowledge that the US government has unfettered access to all data that Google collects. This is troublesome considering that the US is a foreign state that has just recently been caught engaging in an attack of Danish national sovereignty via covert acts of “infiltration” and “influence operations" aimed at promoting Greenlandic separatism. Do you find it is wise and desirable to lock the activation of the "MitID" app behind the servers of a covertly hostile foreign government that is actively threatening the territorial integrity of Denmark?

By using the "Play Integrity API", you are also hindering European and Danish innovation. A hypothetical small Danish competitor to Google's mobile operating system would never be certified by Google for the "Play Integrity API". This potential competitor would not be able to take off and gain relevancy in Denmark without access to the "MitID" system, which has become ubiquitous in Danish society. A real example of this scenario is the case of "GrapheneOS" -- an Android-based custom ROM that has been gaining popularity in recent years because it is more secure than stock Android.
Among a plethora of security features, "GrapheneOS" prevents Google Play services from running with privileged access in the background and forwarding all user data to US servers. This is a problem for Google, which uses this data for targeted advertisement and mass surveillance. The "Play Integrity API" is a mechanism used to hinder the popularity of "GrapheneOS" and other competitors by preventing compatibility with applications such as "MitID".

If you care about privacy, fair competition, and digital sovereignty I highly encourage you to cease usage of the "Play Integrity API" and stop enforcing Google's business model. If you require attestation, consider using the standard "Android Hardware Attestation API" which is more secure, robust and enables you to allow alternative operating systems. Below you will find links pointing to documentation which contains technical details on the matter:

https://grapheneos.org/articles/attestation-compatibility-guide
https://developer.android.com/privacy-and-security/security-key-attestation

Kind regards

opteron

octavian That's extremely well written, well done! TBH I think writings of this quality could/should be directed directly to the relevant ministers, thereby leaving a paper trail in case of a "aktindsigt" (access to documents/FOI request) by the press in order to deny them plausible deniability/forcing accountability.
Ideally the press (DR, TV2, Politiken, Berlingske, Olfi etc.) should get a copy of the mail (not CC), because journalist interest in the the minister answer could escalate the issue and draw more attention.
Vive la Résistance!

nothanksgoogle

octavian and everyone else: It might be a long shot, but someone could make citizen proposal at https://www.borgerforslag.dk/ to help draw attention to this issue and similar issues. 50k people will likely not back the proposal, but even (way) less might help draw attention to the issue.

octavian

opteron

Thank you for the kind words.

I think efforts to contact the press should be spearheaded by a Danish person. As a foreigner, I am handicapped by the language barrier and ignorance of local laws/regulations/procedures. Should I actually garner attention from the press, I may find myself unable to follow up on the matter efficiently and lose momentum.

That being said, feel free to copy/edit my message above and send it to whom it may concern -- you, or anyone else that comes across this. It may be a good idea to translate it into Danish first. For that I would recommend pasting it into Deepl and then proofreading the output to ensure the message carries across correctly.

pertel

octavian hi, I came across your post today, only a few days after I started writing a very similar sounding message, intended for digst.dk
I haven't finished it, but the intent was the exact same as yours.
I am a Danish citizen, so I am considering how to make some noise on this issue, that has bothered me for years now.
Perhaps I will start by translating your message \ paraphrasing and sending it like you did. Maybe I will find time to do something else, but I'm not sure what angle to take yet.
I am considering contacting the newly started https://digitaluafhaengighed.dk/ and see if they can amplify the message.
If I don't find the time, consider stealing the idea if some of you feel like it :)
Thanks for the solid writeup

KrystinaCezara

So just to clarify, is it possible to use MitID on GrapheneOS with a 'MitID codeviewer'?
It feels like such a stupid question, but its not clear to me after trying to read through the posts. Feels like ppl are focusing on the app, but to me a codeviewer is a perfectly fine solution.

lbschenkel

KrystinaCezara Yes, you can use the dongle. That's how I use it.

KrystinaCezara

lbschenkel Thanks for the quick reply! Great to hear, the inconvenience of the dongle seems minor, if it makes it possible to get the f away from stock android.

octavian

pertel
Apologies for the late reply, Pertel.

Thank you for trying. I only received a short reply from MitID@digst.dk a while ago:

Dear Octavian

Thank you for your suggestion. We always strive to make MitID a better eID solution, so we appreciate your feedback.

Your mail has been forwarded to relevant employees.

It doesn't seem like they care. I think you are all correct in the assessment that there is a lack consistency between so-called "digital sovereignty" efforts, and the reliance of the MitID system upon US big tech.

Most people are unbothered by the situation, so we are just a tiny minority that they can ignore without consequences. The current administration in general shows contempt for digital privacy and security, given that they have been spearheading the "Chat Control" legislation in the EU and are very keen on "protecting the children".

In the absence of public outcry and lack of interest from the relevant authorities, I have relegated myself to just using the "MitID code display" combined with a password for now.

« Previous Page