Status of MitID app

AlexTerrible

Impossible to activate Mitid on GrapheneOs even with a Google account activated...
Old mobile phone broken. Impossible to access to my bank and pay taxes.

Answer from them? U need to come here physically. Pure disaster.

TrustExecutor

Wasn't a government agency/municipality/school or similar in Denmark somewhat recently involed in a success story where they won a case against a tech giant? I have a slight memory of a school kicking out Microsoft or Google because of the reliance of a foreign company to handle the students private data. Maybe we can track down the people involved and see if they have some tips for us? Even is this is just for Denmark I feel there may be more government digital ID sevices implementing this crap in the future if some governments contracted ID corporations (crazy, isn't it!) are successful doing it and not getting enough backlash.

opteron

I just received a reply from Digitaliseringsstyrelsen:

(machine translated)
Thank you for your inquiry of July 22, 2025
In general, there are high security requirements for MitID, which is why the MitID app itself can only be downloaded from the Apple App Store or Google Play for security reasons. It is neither technically nor practically possible to guarantee that the MitID app itself works on all operating systems and browsers. The MitID app is developed and tested to be able to work on the most common operating systems used by the majority of the population. Currently, this applies to the operating systems iOS and Android.

Noise including contact to media and/or politicians is probably the only way things will change...

de0u

opteron In general, there are high security requirements for MitID [...]

So naturally it securely refuses to run on EOL Android and iOS devices?

opteron

I have no idea.
I think the policy about this topics is heavily influenced by the fraud cases where users have had their MitID compromised. There were a lot of media coverage and AFAIK no cases were because of technical vulnerabilities, instead it was basically extortion and ignorance i.e. "if you want to borrow money I need access to your MitID".

I guess the developers at MitID were told: "You need to tighten app security. The attack method doesn't matter, just do it - better safe than sorry - it's politics. Also, why support niche systems unless we're told to?"

The policy will only change if there's a political focus on the subject and that will most likely happen if there's media coverage with the right angle (i.e. not: we few geeks would like more support for niche platforms). IMO the best angle would be the current geopolitical situation, i.e. the risk of relying on software solutions from one country that might not be our friend any more.

octavian

opteron

I sent this to dt@datatilsynet.dk, digmin@digmin.dk & digst@digst.dk with the "geopolitical situation" angle. Maybe if enough people message them they will take it a bit more seriously:

Greetings,

Usage of the "MitID" app is required to interact with any public service in Denmark. Without access to said app, Danish citizens or foreigners living in Denmark may have difficulties accessing banking, pension, health or taxation digital services.

About a year ago, the Android "MitID" app started making use of Google's "Play Integrity API" in order to verify the authenticity of operating systems. The "Play Integrity API", offered by the American multinational monopolistic corporation Google, is an inferior version of the "Hardware Attestation API". It is a service aimed at reinforcing Google's control over the smartphone operating system market. "Google Play Integrity" permits highly insecure devices with years of missing "High"/"Critical" severity security patches and is trivial to bypass via leaked keys from said insecure Android devices in the ecosystem. The purpose of the "Play Integrity API" has nothing to do with security; it is simply pushed onto app developers with vague wording and false promises regarding its capabilities in order to harm custom ROMs such as "GrapheneOS" which are competing with Google.

By requiring the "Play Integrity API" in the "MitID" app, you are introducing unnecessary dependencies on Google Play services and Google's Play Integrity US-based servers. This is a foolish and contradictory decision considering that the European Union and Denmark are increasingly concerned with digital sovereignty. On one hand, Denmark is phasing out Microsoft, another American corporation, from the ministry of digitisation. On the other hand, Danish citizens require approval from an American corporation in order to activate their "MitID" app.

More concerning, however, are the ties between Google and the US government. It is common knowledge that the US government has unfettered access to all data that Google collects. This is troublesome considering that the US is a foreign state that has just recently been caught engaging in an attack of Danish national sovereignty via covert acts of “infiltration” and “influence operations" aimed at promoting Greenlandic separatism. Do you find it is wise and desirable to lock the activation of the "MitID" app behind the servers of a covertly hostile foreign government that is actively threatening the territorial integrity of Denmark?

By using the "Play Integrity API", you are also hindering European and Danish innovation. A hypothetical small Danish competitor to Google's mobile operating system would never be certified by Google for the "Play Integrity API". This potential competitor would not be able to take off and gain relevancy in Denmark without access to the "MitID" system, which has become ubiquitous in Danish society. A real example of this scenario is the case of "GrapheneOS" -- an Android-based custom ROM that has been gaining popularity in recent years because it is more secure than stock Android.
Among a plethora of security features, "GrapheneOS" prevents Google Play services from running with privileged access in the background and forwarding all user data to US servers. This is a problem for Google, which uses this data for targeted advertisement and mass surveillance. The "Play Integrity API" is a mechanism used to hinder the popularity of "GrapheneOS" and other competitors by preventing compatibility with applications such as "MitID".

If you care about privacy, fair competition, and digital sovereignty I highly encourage you to cease usage of the "Play Integrity API" and stop enforcing Google's business model. If you require attestation, consider using the standard "Android Hardware Attestation API" which is more secure, robust and enables you to allow alternative operating systems. Below you will find links pointing to documentation which contains technical details on the matter:

https://grapheneos.org/articles/attestation-compatibility-guide
https://developer.android.com/privacy-and-security/security-key-attestation

Kind regards

opteron

octavian That's extremely well written, well done! TBH I think writings of this quality could/should be directed directly to the relevant ministers, thereby leaving a paper trail in case of a "aktindsigt" (access to documents/FOI request) by the press in order to deny them plausible deniability/forcing accountability.
Ideally the press (DR, TV2, Politiken, Berlingske, Olfi etc.) should get a copy of the mail (not CC), because journalist interest in the the minister answer could escalate the issue and draw more attention.
Vive la Résistance!

nothanksgoogle

octavian and everyone else: It might be a long shot, but someone could make citizen proposal at https://www.borgerforslag.dk/ to help draw attention to this issue and similar issues. 50k people will likely not back the proposal, but even (way) less might help draw attention to the issue.

octavian

opteron

Thank you for the kind words.

I think efforts to contact the press should be spearheaded by a Danish person. As a foreigner, I am handicapped by the language barrier and ignorance of local laws/regulations/procedures. Should I actually garner attention from the press, I may find myself unable to follow up on the matter efficiently and lose momentum.

That being said, feel free to copy/edit my message above and send it to whom it may concern -- you, or anyone else that comes across this. It may be a good idea to translate it into Danish first. For that I would recommend pasting it into Deepl and then proofreading the output to ensure the message carries across correctly.

pertel

octavian hi, I came across your post today, only a few days after I started writing a very similar sounding message, intended for digst.dk
I haven't finished it, but the intent was the exact same as yours.
I am a Danish citizen, so I am considering how to make some noise on this issue, that has bothered me for years now.
Perhaps I will start by translating your message \ paraphrasing and sending it like you did. Maybe I will find time to do something else, but I'm not sure what angle to take yet.
I am considering contacting the newly started https://digitaluafhaengighed.dk/ and see if they can amplify the message.
If I don't find the time, consider stealing the idea if some of you feel like it :)
Thanks for the solid writeup

KrystinaCezara

So just to clarify, is it possible to use MitID on GrapheneOS with a 'MitID codeviewer'?
It feels like such a stupid question, but its not clear to me after trying to read through the posts. Feels like ppl are focusing on the app, but to me a codeviewer is a perfectly fine solution.

lbschenkel

KrystinaCezara Yes, you can use the dongle. That's how I use it.

KrystinaCezara

lbschenkel Thanks for the quick reply! Great to hear, the inconvenience of the dongle seems minor, if it makes it possible to get the f away from stock android.

octavian

pertel
Apologies for the late reply, Pertel.

Thank you for trying. I only received a short reply from MitID@digst.dk a while ago:

Dear Octavian

Thank you for your suggestion. We always strive to make MitID a better eID solution, so we appreciate your feedback.

Your mail has been forwarded to relevant employees.

It doesn't seem like they care. I think you are all correct in the assessment that there is a lack consistency between so-called "digital sovereignty" efforts, and the reliance of the MitID system upon US big tech.

Most people are unbothered by the situation, so we are just a tiny minority that they can ignore without consequences. The current administration in general shows contempt for digital privacy and security, given that they have been spearheading the "Chat Control" legislation in the EU and are very keen on "protecting the children".

In the absence of public outcry and lack of interest from the relevant authorities, I have relegated myself to just using the "MitID code display" combined with a password for now.

Apathy

CutStandard8309 I just got a reply back, over a year later. No new information to add, basically another prepared statement like last time: "We're keeping an eye on alternative operating systems, and consider if they can be implemented into the MitID solution. You mention GrapheneOS as an alternative to Android and iOS. Our very high security requirements means that MitID can only be obtained from Apple App Store or Google Play Store. It is impossible for us to ensure that MitID works on all operating systems and browsers, so we only test on the most common operating systems, which is iOS and Android. However, a cellphone is not required for MitID, you can use a code reader if you prefer."

I wrote them back and informed them that:

GrapheneOS is Android based, so stating that they support Android is pretty contradictory.
That Google Play Integrity checking is not security, because old, unpatched devices still work without issues.
That hardware based attestation is more secure than Google Play Integrity, and also works on the Google version of Android.

Let's see what their reply will be in another year.

pertel

This will probably get the same type of response, but i wrote a message today regarding their plans for a new digital wallet app to prove your identity or age, that will only be distributed in the play store or app store. Sent in danish, translated with AI.

Hello,

I have read your memo on the new DKTB app. As it states, the app will only be available via the Apple App Store and Google Play—which requires citizens to create an Apple/Google account and accept their service terms.
I am very concerned about the consequences for citizens’ privacy and for Denmark’s goal of digital independence. At the same time, I see a practical opportunity to strengthen sovereignty without significant cost.

This is problematic for several reasons:

Citizens are forced to accept extensive and changing terms from foreign platforms in order to access Danish public services.

If Apple/Google change policies or remove an app, a large share of Danes could lose access to public services from one day to the next.

It deepens our dependence on U.S. tech giants. The government has just allocated DKK 80 million in the national budget to prioritize digital sovereignty. It makes little sense that brand-new public solutions are simultaneously limited to private, foreign distribution channels.

The parallel with MitID
MitID is distributed only via Apple/Google, and on Android it uses Google Play Integrity during activation. This excludes citizens who do not wish to accept Google’s terms, as well as security-oriented operating systems without Google Play Services, such as GrapheneOS.
There is also an independent and more secure method for this in the Android Open Source Project: Hardware Attestation. It meets the same need without requiring Google services.
Is Google Play Integrity also planned as a requirement for activating the DKTB app on Android?

To be clear, I am not suggesting that you remove your apps from these services; the issue is simply that no alternatives are offered. I struggle to see how this aligns with your ambitions for digital accessibility and protection of individual citizens’ privacy.

You could, in fact, achieve a great deal for little money—specifically:

Make Android apps that you develop or fund available as direct APK downloads via digst.dk (or a similarly trusted domain).

Use Android Hardware Attestation for security checks instead of Google Play Integrity where such checks are deemed necessary.

Require that software developed with your funding must not require an account with a private company in order to be activated or used.

hotdime5913

I ended up spending a little day making a ESP32-CAM project that presses the "MitID code viewer" button with a 9G servo, takes a image, uploads it to server, processes it and returns it to a secured progressive web app.

ESP32-CAM Project
Web App

If anyone are interested in the project files/source code, let me know.

It requires:
3D printer
ESP32-CAM
SG90 servo
1A USB adapter
A cheap VPS
A domain
Some time to setup

« Previous Page