swiyu wallet: security and freedom of choice for Android users
The swiyu wallet is a central component of the trust infrastructure. It can be used to apply for, store and present the e-ID on a smartphone. To ensure the security of the issuance process and the secure storage of the e-ID, not only must the wallet be secure, but also the operating system and hardware of the smartphone on which the swiyu wallet is installed. At the same time, users should be granted as much freedom as possible (choice of device, operating system and distribution channel for apps). In addition, as the operator of the trust infrastructure, the federal government wants to remain as independent as possible in order to maintain and strengthen its digital sovereignty. The following questions arise in connection with these requirements:
- On which smartphones can the swiyu wallet be installed?
- With which operating systems can the swiyu wallet be used?
- Through which distribution channels (app stores) can the swiyu wallet be obtained?
- Is the swiyu wallet used actually the one published by the Swiss Confederation?
In Switzerland, only apps that are available in the App Store for the corresponding operating system (iOS) can be installed on Apple smartphones (iPhones).
Android smartphones offer greater freedom: there are different device manufacturers, different versions of the Android operating system and, in addition to Google's Play Store, alternative mechanisms for obtaining apps. The original plan was to offer the swiyu wallet only via the Google Play Store and to use the Play Integrity service provided by Google. Play Integrity is a service that, among other things, confirms that the app is the original version from the Play Store. However, this mechanism can be viewed critically from various perspectives:
- Data protection: Additional data may be collected when using the service.
- Digital sovereignty: The federal government is dependent on the corresponding service.
- Freedom of choice: The wallet cannot be installed on operating systems or by users who do not use Play services.
Detailed analyses have shown that the following precautions can be taken to ensure that the swiyu wallet runs on a trusted Android device without using Play Integrity:
- To prevent changes to the operating system, the bootloader must be locked, and the verified boot state must be either verified (signed with the manufacturer's key) or self-signed with a key whose fingerprint is trusted.
- To ensure that the operating system is considered secure and trustworthy, the version of the operating system and its patch level must meet minimum security requirements.
- The hardware key attestation must be valid (neither the attestation key nor the root key may be revoked). This ensures that the device properties (bootloader status, OS version, etc.) have been confirmed by hardware that is considered secure. The same mechanism is used to ensure that the e-ID is bound to a hardware-based key.
- The signature of the Android Package Kit (APK) used must match the version provided by the federal government. This ensures that the software used has actually been provided by the Swiss Confederation and has not been modified.
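The four checks above, written out as an added policy evaluator (not swiyu code): it assumes the attestation extension has already been decoded into the fields shown, that revoked certificate serials come from a published status list, and that all digests and version numbers are constructed placeholders.

```python
"""Device policy over decoded Android Key Attestation facts (added example, assumed fields)."""
from __future__ import annotations
from dataclasses import dataclass

# VerifiedBootState values as defined in the Android key attestation schema.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3


@dataclass(frozen=True)
class AttestationFacts:
    """Assumed to be decoded from the attestation extension of the device certificate."""
    device_locked: bool
    verified_boot_state: int
    verified_boot_key_sha256: str        # hex fingerprint of the boot key (RootOfTrust)
    os_version: int                      # AABBCC, e.g. 140000 for Android 14.0.0
    os_patch_level: int                  # YYYYMM, e.g. 202503
    chain_serials: tuple[str, ...]       # serials of every cert in the attestation chain
    apk_signer_sha256: str               # signing-cert digest from attestationApplicationId


@dataclass(frozen=True)
class Policy:
    min_os_version: int
    min_patch_level: int
    trusted_boot_key_sha256: frozenset[str]   # fingerprints of accepted self-signed boot keys
    revoked_serials: frozenset[str]           # from the attestation status list (assumed source)
    expected_apk_signer_sha256: frozenset[str]  # digest(s) of the Confederation's signing cert


def evaluate(facts: AttestationFacts, policy: Policy) -> list[str]:
    """Return an empty list when the device passes, otherwise one reason per failed check."""
    failures: list[str] = []
    if not facts.device_locked:
        failures.append("bootloader unlocked")
    if facts.verified_boot_state == SELF_SIGNED:
        if facts.verified_boot_key_sha256 not in policy.trusted_boot_key_sha256:
            failures.append("self-signed boot key fingerprint not trusted")
    elif facts.verified_boot_state != VERIFIED:
        failures.append("verified boot state not verified")
    if facts.os_version < policy.min_os_version:
        failures.append("OS version below minimum")
    if facts.os_patch_level < policy.min_patch_level:
        failures.append("OS patch level below minimum")
    if set(facts.chain_serials) & policy.revoked_serials:
        failures.append("attestation chain contains a revoked certificate")
    if facts.apk_signer_sha256 not in policy.expected_apk_signer_sha256:
        failures.append("APK signing certificate does not match published wallet")
    return failures


# Constructed sample values: placeholder digests and serials, not real ones.
POLICY = Policy(130000, 202501, frozenset({"aa" * 32}), frozenset({"0badc0de"}), frozenset({"ee" * 32}))
STOCK_OK = AttestationFacts(True, VERIFIED, "11" * 32, 140000, 202503, ("1a2b", "3c4d"), "ee" * 32)
CUSTOM_OS_OK = AttestationFacts(True, SELF_SIGNED, "aa" * 32, 140000, 202503, ("1a2b",), "ee" * 32)
UNLOCKED_BAD = AttestationFacts(False, UNVERIFIED, "bb" * 32, 120000, 202212, ("0badc0de",), "ff" * 32)
```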
To enable the app to be downloaded without using the Play Store, the swiyu wallet for Android users will also be available as an APK on an alternative distribution channel in addition to the Google Play Store.
Further details on these topics will be published on GitHub. The aim is to implement the approach described above on the Public Beta before the launch of the productive e-ID, so that there is sufficient time for testing and validation. Further discussions are welcome on GitHub: https://github.com/swiyu-admin-ch.
