Back to Work
Case StudySarawak State Government

How a specialist team built the digital identity
engine inside SarawakPass

A team of seven engineers. One proprietary Digital Wallet SDK. The identity layer for 2.9 million Sarawakians. As a core team member of the project, here's what the team built, how it was built, and why every technical decision mattered.

The brief

SarawakPass (formerly SarawakID) is the Sarawak State Government's official digital identity platform. It gives every Sarawakian a trusted, unified digital identity to access government services online. The State Service Modernisation Unit, under the Chief Minister's Department, needed a mobile application that could serve as a national digital ID wallet — handling identity verification, credential storage, and seamless authentication across every government service in the state.

The main contractor managing the overall SarawakPass project needed a specialist vendor for the most technically demanding piece: the digital identity layer. That's where the specialist vendor team came in—and I was one of the core engineers on that team.

The specialist team's role

The specialist vendor team—which I was a core member of—focused on three areas that form the proprietary offering:

  • Digital Identityverifiable credentials, identity verification flows, and self-sovereign identity infrastructure
  • IAM (Identity and Access Management)single sign-on, authentication protocols, and credential lifecycle management
  • Digital Wallet SDKa hardened, OWASP MASVS-compliant mobile SDK that powers the wallet experience on iOS and Android

The team: seven people. Two iOS engineers. Two Android engineers. Two backend engineers specialising in digital identity. One technical lead. We built the full package — SDK, backend identity services, and a standalone validator application — and delivered it as proprietary IP to the main contractor for integration into SarawakPass.

The architecture

SarawakPass follows the EUDI Wallet architecture pattern, aligned with eIDAS 2.0 — the European regulation that sets the standard for electronic identification and trust services. While Sarawak is in Malaysia, not Europe, eIDAS 2.0 represents the most rigorous and well-defined framework for national digital identity wallets globally. Building against this standard means SarawakPass's identity layer meets the same trust level required of European Union digital identity wallets.

At a high level, the system has three layers:

Holder App

SarawakPass mobile app — stores credentials, presents them to verifiers, manages the user's digital wallet

Issuer Backend

Government systems that issue signed verifiable credentials (e.g. "this person is a verified Sarawak citizen")

Validator App

A standalone verifier application that checks credential authenticity — online or offline

The SDK sits inside the Holder App. The backend handles issuance and verification. The Validator App is a standalone product that any verifier (a government officer, a service desk, a border checkpoint) can use to confirm a citizen's credentials.

Verifiable credentials

The core of what the team built is a verifiable credentials system. Here's what that means in practice.

When a citizen completes eKYC (electronic Know Your Customer) — scanning their Malaysian IC and verifying their face — the government issuer signs a digital credential asserting something about that person. For example: "This person holds a valid Sarawak digital identity." That credential is cryptographically signed and stored in the user's wallet.

When the citizen needs to prove who they are — at a government counter, at a service desk, at a border checkpoint — they present that credential. The verifier checks the cryptographic signature, not a database lookup. This is self-sovereign identity in action: the user holds their own credentials, and verification happens without calling home to a central server.

The team implemented this using SD-JWT-KB (Selective Disclosure JSON Web Token with Key Binding). Here's why that matters:

  • Selective Disclosure (SD)the user can prove they're over 18 without revealing their exact date of birth. They can prove they're a Sarawak resident without revealing their full address. Each attribute in the credential can be disclosed independently.
  • Key Binding (KB)the credential is bound to the device's cryptographic key. Even if someone copies the token, they can't use it because they don't hold the private key. The presentation proof requires signing with the device's key, proving the presenter is the legitimate holder.
  • JOSE (JSON Object Signing and Encryption)the underlying format for encoding, signing, and optionally encrypting the credential data. The team used JWS (JSON Web Signature) for integrity and JWE (JSON Web Encryption) where confidentiality is required.

Cryptographic foundation

Every credential starts with a key pair. On iOS, the team generated the key pair inside the Secure Enclave — a dedicated hardware component that stores private keys in a way that makes them physically impossible to extract, even with physical access to the device. On Android, the equivalent hardware-backed keystore was used.

The flow works like this:

  1. 01Generate key paircreated inside the Secure Enclave / hardware keystore. The private key never leaves the hardware. The public key is exported.
  2. 02Generate CSR (Certificate Signing Request)the app creates a CSR containing the public key and sends it to the identity backend.
  3. 03Backend validates and signsthe identity backend verifies the user's eKYC data, then issues a verifiable credential signed with the government issuer's private key.
  4. 04Store credential locallythe signed credential is stored on-device in encrypted local storage. No cloud dependency. The user's credentials work offline.
  5. 05Present and verifywhen the user presents the credential to a verifier, the app signs the presentation with the Secure Enclave key (key binding). The verifier checks the issuer's signature against the government's public key.

This is standard PKI (Public Key Infrastructure), applied to identity. The government issuer acts as the root of trust. Every credential is traceable back to that root through a chain of cryptographic signatures.

Offline verification

Sarawak is the largest state in Malaysia. Much of it is rural, with limited or no internet connectivity. If digital identity only works online, it fails the people who need it most.

The system was designed so that verification works without any network connection. Here's how:

  • Local credential storageall verifiable credentials are stored encrypted on-device. When the user opens their wallet, everything is there. No loading spinner waiting for a server.
  • BLE proximity transferwhen a citizen needs to prove their identity to a verifier (e.g. a government officer in a rural area), both devices communicate over Bluetooth Low Energy. The citizen's app sends the credential and a fresh presentation proof. The validator app verifies it locally using the cached issuer public keys. No internet required on either side.
  • Proprietary proximity data sharingtwo engineers on the team built the BLE data transfer protocol entirely in-house. This is a proprietary proximity sharing implementation — not an off-the-shelf library. Every packet transmitted over BLE is wrapped in an SD-JWT-KB presentation, which means even if an attacker intercepts the Bluetooth signal, they cannot modify or hijack the data. The key binding proof ties the presentation to the holder's device key, making man-in-the-middle attacks cryptographically detectable. Without the legitimate device's private key, intercepted data is useless.
  • Sign digest verificationthe presentation includes a cryptographic signature (a digest) that the validator checks against the credential. If the signature is valid and the credential hasn't expired, the identity is confirmed.

This means a government officer standing in a longhouse in the interior of Sarawak can verify a citizen's identity using nothing more than two phones and Bluetooth.

SDK hardening

A digital identity wallet is a high-value target. If an attacker can extract credentials, bypass authentication, or tamper with the app, the entire trust model collapses. The SDK was built to OWASP MASVS (Mobile Application Security Verification Standard) — the industry-standard framework for mobile app security.

The SDK includes these runtime protections:

Jailbreak / Root Detection

Detects if the device has been jailbroken (iOS) or rooted (Android). A compromised operating system means an attacker can access areas normally restricted. The SDK flags this and restricts credential operations.

Anti-Tampering

Detects if the app's binary has been modified. Attackers sometimes patch the app to bypass checks or extract logic. The SDK verifies its own integrity at runtime using checksums and signature validation.

Anti-Reverse Engineering

Detects tools like Frida, Cycript, and debuggers that attackers use to inspect the app's internals. The SDK obfuscates critical code paths and monitors for instrumentation frameworks.

Proxy Detection

Detects man-in-the-middle proxy tools (Burp Suite, Charles Proxy, mitmproxy) that could intercept network traffic. Even though all traffic is TLS-encrypted, proxy detection adds a layer of defence against certificate pinning bypasses.

Runtime Hook Detection

Detects dynamic code injection and method hooking at runtime. Attackers use hooks to redirect function calls — for example, making the app think face verification succeeded when it didn't. The SDK monitors for these modifications.

These protections don't exist in isolation. They run continuously, not just at launch. If any check fails, the SDK escalates — from warning the user to refusing credential operations entirely, depending on severity.

The validator app

Alongside the SDK, a standalone validator application was built. This is the tool that government officers, service desk staff, and other verifiers use to check a citizen's credentials.

The validator does three things:

  1. 01Receiveaccepts a credential from the holder app via QR code scan or BLE proximity transfer.
  2. 02Verifychecks the issuer's cryptographic signature, confirms the credential hasn't been tampered with, validates the key binding proof (confirming the presenter holds the legitimate private key).
  3. 03Displayshows the verified identity attributes to the verifier, with clear indication of which attributes were selectively disclosed.

The validator works fully offline. It caches the government issuer's public keys, so it can verify credentials anywhere — at a border checkpoint, in a rural clinic, at a government counter during a network outage.

Single sign-on and ecosystem

SarawakPass isn't just a wallet — it's the identity backbone for the state's entire digital government ecosystem. Citizens use it to sign into multiple government services with one tap:

ServiceWhat it does
S PAY GLOBALDigital payments and cashless transactions
Service SarawakGovernment services portal
Sarawak Gov AppOfficial government app hub
Sarawak Smart CitySmart city monitoring
eBookingGovernment facility bookings
mobile LASISLand survey information system
SCHBSenior Citizen Health Benefit

The SSO implementation means citizens authenticate once with SarawakPass (face login, QR code, or PIN) and seamlessly access all integrated services without logging in again. The SDK handles token exchange, session management, and secure credential presentation across every connected app.

What was delivered

The deliverable to the main contractor was a complete, self-contained package:

  • Digital Wallet SDKiOS and Android libraries for credential storage, presentation, and verification, with full OWASP MASVS security hardening
  • Verifiable Credentials EngineSD-JWT-KB issuance, selective disclosure, key binding, and signature verification — online and offline
  • Validator Appstandalone verifier application for government officers and service desks, with BLE and QR code credential acceptance
  • Identity Backendissuer services, key management, CSR processing, and credential lifecycle management
  • Secure Enclave Integrationhardware-backed key pair generation and CSR creation on iOS and Android
  • SDK Security Suitejailbreak detection, anti-tampering, anti-reverse engineering, proxy detection, and runtime hook detection

All of this is proprietary intellectual property — licensed to the main contractor as part of the SarawakPass ecosystem.

The team

Seven people built this. Two iOS engineers. Two Android engineers. Two backend engineers focused on digital identity infrastructure. One technical lead.

The team worked as a specialist unit within a larger project delivery. The main contractor handled the overall SarawakPass application — the UI, the eKYC flows, the government integrations. The specialist team focused on the identity layer, the SDK, and the security that makes the whole thing trustworthy.

Why this matters

2.9 million Sarawakians. Government services that range from digital payments to land surveys to healthcare benefits. An environment where internet connectivity is not guaranteed. And a threat model that includes state-level actors, organised fraud, and physical device compromise.

Building a digital identity system for this context is not the same as adding "Sign in with Apple" to a consumer app. Every cryptographic decision, every offline fallback, every SDK hardening measure exists because the system has to work for a real person standing in front of a real government officer, possibly with no internet, possibly on a compromised device — and still deliver a trustworthy result.

That's what the team built. That's what SarawakPass runs on every day.