Learned Lessons from Implementing an Android Client for the Cloud Signature Consortium API

2020 
Advanced electronic signatures are the main security mechanism used for assuring authentication, integrity and non-repudiation of electronic documents. Digitization on a large scale requires secure and flexible electronic signature systems. In the E.U., the use of remote qualified electronic signatures has considerably increased after the adoption of Regulation (EU) No 910/2014 (“eIDAS”). Thanks to the new legislative measures, owning a physical device to create a qualified electronic signature is no longer mandatory, so the user experience has been considerably improved. However, the full potential of remote qualified electronic signatures has not been reached yet. Our work supports the adoption of the remote digital signature in various fields by implementing an Android application that can apply qualified electronic signatures. To assure interoperability, the client-server communication follows a standard protocol: the Cloud Signature Consortium API. The main advantage of our approach is that the Android application is able to sign using certificates issued by different Trust Service Providers. This paper analyzes the current situation and presents the main challenges encountered when designing and developing a digital signature application that uses remote qualified digital certificates, as well as the lessons learned, which could be of tremendous help to others working in this field.