Breaking ECDSA with Electromagnetic Side-Channel Attacks: Challenges and Practicality on Modern Smartphones

📅 2025-12-08
🤖 AI Summary
This work systematically evaluates the vulnerability of modern smartphones—equipped with advanced SoCs (sub-10 nm process, heterogeneous cores, >2 GHz clock speeds) since 2019—to electromagnetic side-channel attacks (EM-SCA) during ECDSA signing. We propose a novel EM-SCA methodology tailored to complex SoC architectures and integrate it with the Nonce@Once attack paradigm. Our empirical evaluation successfully recovers ECDSA private keys from OpenSSL and libgcrypt implementations on Raspberry Pi 4 and Fairphone 4. Results demonstrate that purely software-based cryptographic implementations on general-purpose processors remain fundamentally insecure against physical side-channel threats—particularly critical in high-assurance applications such as electronic identity (e.g., EUDI Wallet). Key contributions include: (1) establishing a realistic EM-SCA threat model for contemporary mobile platforms; (2) empirically validating the practical exploitability of widely deployed cryptographic libraries; and (3) substantiating the necessity and urgency of hardware-isolated secure elements (SEs) at the endpoint layer for robust authentication security.

📝 Abstract
Smartphones handle sensitive tasks such as messaging and payment and may soon support critical electronic identification through initiatives such as the European Digital Identity (EUDI) wallet, currently under development. Yet the susceptibility of modern smartphones to physical side-channel analysis (SCA) is underexplored, with recent work limited to pre-2019 hardware. Since then, smartphone system-on-chip (SoC) platforms have grown more complex, with heterogeneous processor clusters, sub-10 nm nodes, and frequencies over 2 GHz, potentially complicating SCA. In this paper, we assess the feasibility of electromagnetic (EM) SCA on a Raspberry Pi 4, featuring a Broadcom BCM2711 SoC, and a Fairphone 4, featuring a Snapdragon 750G 5G SoC. Using new attack methodologies tailored to modern SoCs, we recover ECDSA secrets from OpenSSL by mounting the Nonce@Once attack of Alam et al. (Euro S&P 2021) and show that the libgcrypt countermeasure does not fully mitigate it. We present case studies illustrating how hardware and software stacks impact EM SCA feasibility. Motivated by use cases such as the EUDI wallet, we survey Android cryptographic implementations and define representative threat models to assess the attack. Our findings show weaknesses in ECDSA software implementations and underscore the need for independently certified secure elements (SEs) in all smartphones.

Problem

Research questions and friction points this paper is trying to address.

Assess electromagnetic side-channel attack feasibility on modern smartphones
Recover ECDSA secrets using new methodologies tailored to modern SoCs
Identify weaknesses in ECDSA implementations and need for secure elements
Innovation

Methods, ideas, or system contributions that make the work stand out.

Electromagnetic side-channel attacks on modern smartphone SoCs
Nonce@Once attack on ECDSA in OpenSSL and libgcrypt
Hardware and software stack analysis for vulnerability assessment
🔎 Similar Papers
Felix Oberhansl
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany
Marc Schink
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany; Technical University of Munich (TUM), Munich, Germany
Nisha Jacob Kabakci
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany
Michael Gruber
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany
Dominik Klein
German Federal Office for Information Security (BSI), Bonn, Germany
Sven Freud
German Federal Office for Information Security (BSI), Bonn, Germany
Tobias Damm
Professor for Systems and Control Theory, RPTU Kaiserslautern-Landau, Germany
Michael Hartmeier
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany
Ivan Gavrilan
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany; Technical University of Munich (TUM), Munich, Germany
Silvan Streit
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany; Technical University of Munich (TUM), Munich, Germany
Jonas Stappenbeck
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany
Andreas Seelos Zankl
Fraunhofer Institute for Applied and Integrated Security (AISEC), Garching, Germany; Technical University of Munich (TUM), Munich, Germany