I'm not sure exactly what you mean by virtualisation but as far as I'm aware emulators respect it. Depends on the kind of emulation I guess, I think there's pure software emu and device-based emulation (via a cloud service).
That sounds to me like doing client side security. Is that OS hook strong enough that you would want to protect that sort of PII behind? I expect to get round it with virtualisation for example.
And sure, it's client-side security. That's one of the problems with having something as ubiquitous as a vaguely-modern smartphone. They're something institutions have to cater for - increasingly for staff as much as students - and they're not like a workstation that can be managed centrally via IT. This makes them innately susceptible to attacks that traditional infosec just doesn't cover.
It's kind of an interesting field right now. There's so much iteration between generations of devices, APIs and so forth, that mistakes are basically guaranteed. It's not like how computers first came about where it was academia first, popular culture second. It's the other way around.
I'm trying not to derail the thread too much, but you don't understand the (concrete) use case I'm getting at. These cards often render barcodes that can be used to access facilities. A replacement of a physical service that most universities (and more institutions) provide.
A "digital ID card" that's just a picture isn't an appropriate method of confirming identity in the first place.
Yes, we can tangent the tangent into "is replacing said service a good idea" but that's a whole other discussion. The flag is important, and the flag has a valid use case.