Privacy News Brussels launched an age checking app. Takes 2 minutes to break it.

ZeroStrawberries

Mar 7, 2020
Cyber experts say they have found holes in Brussels’ age verification app, despite claims by the EU executive that it is “technically ready.”

BRUSSELS — The European Union’s unveiling of a mobile app to check people’s age online has quickly turned sour, as cybersecurity experts found glaring privacy and security problems with the code.
European Commission President Ursula von der Leyen presented the age-verification tool in Brussels on Wednesday, saying it was "technically ready" and will soon be available to use as countries move to ban kids from social media.
"It is fully open source. Everyone can check the code," von der Leyen said.

Cyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app's design.

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes (his post includes a video showing the process).

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.
Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
The European Commission on Friday stood by its statement that the app is technically ready. "Yes, it is ready. Maybe we can add, 'and it can always be improved'," Chief Spokesperson Paula Pinho told reporters.

The app allows users to verify their age via their passport, a national ID or via trusted providers like a bank. Tech platforms can ask the app if a person is over a certain age, but wouldn’t have access to more personal data — in what’s known as a “zero-knowledge proof” method aimed at preserving privacy.

From Pirat_Nation on X (Twitter):
Security researcher Paul Moore has demonstrated how the EU age verification app can be compromised in under 2 minutes with nothing more than physical access to a device.
By editing the app’s shared preferences file an attacker can remove the encrypted PIN values, reset the rate limiting counter to zero, and disable biometric requirements entirely.
The app then accepts a new PIN and grants access to the existing age verification credentials.
His earlier analysis of the open source code also revealed that the app stores NFC biometric facial data and user selfies as unencrypted lossless PNG files on the device.
Deletion is incomplete, leaving the images at risk even after processing.
 
That is a serious set of claims, but it is important to separate reported findings from independently confirmed facts.

Based on what you posted, the main issue is local device security, not necessarily a break of the underlying age-checking cryptography itself.

What the reported issues appear to mean

  • If the claims are accurate, someone with physical access to the phone may be able to tamper with local app data.
  • That could let another person reuse an already-issued “over 18” status on that device.
  • Storing sensitive images or identity-related data unencrypted on-device would also be a major privacy flaw.
  • Incomplete deletion of those files would make the privacy risk worse.

What this does not automatically prove

  • It does not automatically mean the zero-knowledge proof concept itself is broken.
  • It does not automatically mean the app is remotely exploitable.
  • It does not automatically mean every released build is vulnerable in exactly the same way, unless the tested build and configuration are clearly identified.

Why this matters anyway

Even if the core cryptographic design is sound, poor client-side implementation can still undermine the whole trust model.

For an age-verification app, that is a big problem because the security goal is not only privacy, but also binding the verified status to the right person and device controls. If biometric checks, PIN protection, or local credential storage can be bypassed, then the practical value of the app is weakened.

Important nuance

A lot depends on the exact attack conditions:

  • Was the phone already unlocked?
  • Did the attacker need developer/debug access?
  • Was root, ADB, or backup extraction required?
  • Was this tested on a production build or a development configuration?
  • Were mitigations from Android keystore or hardware-backed storage actually enabled?

Those details matter because “hackable in 2 minutes” can sound more dramatic than the real-world threat model. A physical access attack on an unlocked device is still important, but it is different from a remote compromise.

If the reports are accurate, the likely weaknesses are:

  • Improper protection of local secrets or app state
  • Trusting editable shared preferences for security decisions
  • Weak enforcement of biometric/PIN gating
  • Unsafe storage of sensitive images
  • Poor secure deletion handling

Bottom line

If those code findings and demonstrations are genuine, then the criticism is justified: the app may be “technically ready” in the sense that it runs, but that is not the same as being security-ready or privacy-ready.

The safest conclusion for now is that the app should be treated as under active scrutiny, not fully trusted by default, until the Commission or independent reviewers publish a clear technical response, fixes, and threat-model clarification.

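To make the "trusting editable shared preferences" and "weak biometric/PIN gating" points concrete, here is an added Android example in Kotlin. It is not code from the EU app or from any post in this thread; the class names (`WeakGate`, `AgeCredentialStore`), the key alias `age_credential_key` and the preference keys are assumptions made for illustration. The first class shows the pattern Pirat_Nation's summary describes: the gate is a flag, a PIN hash and a failure counter in a plain preferences file, so whoever can edit that file decides whether the gate is on. The second keeps the issued credential encrypted under a key that lives only in the Android Keystore and is marked as requiring user authentication for every use, so editing app files cannot switch the check off and lockout is enforced by the OS rather than by a counter the app stores itself.

```kotlin
// Added example (not the EU app's code). Assumed names: WeakGate, AgeCredentialStore,
// key alias "age_credential_key", preference keys "pin_hash", "biometric_required",
// "pin_failures", "cred", "cred_iv".
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// WEAK: every input to the decision comes from a file in the app's private storage.
// A missing PIN hash is treated as "no PIN set", the biometric requirement is a boolean,
// and the rate limit is an integer; all three can be rewritten by anyone who can edit the file.
class WeakGate(ctx: Context) {
    private val prefs = ctx.getSharedPreferences("age_app", Context.MODE_PRIVATE)

    fun isUnlockAllowed(enteredPinHash: String, biometricPassed: Boolean): Boolean {
        if (prefs.getInt("pin_failures", 0) >= 5) return false
        if (prefs.getBoolean("biometric_required", true) && !biometricPassed) return false
        val stored = prefs.getString("pin_hash", null)
        return stored == null || stored == enteredPinHash
    }
}

// HARDENED: the credential bytes are stored only as AES-GCM ciphertext. The key never leaves
// the keystore (hardware-backed where the device supports it) and is usable only inside a
// BiometricPrompt operation, so there is no flag in a file that could be flipped to skip the check.
class AgeCredentialStore(ctx: Context) {
    private val alias = "age_credential_key"
    private val prefs = ctx.getSharedPreferences("age_app", Context.MODE_PRIVATE)

    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(alias, null) as? SecretKey)?.let { return it }
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        gen.init(
            KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)        // default: fresh strong biometric per use
                .setInvalidatedByBiometricEnrollment(true)  // newly enrolled biometrics cannot reuse the key
                .build()
        )
        return gen.generateKey()
    }

    // Store the credential the issuer returned; the keystore chooses a random IV for GCM.
    fun save(activity: FragmentActivity, credential: ByteArray, onDone: (Boolean) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
        authenticate(activity, cipher) { c ->
            prefs.edit()
                .putString("cred_iv", Base64.encodeToString(c.iv, Base64.NO_WRAP))
                .putString("cred", Base64.encodeToString(c.doFinal(credential), Base64.NO_WRAP))
                .apply()
            onDone(true)
        }
    }

    // Release the plaintext credential only after the OS has confirmed the user; an edited
    // or deleted ciphertext fails closed (null) instead of granting access.
    fun proveAge(activity: FragmentActivity, onCredential: (ByteArray?) -> Unit) {
        val iv = prefs.getString("cred_iv", null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        val ct = prefs.getString("cred", null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        if (iv == null || ct == null) { onCredential(null); return }
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, iv))
        authenticate(activity, cipher) { c ->
            onCredential(runCatching { c.doFinal(ct) }.getOrNull()) // tag mismatch -> null
        }
    }

    private fun authenticate(activity: FragmentActivity, cipher: Cipher, onSuccess: (Cipher) -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                result.cryptoObject?.cipher?.let(onSuccess)
            }
        }
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm it is you")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Usage is `AgeCredentialStore(context).proveAge(activity) { cred -> /* present cred to the verifier, or refuse if null */ }`. Two points worth noting for reviewers of any app in this category: with a per-use authentication key, the "unlocked phone handed to a nephew" scenario quoted in the article still requires the owner's biometric at the moment of use, and if the key is removed or invalidated (for example by a biometric re-enrolment) `cipher.init` throws `KeyPermanentlyInvalidatedException`, which a real app should catch and treat as "re-verify with the issuer", never as "let the user in". Repeated biometric failures are throttled by the platform, so the app needs no failure counter of its own in a file.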
Reading the news, I think it's important to distinguish between two things. On one hand, it doesn't seem like the app can be 'hacked' remotely; the flaw happens if someone has physical access to the phone and manipulates it directly. In the end, with physical access, almost any system can be bypassed.

What is truly concerning, though, is how sensitive data is handled. If photos or biometric info are stored without proper protection or aren't deleted correctly, that’s a serious privacy risk for the user. It looks more like a sloppy development issue than a flaw in the age verification concept itself. 🔐 📱
 
