EU age‑check app bypassed

A researcher demoed how the EU’s AgeVerification app can be tricked to bypass PINs, rate limits and biometric checks by editing shared_prefs files, and showed unencrypted selfies and NFC biometric images left on device storage. The proof‑of‑concept reportedly breaks protections in under two minutes and raises potential GDPR exposure for special‑category biometric data. The short video demo documents the attack path and exposed artifacts on the device. (x.com)

A security researcher said the European Union’s new age-check app can be bypassed in under two minutes by editing files stored on the phone. (cybernews.com)

The European Commission said on April 15 that its age-verification app was “technically ready” and would soon be available for citizens to use. The system is meant to let adults prove they are over 18 without revealing their exact age or identity to websites. (politico.eu)

The Commission’s age-verification blueprint was first published on July 14, 2025, and a second blueprint followed on October 10, 2025 with passport and identity-card onboarding. The Commission says the app is a bridge until European Digital Identity wallets arrive by the end of 2026. (digital-strategy.ec.europa.eu)

Age verification is a digital ID check for age-gated services such as pornography, gambling and alcohol sales. The Commission says its design should let someone prove “over 18” without exposing other personal data or allowing platforms to reconstruct what content a person viewed. (digital-strategy.ec.europa.eu)

The app is open source, which means its code is published for anyone to inspect, test and reuse. The Commission says member states can customize language and other details, but not the privacy-preserving features. (digital-strategy.ec.europa.eu)

The Android app’s public GitHub repository says it is part of the Age Verification Solution Toolbox and is forked from the European Digital Identity Android wallet reference application. The technical-specification repository says the project is designed for extension and deployment by member states and other actors. (github.com, github.com)

Cybernews reported on April 16 that consultant Paul Moore showed a proof of concept in which deleting or changing values in Android shared preferences let him reset the personal identification number, clear the rate-limit counter and switch biometric checks off with a boolean flag. Cybernews also reported that Moore said selfies and near-field communication biometric images were left unencrypted on device storage. (cybernews.com)

Those details matter because biometric data is a special category of personal data under the European Union’s General Data Protection Regulation, which carries stricter handling rules. The Commission has described the app as a privacy-preserving standard for age checks, so the next question is whether the published code, beta release and pilot testing lead to changes before national rollouts. (digital-strategy.ec.europa.eu, eur-lex.europa.eu)
