A security consultant recently demonstrated that the European Union's newly introduced age verification application can be completely bypassed in under two minutes. The app, designed to allow users to prove they are over 18 without unnecessarily handing over personal data, contains fundamental design and cryptographic flaws. Using nothing more than a basic file editor on an Android phone, it is possible for an attacker with local device access to hijack an existing user's identity credentials.
How the Authentication System Was Bypassed
During the standard setup process, users are prompted to create a six-digit PIN. The application encrypts this PIN and stores it locally in a configuration directory, specifically within the eudi-wallet.xml file located in the shared_prefs folder. The critical vulnerability lies in the fact that this encrypted PIN is not cryptographically tied to the identity vault that actually stores the sensitive verification data.
Because of this separation, the authentication system can be easily manipulated. An attacker simply needs to open the app's shared_prefs folder and delete the specific encryption values labeled "PinEnc" and "PinIV". Upon restarting the application, the system resets and prompts the user to enter a brand new PIN. The app accepts this new PIN while simultaneously granting full access to the original, valid 18+ digital credentials established under the previous profile.
Disabling Biometrics and Rate Limiting
Beyond the PIN bypass, the same editable configuration file controls several other critical security features. Rate limiting, which is traditionally used to prevent attackers from repeatedly guessing a PIN, is stored as a basic counter within this file. By manually resetting this counter to zero, an attacker can guess PINs indefinitely without triggering a lockout mechanism.
Furthermore, the application's biometric check is controlled by a single boolean value in the same file. Flipping that value lets an attacker skip facial or fingerprint recognition entirely. Barriers that look substantial can therefore be dismantled through elementary file editing, and the app is made to bypass its own access controls.
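The missing binding described in the two sections above can be made concrete. The Python model below is an added example, not code from the EUDI wallet or its repository: `WeakWallet` reproduces the reported design (PIN check and attempt counter in an editable preferences store, vault readable independently of the PIN), and `BoundWallet` shows the fix, in which the vault key exists only wrapped under a PIN-derived key and the counter and biometric flag are integrity-checked with a key that never lives in the file (assumed here to model a non-exportable Android Keystore key). The `prefs` dictionary standing in for shared_prefs, the sample credential, and the scrypt/HMAC/XOF construction (a stand-in for AES-GCM) are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample standing in for the stored 18+ attestation.
CREDENTIAL = b"constructed sample: age-over-18 attestation"
MAX_ATTEMPTS = 5


def _derive(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Slow KDF from the PIN -> (wrap_key, mac_key). Cost kept low for the example."""
    km = hashlib.scrypt(pin.encode(), salt=salt, n=2**12, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _stream(key: bytes, label: bytes, n: int) -> bytes:
    """XOF keystream; stands in for AES-GCM, which a real app would use."""
    return hashlib.shake_256(label + key).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WeakWallet:
    """Reported design: PIN check and counter sit in editable prefs and the vault
    is readable without anything derived from the PIN. Deleting the PIN material
    looks like a first run, and the old credential is released anyway."""

    def __init__(self, pin: str) -> None:
        self.prefs = {"pin_check": self._h(pin), "attempts": 0}  # pin_check stands in for PinEnc/PinIV
        self.vault = CREDENTIAL

    @staticmethod
    def _h(pin: str) -> str:
        return hashlib.sha256(pin.encode()).hexdigest()

    def unlock(self, pin: str) -> Optional[bytes]:
        if "pin_check" not in self.prefs:           # treated as first run: enrol the new PIN
            self.prefs.update(pin_check=self._h(pin), attempts=0)
            return self.vault
        if self.prefs["attempts"] >= MAX_ATTEMPTS:  # a counter anyone with file access can reset
            return None
        if hmac.compare_digest(self.prefs["pin_check"], self._h(pin)):
            self.prefs["attempts"] = 0
            return self.vault
        self.prefs["attempts"] += 1
        return None


class BoundWallet:
    """Hardened model: the vault key exists only wrapped under the PIN-derived key;
    counter and biometric flag are MAC'd with a key kept outside the prefs file."""

    def __init__(self, pin: str) -> None:
        self._keystore_key = secrets.token_bytes(32)  # assumption: non-exportable Keystore key
        self.salt = secrets.token_bytes(16)
        vault_key = secrets.token_bytes(32)
        wrap_key, mac_key = _derive(pin, self.salt)
        wrapped = _xor(vault_key, wrap_key)
        ct = _xor(CREDENTIAL, _stream(vault_key, b"vault", len(CREDENTIAL)))
        self.prefs = {"wrapped_key": wrapped,
                      "wrap_tag": hmac.new(mac_key, wrapped, "sha256").digest(),
                      "vault": ct,
                      "vault_tag": hmac.new(vault_key, ct, "sha256").digest()}
        self._write_state(attempts=0, biometric_done=False)

    def _write_state(self, **state) -> None:
        enc = json.dumps(state, sort_keys=True).encode()
        self.prefs["state"] = enc
        self.prefs["state_tag"] = hmac.new(self._keystore_key, enc, "sha256").digest()

    def _read_state(self) -> Optional[dict]:
        enc, tag = self.prefs.get("state"), self.prefs.get("state_tag")
        if enc is None or tag is None or not hmac.compare_digest(
                tag, hmac.new(self._keystore_key, enc, "sha256").digest()):
            return None  # edited or deleted: fail closed
        return json.loads(enc)

    def biometric_done(self) -> bool:
        state = self._read_state()
        return bool(state and state["biometric_done"])

    def wipe(self) -> None:
        """Re-enrolment path: the wrapped key goes too, so the old vault is unrecoverable."""
        self.prefs.clear()

    def unlock(self, pin: str) -> Optional[bytes]:
        state = self._read_state()
        wrapped, tag = self.prefs.get("wrapped_key"), self.prefs.get("wrap_tag")
        ct, vtag = self.prefs.get("vault"), self.prefs.get("vault_tag")
        if None in (state, wrapped, tag, ct, vtag):
            self.wipe()          # tampered or missing material: no "fresh PIN" over the old vault
            return None
        if state["attempts"] >= MAX_ATTEMPTS:
            return None
        wrap_key, mac_key = _derive(pin, self.salt)
        if not hmac.compare_digest(tag, hmac.new(mac_key, wrapped, "sha256").digest()):
            self._write_state(attempts=state["attempts"] + 1, biometric_done=False)
            return None          # wrong PIN: counter update is itself MAC'd
        vault_key = _xor(wrapped, wrap_key)
        if not hmac.compare_digest(vtag, hmac.new(vault_key, ct, "sha256").digest()):
            self.wipe()
            return None
        self._write_state(attempts=0, biometric_done=state["biometric_done"])
        return _xor(ct, _stream(vault_key, b"vault", len(ct)))
```

The design point is in `BoundWallet.unlock`: removing the PIN material no longer produces a first-run prompt with the old vault attached, because nothing but the correct PIN can unwrap the vault key, and an edited or deleted counter fails the MAC and forces re-enrolment instead of granting unlimited guesses. A slow KDF additionally makes offline guessing of a six-digit PIN expensive, but it does not replace the counter.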
Unencrypted Data Storage and Privacy Risks
The application was built to minimize data collection, with official documentation stating that no personal data is stored. However, analysis of the open-source code revealed that sensitive biometric data is handled insecurely.
- NFC Document Extraction: Facial images extracted from NFC-enabled identity documents are written directly to the device's disk as unencrypted, lossless PNG files.
- Selfie Retention: Selfie images utilized during the verification process are written to external storage and are not automatically deleted.
If the verification process is interrupted or fails, these unencrypted biometric images may remain permanently accessible on the device, significantly increasing the risk of unauthorized data exposure.
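The retention problem above is one of missing cleanup on failure paths rather than of missing features. The following Python snippet is an added example, not code from the wallet or its repository: a verification session that records every transient image it writes and removes all of them when the session ends, whether it ends by success, by an exception, or by an interrupted liveness check. The directory, file names and image bytes are constructed stand-ins; on Android the equivalent location would be the app's private files directory, never external storage, and the files would additionally be encrypted at rest.

```python
import os
import tempfile
from contextlib import contextmanager
from typing import List, Optional


@contextmanager
def verification_session(private_dir: str):
    """Yield a store() function; every file it wrote is removed on exit,
    regardless of how the enclosing block terminates."""
    created: List[str] = []

    def store(name: str, data: bytes) -> str:
        path = os.path.join(private_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        created.append(path)
        return path

    try:
        yield store
    finally:
        for path in created:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass  # already gone; nothing to leak


def run_verification(fail: bool, private_dir: Optional[str] = None) -> List[str]:
    """Simulate an NFC face read plus a selfie capture; return the files left behind.
    With fail=True the liveness step raises mid-session, the case the article describes."""
    private_dir = private_dir or tempfile.mkdtemp(prefix="verify_")
    try:
        with verification_session(private_dir) as store:
            store("nfc_face.png", b"constructed PNG bytes")   # constructed, not a real image
            store("selfie.jpg", b"constructed JPEG bytes")    # constructed, not a real image
            if fail:
                raise RuntimeError("liveness check interrupted")
    except RuntimeError:
        pass  # the app would surface an error here; the cleanup already ran
    return sorted(os.listdir(private_dir))
```

The `finally` clause is the whole point: cleanup bound to the session's lifetime cannot be skipped by an early return, a crash in the matching step, or the user backing out, which is exactly where files written ad hoc and deleted "later" end up staying on disk.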
Official Endorsements vs. Development Reality
The demonstration of these vulnerabilities occurred shortly after European Commission officials praised the application. The app was publicly described as being "technically ready" and operating in alignment with high privacy standards.
Despite these high-profile endorsements, the underlying code repository on GitHub labels the software as an early development version. The official documentation explicitly warns that the initial release features reduced security, privacy, and reliability standards compared to final builds, and strongly advises against deploying this version in a live production environment.

