EU Age App: Hacked in 2 Minutes

EU Age Verification App Hacked in Under 2 Minutes: A Major Security Wake-Up Call

The European Union's ambitious digital identity wallet, designed for mandatory age verification, has been exposed as highly vulnerable. Security researcher Paul Moore demonstrated a bypass in less than two minutes, raising serious doubts about its readiness to protect user privacy and data.

What Is the EU Age Verification App?

The EU digital identity wallet is an upcoming app aimed at providing secure age checks across Europe. It uses biometric facial scans, NFC data, and selfies to verify users' ages, positioning itself as a tool to safeguard minors online. Currently available as an open-source demo, it is not yet intended for full production deployment.

How the Hack Was Performed

Paul Moore, a skilled security researcher, gained physical access to a test device and compromised the app rapidly. By editing the app's shared preferences file, he removed encrypted PIN values, reset the rate limiting counter, and disabled biometric requirements entirely. The app then accepted a new PIN, granting full access to existing age verification credentials.

• Time required: Less than 2 minutes.
• Method: Simple file editing with physical device access.
• Outcome: Complete bypass of security measures, including biometrics.

Exposed Vulnerabilities and Risks

Beyond the quick bypass, analysis of the open-source code revealed deeper flaws. The app stores sensitive NFC data, biometric facial scans, and user selfies insecurely. These exposures could lead to identity theft or unauthorized access to verified age credentials. Critics note the app's design assumes non-rooted devices, yet it remains susceptible even in controlled environments.

Researchers highlight that such weaknesses undermine the app's core purpose of protecting children online, as attackers could exploit it to fake age verification.

Implications for EU Digital Identity Plans

This incident occurs as the EU pushes forward with broader digital identity initiatives. The demo version's flaws suggest significant work remains before widespread rollout. While intended to enhance online safety, the hack demonstrates how easily protections can fail, potentially eroding public trust in government-backed tech solutions.

Conclusion

The swift hack of the EU age verification app underscores the challenges in building secure biometric systems. As developers address these issues, users should remain cautious about sharing sensitive data.

In summary, Paul Moore's demonstration proves that even well-intentioned apps need rigorous security testing. Stronger safeguards are essential before mandating such technology across Europe.