
The European Commission has unveiled its official age-verification app, presenting it as a privacy-preserving, open-source solution to protect minors online.
Within hours of its release, however, security researchers reported critical flaws that could expose biometric data and allow users to bypass verification entirely.
European Commission President Ursula von der Leyen announced the app on April 15, claiming it meets “the highest privacy standards,” alongside ease of use, cross-device support, and full transparency. The app is intended to let users prove they are over 18 without revealing their identity, supporting enforcement efforts under the Digital Services Act (DSA).
Official documentation emphasizes data minimization and explicitly states that no personal data is stored. The Android version is distributed as a precompiled APK via GitHub for testing, while iOS users must build the app manually. During onboarding, users set a PIN, optionally enable biometric authentication, and obtain a “proof of age attestation” through a mock identity provider.
The system is designed to act as a privacy-preserving intermediary between users and online services, allowing platforms to verify age without directly handling identity documents.
Security and privacy issues abound
Shortly after the source code was published, security analyst Paul Moore identified multiple privacy and security issues. While the app encrypts derived data, such as an “over 18” flag, using AES-GCM, it does not properly protect the original biometric inputs.
Moore also found that facial images extracted from NFC-enabled identity documents (DG2 data) are written to disk as unencrypted PNG files and only deleted if verification completes successfully. If the process fails or is interrupted, the images may remain on the device. More concerningly, selfie images used for verification are written to external storage and are never deleted, resulting in long-term storage of sensitive biometric data.
These findings appear to contradict the app’s claim that no personal data is stored and may raise compliance concerns under the GDPR, which classifies biometric data as highly sensitive.
The researcher also demonstrated an authentication weakness where the app stores an encrypted PIN in a shared preferences file, but it is not cryptographically tied to the stored credentials. By deleting specific values from this file, an attacker can reset the PIN while retaining access to existing attestations.
Additional issues include a rate-limiting mechanism that can be reset by modifying a counter in the same file, and a biometric authentication flag stored as a simple boolean that can be toggled to bypass checks.
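As an added illustration (not the Commission app's code and not from Moore's write-up), the following Python shows the defensive pattern that closes the class of weakness described above: the preferences record that holds the PIN verifier, the failed-attempt counter and the biometric flag is tagged under a device-bound key, so deleting the PIN entry, zeroing the counter or toggling the flag in the file invalidates the whole record instead of silently taking effect. `DEVICE_KEY`, the record layout and the lockout threshold are assumptions; a real Android build would hold the key in hardware-backed Keystore rather than in process memory.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a per-device key that a real app would keep in
# hardware-backed storage (assumption); it never leaves the device.
DEVICE_KEY = secrets.token_bytes(32)
MAX_ATTEMPTS = 5  # assumed lockout threshold


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Slow PIN-to-key derivation so an offline guess against the verifier is costly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def seal(record: dict) -> dict:
    """Serialise the preferences record and tag it with an HMAC under the device key."""
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(DEVICE_KEY, body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def unseal(stored: dict):
    """Return the record only if its tag still matches; None means the file was edited."""
    tag = hmac.new(DEVICE_KEY, stored["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, stored["tag"]):
        return None  # caller treats local state as compromised and wipes attestations
    return json.loads(stored["body"])


def enroll(pin: str) -> dict:
    """Create a fresh sealed record: salted PIN verifier, zero failures, biometrics off."""
    salt = secrets.token_bytes(16)
    verifier = hmac.new(derive_pin_key(pin, salt), b"pin-verifier", "sha256").hexdigest()
    return seal({"salt": salt.hex(), "pin_verifier": verifier,
                 "failed_attempts": 0, "biometric_enabled": False})


def unlock(stored: dict, pin: str):
    """Check the PIN. Returns (ok, updated_record), or (False, None) on tampering or lockout."""
    rec = unseal(stored)
    if rec is None or rec["failed_attempts"] >= MAX_ATTEMPTS:
        return False, None
    candidate = hmac.new(derive_pin_key(pin, bytes.fromhex(rec["salt"])),
                         b"pin-verifier", "sha256").hexdigest()
    ok = hmac.compare_digest(candidate, rec["pin_verifier"])
    rec["failed_attempts"] = 0 if ok else rec["failed_attempts"] + 1
    return ok, seal(rec)  # the counter is re-sealed, so hand-editing it breaks the tag
```

Sealing alone does not protect the attestations themselves; the point is that an invalid tag is a signal to discard them rather than to keep honouring a record whose PIN entry is missing.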
In a separate proof-of-concept, the security consultant showed that the system can be bypassed without using the official app. By replicating its logic in a browser extension, he generated valid verification responses that relying services would accept. The extension detects QR codes in verification flows and returns forged payloads indicating the user is over 18.
This points to a broader design flaw where verification tokens are trusted without being securely bound to a device or identity. Strengthening this link would likely require persistent identifiers, potentially undermining the app’s privacy goals.
The European Commission has not yet responded to the findings. The speed at which these issues were uncovered highlights the difficulty of building systems that handle biometric data while balancing privacy and security.
Users testing the app should avoid submitting real identity documents where possible, review storage permissions, and clear residual files.