alt.hn

4/17/2026 at 8:37:40 AM

EU age verification app hacked, 2 minute How to posted

 https://xcancel.com/Paul_Reviews/status/2044723123287666921

by johanstokking

4/17/2026 at 9:54:02 AM

That's not the real age verification app (there is no "EU app", every member state releases their own), it's the proof of concept that was made to demonstrate the system.

This stuff is also why the EU doesn't want the app to run on rooted devices. I don't believe there's a way to pass Strong Integrity yet, as the app doesn't support the hackable Android 8 software attestation.

by jeroenhd

4/17/2026 at 10:15:23 AM

I just want this whole idea to kindly please bog off. We shouldn't be further creating the apparatus of the surveillance state.

by azalemeth

4/17/2026 at 1:23:49 PM

Yeah I don’t like how the discussion is shifting to implementation details, instead of debating whether any of this is good or necessary

by ilumanty

4/17/2026 at 4:04:38 PM

IMO the implementation is crucial. If everything is locally on the device and I can confirm digitally that I'm older than 18 BUT NOTHING ELSE is leaked, like the German eID supports (I think).

Why/how would this be a bad thing?

by karussell

4/18/2026 at 2:47:49 AM

Because that's debating the mechanics of it rather than the need or the ethics. Nobody gives a shit about the mechanics because if there's a debate about the mechanics that means the discussions about the need and the ethics have already happened. Yet those discussions are in fact still going with few in favour of the ethics or need for these systems. The mechanics are the final step after everything else has been settled.

by Tanoc

4/17/2026 at 7:06:52 PM

Implementing this is fascist.

by slackfan

4/17/2026 at 8:28:40 PM

I want corrupt politicians to bog off and people to think long term. I guess we’re both going to be very disappointed.

by illiac786

4/17/2026 at 3:28:54 PM

My understanding is that this is much more privacy friendly than showing your id

by 0-_-0

4/17/2026 at 3:33:19 PM

Makes no difference in the fundamental dislike i have for the concept

by tiluha

4/17/2026 at 4:13:18 PM

Do you also dislike the concept of requiring to be a certain age to say enter a strip club or a sex club?

If not, what is the difference between those controls and having to be a certain age to enter porn sites?

Genuinely curious. To me, the primary objection to the online controls has been the implementations. The EU implementation will be[1] even better than the strip club, where the bouncer sees your ID and can remember it, when they move to zero-knowledge proofs.

[1]: https://digital-strategy.ec.europa.eu/en/news/commission-rel...

by magicalhippo

4/18/2026 at 9:03:06 PM

> Do you also dislike the concept of requiring to be a certain age to say enter a strip club or a sex club?

You can't compare someone checking your document before entering a strip club (or even a pub, or asking for alcoholic drinks) vs a computer system getting and logging an attestation and verifying it against a government database (or third party) where the Govt knows who the credential belongs to, and who's checking it. Along with my government "compelling me" to run software (even if it's open source itself) that requires me to have a binding contract with a foreign third-party company known for privacy violations, and running their proprietary software stack on my device for said government software to work, so I can participate in most parts of the digital society.

Of course the existing "identity verification" done by scanning yourself and your ID document (passport, national ID or driving licence) is not acceptable, unless counted exceptions where said documentation is needed (banking and others, because of KYC/AML)

by arielcostas

4/17/2026 at 5:09:35 PM

First of all yes.

Secondly, it's the dumbest comparison anyone could possibly make.

The difference with a porn website is as follows:

- the age check on porn sites are notoriously dumb and useless, it's literally a meme. It was a meme before there were memes.

- I choose to go on porn sites. It's not exactly a requirement that I get access to a porn site. Access to my OS on my device to work, have fun or do whatever I want privately is kind of a lot more necessary.

"Zero knowledge proof". Yeah OK. I've got a few dozen bridges to sell you. Interested?

by a0123

4/17/2026 at 7:54:29 PM

> First of all yes.

That at least explains a fair bit.

> the age check on porn sites are notoriously dumb and useless

That they have been useless is hardly an argument that's relevant to the current discussion.

> I choose to go on porn sites. It's not exactly a requirement that I get access to a porn site.

Indeed.

> Access to my OS on my device to work, have fun or do whatever I want privately is kind of a lot more necessary.

Sure, but that is an entirely different discussion.

Anyway, if you had some actual substance to your flippant dismissal it could perhaps lead to some interesting discussion.

by magicalhippo

4/17/2026 at 2:29:09 PM

If the app wants to take advantage of mandatory hardware attestation, it has to require Android 13 or later. This would undermine somewhat the promise that the app supports a wide range of devices. Even banks don't currently enforce Android 13+.

by atanasi

4/17/2026 at 2:39:34 PM

The reference wallet uses a minimum API level 29 (https://github.com/eu-digital-identity-wallet/av-app-android...)

Although, hardware attestation should be available for Android 8+. Only older Android versions can be spoofed.

You can still get strong integrity, but [as the docs state](https://developer.android.com/google/play/integrity/verdicts):

> On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.

by jeroenhd

4/17/2026 at 10:34:30 AM

> This stuff is also why the EU doesn't want the app to run on rooted devices.

I would argue the EU doesn't want to run it on rooted devices because malware could violate the security sandbox and intercept information. This is largely the same reason why Google Pay requires SafetyNet.

by ChocolateGod

4/17/2026 at 2:41:12 PM

That's exactly what this hack is doing: using root to alter the app's internal storage. The Twitter video does it manually, but the problem is the same as when one does it through automated means.

by jeroenhd

4/17/2026 at 4:05:45 PM

> why the EU doesn't want the app to run on rooted devices

Where does the EU say so?

by karussell

4/17/2026 at 11:57:21 AM

So this "hack" is basically reading app storage on a rooted phone?

Wow.

by izacus

4/17/2026 at 9:32:43 AM

"hacked"

And then this person says the pin shouldn't be encrypted (but I bet if this was otherwise they would be complaining as well)

I think scrutiny over the apps are fine, but treating every issue with the same brush is not

> this product will be the catalyst for an enormous breach at some point

Breach of what exactly is not clear since most information never leaves the phone

by raverbashing

4/17/2026 at 9:34:19 AM

Maybe the biometric and photos of id and possibly selfies not being deleted properly?

by archerx

4/17/2026 at 9:45:39 AM

Yes (later in the thread it seems to be the case, though xcancel makes threads even more confusing)

But more importantly, it's not being deleted from your phone. You know, your phone with all of your other photos

Yes it should be fixed, but this "all of nothing" approach to security is just counter-productive

by raverbashing

4/19/2026 at 12:54:40 AM

Don't forget that Android is tightening restrictions on unlocking the bootloader and sideloading. Your device may not necessarily be yours; you only have limited usage rights.

by linzhangrun

4/17/2026 at 10:08:44 PM

isnt it just a little bit funny that all this age verification is coming everywhere all at once

by redeeman

4/17/2026 at 10:43:45 AM

Shows yet again: apps are secure because people check them. And politicians will avoid it at all costs for the same reason: it exposes them to being blamed for mistakes.

by spwa4

4/17/2026 at 9:26:59 PM

This is a very dishonest title OP came up with.

by walletdrainer

4/17/2026 at 6:03:28 PM

[dead]

by onethingright

4/17/2026 at 10:50:45 AM

There's one thing "the hackers" haven't considered, though! It's illegal to hack an app in the EU,

so the problem of bypassing age verification by hacking saved files doesn't arise at all!

/s

by fvv

4/17/2026 at 12:38:36 PM

I assume it's also illegal as someone underage to access all the things protected by the age verification app. So we don't need the app then :-)

by indigomm

4/17/2026 at 3:29:04 PM

However, some one below 14 (at least in Germany) cannot be found guilty: sure the EU will fix that one with a legal act as well.

by riedel