EU Age Verification App Breached in Under Two Minutes
In a stark demonstration of security vulnerabilities, a European Union-developed mobile application intended for age verification was compromised in mere minutes by a security researcher. This incident underscores significant flaws in the implementation of digital age assurance mechanisms, which are central to the EU’s push for stricter online content regulations.
The app in question forms part of the EU’s broader initiative under the proposed “Regulation on Child Sexual Abuse Material” (CSAM Regulation). This legislation aims to mandate age verification processes across online platforms, particularly those hosting potentially harmful content for minors. Providers would be required to implement robust systems to confirm users’ ages before granting access, with the app serving as a key tool for decentralized, privacy-preserving verification.
Security researcher Pascal Junod, known for his work in cryptography and digital privacy, exposed the weaknesses during a live presentation at the Chaos Communication Congress (34C3) held in Leipzig, Germany. Junod, affiliated with the Swiss Federal Institute of Technology (EPFL), detailed how he reverse-engineered the app’s core functionality within a remarkably short timeframe.
The app relies on a combination of device-based biometrics and cryptographic challenges to assert a user’s age without transmitting sensitive personal data to central servers. Users scan government-issued ID documents using their smartphone camera, followed by a liveness detection process via facial recognition. The system then generates a verifiable credential attesting to the user’s age category (e.g., over 18) for presentation to content providers.
Junod’s hack began with a straightforward decompilation of the Android APK file using readily available tools like APKTool and Jadx. Within seconds, he accessed the app’s source code, revealing critical shortcomings. The age verification logic was predominantly client-side, meaning the smartphone itself performed the key computations without sufficient server-side validation. This design choice, intended to enhance privacy by minimizing data sharing, inadvertently created a single point of failure.
By extracting the cryptographic keys embedded in the app—keys that should have been securely managed but were instead hardcoded or weakly protected—Junod bypassed the ID scanning entirely. He crafted a forged biometric response that mimicked a successful liveness check for an adult user. The entire process took less than two minutes, from downloading the app to generating a valid age assurance token usable on compliant websites.
Further analysis revealed additional issues. The app’s pseudonymous identifiers, meant to prevent cross-site tracking, were predictable and easily spoofable. Moreover, the reliance on third-party biometric libraries introduced risks from unpatched vulnerabilities. Junod demonstrated how an attacker could intercept and replay verification sessions using network proxies, exploiting the app’s unsecured communication channels during token issuance.
The implications are profound for the EU’s regulatory ambitions. The CSAM Regulation, which passed its first reading in the European Parliament in early 2024, envisions widespread deployment of such technologies by 2027. Critics, including privacy advocates from the Electronic Frontier Foundation (EFF) and NOYB (None of Your Business), have long warned that age verification systems are prone to circumvention and erode user anonymity. Junod’s demo provides empirical evidence, showing that even a well-resourced EU project falls short against basic reverse-engineering techniques available to any skilled developer.
EU officials have acknowledged the findings but emphasized that the app represents a prototype in active development. A spokesperson from the European Commission stated that iterative security audits are ongoing, with plans to incorporate hardware-based trusted execution environments (TEEs) like ARM TrustZone in future iterations. These would isolate sensitive operations from the main OS, potentially mitigating client-side attacks. However, experts note that TEEs are not impervious; recent Spectre-like vulnerabilities have exposed their limitations.
The incident also highlights broader challenges in balancing child protection with fundamental rights. Under the EU’s Digital Services Act (DSA), platforms face fines up to 6% of global turnover for non-compliance. Yet, as Junod illustrated, users determined to evade restrictions—be they minors seeking prohibited content or adults prioritizing privacy—can do so effortlessly. Alternative approaches, such as client-side content scanning or metadata analysis, have been floated but face similar scrutiny.
Junod refrained from releasing a full proof-of-concept exploit, citing responsible disclosure principles. He shared his methodology with the app’s developers months prior, urging stronger protections like ephemeral keys, zero-knowledge proofs, and mandatory server-side re-verification. The tarnkappe.info report, based on Junod’s presentation, serves as a public call to action for policymakers to prioritize security over hasty deployment.
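The weaknesses described above (verification logic and keys living on the device, tokens replayable through a proxy) and the server-side re-verification and short-lived, per-session values Junod urged, as an added relying-party example in Python. This is not the EU app's code and not from Junod's presentation; the token format, function names and the 120-second TTL are assumptions.

```python
# Added example: the content provider's side of age-assurance token checking,
# designed so the issuer secret never ships in the APK, each token is bound to a
# verifier-chosen nonce, expires quickly and can be redeemed exactly once.
import hashlib
import hmac
import json
import secrets

TTL_SECONDS = 120  # assumed lifetime of a challenge and of the token bound to it


def issue_token(issuer_key: bytes, nonce: str, over18: bool, now: int) -> str:
    """Issuer side: minted on the server only after ID scan and liveness pass there."""
    payload = json.dumps({"nonce": nonce, "over18": over18, "exp": now + TTL_SECONDS},
                         sort_keys=True)
    mac = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


class AgeVerifier:
    """Server-side re-verification: issuer MAC, nonce freshness, expiry, single use."""

    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key
        self.pending = {}      # nonce -> time it was handed to the client
        self.redeemed = set()  # nonces already spent; a second use is a replay

    def challenge(self, now: int) -> str:
        nonce = secrets.token_hex(16)  # fresh per session, never client-chosen
        self.pending[nonce] = now
        return nonce

    def verify(self, token: str, now: int) -> tuple[bool, str]:
        try:
            payload, mac = token.rsplit(".", 1)  # hex MAC contains no '.'
            claims = json.loads(payload)
        except ValueError:
            return False, "malformed"
        if not isinstance(claims, dict):
            return False, "malformed"
        expected = hmac.new(self.issuer_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"  # token minted under a key the issuer never used
        nonce = claims.get("nonce")
        if nonce in self.redeemed:
            return False, "replayed"  # captured session presented a second time
        if nonce not in self.pending or now - self.pending[nonce] > TTL_SECONDS:
            return False, "unknown or stale nonce"
        if now > claims.get("exp", 0):
            return False, "expired"
        if claims.get("over18") is not True:
            return False, "not adult"
        del self.pending[nonce]
        self.redeemed.add(nonce)
        return True, "ok"
```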
This breach serves as a cautionary tale amid accelerating global trends toward age gating. Similar systems in the UK (via the Online Safety Bill) and Australia have encountered bypasses, often involving VPNs, shared credentials, or emulators. For the EU, addressing these flaws is imperative to avoid a landscape of ineffective mandates that burden users without delivering on safety promises.
As the CSAM Regulation advances through trilogue negotiations, stakeholders must grapple with whether decentralized verification can ever be trustworthy. Junod’s two-minute hack suggests that without fundamental redesigns, such systems risk becoming symbolic rather than substantive safeguards.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.