
The EU’s “privacy-first” age verification app has just been patched, but critics say the fixes may be polishing a “fundamentally ill-conceived” foundation.
- The EU age verification app was patched on April 17th after the backlash over its security weaknesses.
- The patches received another wave of criticism, as some experts say the root detection is outdated, the PIN hashing misconfigured, and the passport photo still not encrypted.
- Last week, Ursula von der Leyen said that the EU age verification app is “technically ready,” while an EU Commission spokesperson later softened the stance, calling it a "work in progress."
- Not all security experts share the earlier alarm over the app's security flaws. Some argue the panic is overblown, since a successful bypass only confirms age on a website — no sensitive personal data is exposed.
On April 17th, the app's developers rolled out a wave of fixes to address the issues raised. However, some security experts remain unconvinced.
Last week, Ursula von der Leyen said that the long-anticipated EU age verification app is “technically ready” and aligned with “the highest privacy standards.”
The app received widespread backlash after multiple architectural vulnerabilities were identified that allow instant bypass.
An EU Commission spokesperson hit back, stating that the “work is ongoing” and the app's open-source nature is precisely for this reason – to allow anyone with the skills on the internet to pinpoint the app's weak spots and help improve it.
What is fixed in the updated EU age verification app?
The latest release of updates claimed to have hardened some of the previously identified weak points.
According to documentation, on-device data is now encrypted at rest, with cryptographic keys locked behind the device's hardware-backed key store. This means that a rooted file explorer can no longer casually rifle through stored settings.
The app now checks device integrity on startup and refuses to run entirely on rooted or jailbroken devices, though the EU notes that production deployments should layer on stronger device-attestation mechanisms tailored to their own infrastructure and compliance requirements.
The passport onboarding flow has also been tightened. NFC scanning is more stable, and the passport photo is now stored privately and wiped as soon as it's no longer needed. No more biometric data is lingering in the app's cache after a failed comparison.
Then there's the PIN. The update enforces stricter complexity rules to block easily guessable codes, and PINs are now salted and hashed rather than stored in their original form.
In other words, the exact vulnerability that powered cybersecurity consultant Paul Moore's viral two-minute bypass video, editing a plaintext-adjacent PIN value in Shared Preferences, should no longer be possible.
Updates dubbed “utter security theater”
Reacting to the new release, Moore posted another point-by-point teardown on X. His verdict was scathing.
"Honestly, I don't know if I should laugh or cry," he said.
The on-device encryption, the headline fix meant to lock down the very Shared Preferences file that powered his original bypass, relies on three dependencies that are all deprecated:
- androidx.security:security-crypto, deprecated in 2025
- EncryptedSharedPreferences, also deprecated in 2025
- MasterKeys, deprecated since 2020
These weren't legacy leftovers that slipped through a version bump. They were added recently, in direct response to security criticism, as a hardening measure for a framework intended to serve as the foundation for production apps across the entire European Union.
“Remember, this isn't an isolated app. It's intended to lay the foundation for many production applications, all using deprecated security libraries from the outset,” Moore continued. He noted that the codebase already contains KeystoreController, a better approach, but the developers did not choose it.
The root detection fares no better under Moore's examination. The app checks a handful of known su binary paths and scans the package manager for familiar root apps like Superuser and SuperSU.
According to Moore's assessment, these techniques would have been adequate in 2015. In 2026, modern rooting tools trivially bypass all of these checks.
On the passport photo fix, Moore acknowledged progress – the images are now being deleted correctly. But he flagged that they're still not encrypted while they exist on the device, leaving him questioning what "stored privately" actually means in practice.
It was the PIN hardening that drew Moore's most technical fire. The implementation salts correctly using a true cryptographically secure pseudorandom number generator, then feeds the result into PBKDF2-SHA256.
It is an algorithm Moore called outdated, one recommended only where FIPS compliance is required, which doesn't apply here. The iteration count is set at 210,000, a number Moore called "oddly specific."
“It's the OWASP minimum for PBKDF2-SHA512, not SHA256. Right number, wrong algorithm. In reality, OWASP recommended 600,000 iterations as a minimum in 2023,” he explained.
However, 600,000 is the baseline minimum for passwords, not for PINs with only 1 million possible values. The minimum viable fix, he suggested, would be a modern hashing algorithm with reasonable brute-force resistance calibrated against a 2026 threat model.
“Utter security theater. None of this negates my fundamental point. This isn't fixable through code – it's fundamentally ill-conceived and poorly implemented,” Moore commented.
Is the criticism of the app exaggerated?
While Moore's initial posts racked up millions of views and dominated the headlines, not everyone in the security world shared his alarm, at least not about the issues that went viral.
Miłosz Gaczkowski, a mobile app security professional, published a detailed counter-analysis on LinkedIn that took aim at the narrative Moore’s posts had created.
His core argument was that the uncovered vulnerabilities are real, but the panic they generated is wildly disproportionate to the actual risk. The PIN bypass, which drew most of the public attention, will not, according to Gaczkowski, enable anyone to extract sensitive data.
“If an attacker bypasses the PIN of this application – that is, if they steal your phone, which was already rooted, and which you happened to leave unlocked at the time of theft – the attacker may be able to use your phone to confirm their age on an 18+ website,” he explained.
“That... seems to be it. There's no sensitive personal information to extract, no credentials, no nothing.”
Gaczkowski criticized the European Commission's communications team. Simultaneously publishing proof-of-concept code, which is not production-ready, while publicly declaring the technology "technically ready" was, in his view, a failure.
In response to a LinkedIn post, Moore engaged in the discussion, stating that most of the mainstream narrative missed the point. In his opinion, the media, the commentators, and the EC itself applied the wrong threat model. The threat isn't an external attacker breaking into someone's phone. It's the user themselves wanting to bypass the system.
“Many people commenting on this, even the EC itself, applied the wrong threat model. Nobody is breaking into a device to steal a signed "I'm over 18" assertion. But, the user (not wanting to submit valid biometrics in the first place) can easily bypass all protections – even inside a Chrome extension,” Moore explained.