Critical Security Flaws Exposed in EU Age Verification App

A highly anticipated European Union Age Verification application faces severe criticism after security researcher Paul Moore demonstrated how to bypass its core protections in under two minutes. Mobile security experts have flagged the app’s cryptographic and design flaws as posing significant risks to user identity credentials.

Critical PIN Bypass Vulnerability

Moore analyzed the application’s open-source code and discovered fundamental vulnerabilities in how it handles sensitive user data. The primary issue lies in the SharedPreferences storage mechanism for PIN encryption.

During setup, the app encrypts user PINs and stores them locally in configuration files. However, this encryption lacks cryptographic binding to the secure vault containing identity data. Attackers can manipulate configuration files by deleting the PinEnc and PinIV values from the app’s shared preferences directory. Upon restart, the app forces a new PIN creation, granting attackers full access to original user credentials.

Additional Authentication Failures

Beyond the PIN bypass, Moore identified two critical flaws within the same configuration file:

  • Rate Limiting Bypass: Attackers can reset an incrementing counter to zero, enabling unlimited PIN attempts without lockout. This exploits the Broken Access Control vulnerability.
  • Biometric Circumvention: Changing the UseBiometricAuth value from true to false completely disables biometric authentication, rendering security measures ineffective.

Contradicts Official Security Claims

These findings directly challenge statements by European Commission President Ursula von der Leyen, who asserted the app met the “highest privacy standards” and was “technically ready for deployment.” EU officials had emphasized its open-source nature as a security guarantee, calling for “public verification of compliance.”

Experts Call for Architectural Overhaul

“This design pattern is a textbook anti-pattern in mobile security,” warns Moore. “Storing authentication credentials in local preference files disregards Android security best practices.” The European Data Protection Board has been notified of the risks, with experts recommending a complete rearchitecture before deployment to avoid catastrophic data breaches.

Security advocates insist the app must implement cryptographic binding between local credentials and identity vaults, along with server-side validation of security parameters. Until then, researchers warn the application remains fundamentally compromised despite its open-source foundation.

kwgixWTU klA TAAjOotfaO

Related Articles

Back to top button