The EU's open-source age verification app could be hacked in just two minutes, revealing privacy and security vulnerabilities, forcing EU officials to say it's 'still in the demonstration stage.'



The EU plans to deploy an official age verification app ahead of enforcing protection measures for minors within its borders, and is developing it as open source under the EUPL-1.2 license. However, shortly after its release, several security experts pointed out shortcomings in how sensitive data is protected on devices and the possibility of bypassing biometric authentication.

Brussels launched an age checking app. Hackers say it takes 2 minutes to break it. – POLITICO
https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/

New version of EU age verification app to follow biometrics bypass, exposure claims | Biometric Update
https://www.biometricupdate.com/202604/new-version-of-eu-age-verification-app-to-follow-biometrics-bypass-exposure-claims

The app in question was released amidst the EU's efforts to strengthen protection for minors on social media and adult websites. In 2024, the European Commission held a €4 million (approximately ¥747 million) tender for this age verification app, and a Swedish company won the contract. The implementation, which is publicly available on GitHub, is positioned as a reference implementation that will serve as a foundation for member states to create their own solutions as part of the 'Age Verification Solution Toolbox.'

This age verification app uses a zero-knowledge proof approach: users verify their age through a passport, national ID, or a trusted service provider such as a bank, and the app then indicates to online services only that the user is 'above a certain age,' without disclosing any further personal information.



European Commission President Ursula von der Leyen stated at the time of the announcement that it was 'completely open source and anyone can review the code,' explaining that it would soon be available as countries move to restrict children's use of social media.

However, within hours of its release, security consultant Paul Moore pointed out that the app stored sensitive data on users' devices without adequate protection and claimed it could be cracked in less than two minutes.



Furthermore, French white-hat hacker Baptiste Robert explained that it may be possible to bypass the app's biometric authentication feature. Cryptographer Olivia Blasey also pointed out the problem, stating that 'even if someone else uses the device of someone who has proven they are over 18, they can still prove they are over 18.'

The European Commission responded by explaining that the hackers were testing an earlier 'demo version' released for testing and development purposes, and that the vulnerability had been fixed. However, Moore and Blasey countered that 'the version being tested was the latest version of the code that the EU had made publicly available online,' creating a discrepancy.

Indeed, the public repository on GitHub clearly states that 'the demo version is being updated and will continue to receive updates for community testing.' It also explains that 'this app is a white-label reference implementation that should be customized for each country before release; the current version is incomplete, additional integration work is required before production deployment, and country-specific registration procedures must be implemented by member states and publishers.' Furthermore, it recommends strengthening the PIN to prevent easily guessable sequences, and it has been pointed out that the repository description itself indicates that the software is still under development.

However, while the European Commission spokesperson maintains the position that 'the release is ready,' the spokesperson for the digital sector stated that 'even though it's the final version, it's still just a demo,' acknowledging that the final product for the public is not yet available, suggesting that there is a lack of consensus within the European Commission.



Given these circumstances, experts and politicians have been criticizing the move as premature. While Blasey acknowledged the open-source nature of the project, allowing experts to verify it, he stated that 'the released code does not meet the cybersecurity standards commensurate with its importance,' warning that a rushed deployment could undermine confidence in digital identity wallets as a whole in the future.

According to the overseas media outlet Politico, in March 2026, more than 400 privacy and security experts sent an open letter calling for a halt to the rollout of age-protection technology until scientific agreement is reached on its benefits, drawbacks, and technical feasibility. Criticism has also emerged from within the European Parliament, with some saying the app is being rushed due to political pressure and that it is a half-baked solution that does not meet the EU's own standards.

Posted in Software, Security by log1i_yk