![\"\"](\"https:\/\/yoota.it\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-16-at-16-41-47-Paul-Moore-Security-Consultant--@Paul_Reviews-Hacking-the-EU-AgeVerification-app-in-under-2-minutes.-During-setup-the-app-asks-you-to-create-a-PIN.-After-entry-the.webp\")
<\/a><\/figure>\n\n\n\nThe PIN bypass Moore describes<\/h2>\n\n\n\n
According to the researcher, during setup the app asks users to create a PIN, encrypts it, and saves it in the Moore adds that rate limiting appears to be implemented as a simple numeric counter in the same config file, resettable manually, and that the biometric authentication option is a boolean flag modifiable the same way. He closed his post with a direct reference to von der Leyen, claiming the product will be, in his view, the catalyst for a major data breach sooner or later.<\/p>\n\n\n\n The second report, published the day before, concerns how the app handles collected images. Moore writes that data extracted from verification, such as When reading an NFC document, the app extracts the DG2 file (containing the passport’s biometric photo) and writes a lossless PNG to the filesystem, deleting it only if the read succeeds. If something goes wrong, a crash, a back button tap, or a scanning error, the image remains in the cache. For selfies, the scenario he describes is worse: PNGs get written to external storage and never deleted, stored long-term rather than as temporary cache. On Android, “external storage” doesn’t necessarily mean an SD card, but rather a shared memory area subject to different protections than the app’s private storage. In both cases, Moore contends, the files are protected by Android’s keys, but the app adds no encryption of its own.<\/p>\n\n\n\n The researcher compared it to taking a photo of a document with the camera app and keeping it in the gallery “just to be safe,” adding that since these are biometric data (a special category under GDPR), unjustified retention could constitute a substantial violation of the regulation.<\/p>\n\n\n\n The app, developed by Scyt\u00e1les and T-Systems, is currently in pilot phase in Italy, France, Spain, Denmark, and Greece, and is built on the same technical specifications as the future European digital identity wallet. The fact that the code is open source was presented by the Commission as a transparency guarantee, based on the assumption that anyone can review it, which is exactly what Moore claims to have done.<\/p>\n\n\n\n Moore’s findings aren’t the first concerns to emerge about the application. In March, an independent analysis identified an architectural weakness in the issuer component, unable to verify that passport validation actually occurred on the user’s device. For now, the Commission’s claims and the researcher’s observations stand, pending a substantive response from Brussels.<\/p>\n\n\n\n For your information: X links can also be viewed using shared_prefs<\/code> directory. Moore argues that the PIN shouldn’t be encrypted at all, and more importantly, it isn’t cryptographically tied to the vault containing identity data. As a result, an attacker could remove the PinEnc<\/code> and PinIV<\/code> values from the file, restart the app, set a new PIN, and gain access to the previous profile’s verification data, ready to be presented as valid.<\/p>\n\n\n\nBiometric images and selfies written to disk<\/h2>\n\n\n\n
is_over_18: true<\/code>, is properly protected with AES-GCM. The problem, according to him, lies in the original images from which that data is extracted, namely the document photo and the user’s selfie.<\/p>\n\n\n\n![\"\"](\"https:\/\/yoota.it\/wp-content\/uploads\/2026\/04\/Screenshot-2026-04-16-at-16-44-35-Paul-Moore-Security-Consultant--@Paul_Reviews-.@vonderleyen-The-European-AgeVerification-app-is-technically-ready.-It-respects-the-highest-privacy-standards-in-the-.webp\")
<\/a><\/figure>\n\n\n\nContext behind the EU announcement<\/h2>\n\n\n\n
xcancel.com<\/code> or nitter.net<\/code> in place of x.com<\/code> in the URL.<\/p>\n\n\n\n \n