A consultant altered in less than two minutes the European app that verifies the age of majority

22 April 2026, 10:12

The mobile age verification application backed by the European Commission contains weaknesses that let its behaviour be altered in under two minutes, as security consultant Paul Moore has demonstrated. The disclosure comes a few days after Ursula von der Leyen said that the tool is practically ready.

The test exposes several flaws in the access protection system. One of the most sensitive concerns the PIN the application asks the user for. That code is stored encrypted in the device's shared_prefs directory, but it is not cryptographically bound to the container that holds the identity data.

PIN Reset without losing credentials

That separation lets an attacker delete the PinEnc and PinIV values from the configuration file, restart the application, and set a new PIN without losing access to the credentials already generated. In practice, the access code can be reassigned without the previously stored identity ever being invalidated.

Moore also found that the attempt limit is ineffective. It relies on a counter saved in that same configuration file, which can be reset by hand, opening the door to unlimited attempts.

Biometrics can also be disabled

Biometric authentication is no better protected. It can be bypassed by editing the boolean value UseBiometricAuth in the configuration file; with that change, the application stops requiring that additional layer of verification.
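The three weaknesses above share one root cause: every control lives in a configuration file the attacker can edit, and none of it is bound to the credential container. The following Python model is an added example written for this article, not code from the EU application or from Paul Moore. It reproduces the described design (PIN sealed under a device key, attempt counter and UseBiometricAuth flag in an editable prefs map, credentials stored separately) beside a hardened variant in which the container itself is sealed under a key derived from the PIN, so deleting PinEnc and PinIV achieves nothing. The key names PinEnc, PinIV and UseBiometricAuth are the ones the article reports; the device key, the FailedAttempts counter name, the sample credential and the toy cipher are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumptions for the model (not taken from the app): a device-wide key the app can
# always reach, a constructed sample credential, and a five-attempt lockout.
DEVICE_KEY = hashlib.sha256(b"assumed-device-key").digest()
CREDENTIAL = b'{"age_over_18": true, "issuer": "constructed-example"}'
MAX_ATTEMPTS = 5


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for a real cipher such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class VulnerableApp:
    """PIN gate as the article describes it: PIN sealed under a device key and kept in
    prefs (modelled on shared_prefs); the credential container is not bound to it."""

    def __init__(self) -> None:
        self.prefs = {"UseBiometricAuth": True, "FailedAttempts": 0}
        self.credential_store = CREDENTIAL          # readable without knowing the PIN

    def set_pin(self, pin: str) -> None:
        blob = seal(DEVICE_KEY, pin.encode())
        self.prefs["PinIV"], self.prefs["PinEnc"] = blob[:16], blob[16:]

    def unlock(self, pin: str, biometric_ok: bool = False) -> Optional[bytes]:
        if self.prefs.get("UseBiometricAuth") and not biometric_ok:
            return None
        if "PinEnc" not in self.prefs:             # no PIN on file: treated as first run
            self.set_pin(pin)
            return self.credential_store
        if self.prefs["FailedAttempts"] >= MAX_ATTEMPTS:
            return None                            # lockout enforced only by the counter
        stored = unseal(DEVICE_KEY, self.prefs["PinIV"] + self.prefs["PinEnc"])
        if not hmac.compare_digest(stored, pin.encode()):
            self.prefs["FailedAttempts"] += 1
            return None
        self.prefs["FailedAttempts"] = 0
        return self.credential_store


class HardenedApp:
    """Assumed hardening (not the app's design): the container is sealed under a key
    derived from the PIN, so nothing in prefs can be deleted or edited to bypass it."""

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.container = seal(self._key(pin), CREDENTIAL)
        self.prefs: dict = {}                      # no PinEnc/PinIV to strip

    def _key(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def unlock(self, pin: str) -> Optional[bytes]:
        try:
            return unseal(self._key(pin), self.container)
        except ValueError:
            return None


def attack_vulnerable() -> Optional[bytes]:
    app = VulnerableApp()
    app.set_pin("4821")                            # owner's PIN; the attacker never learns it
    app.prefs.pop("PinEnc")                        # delete the encrypted PIN and its IV...
    app.prefs.pop("PinIV")
    app.prefs["UseBiometricAuth"] = False          # ...and switch off the biometric check
    return app.unlock("0000")                      # attacker's own PIN now opens the credential


def counter_reset_vulnerable() -> bool:
    app = VulnerableApp()
    app.prefs["UseBiometricAuth"] = False
    app.set_pin("4821")
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        app.unlock(guess)                          # five misses trip the lockout
    locked = app.unlock("4821") is None            # even the right PIN is refused now
    app.prefs["FailedAttempts"] = 0                # attacker rewrites the counter in the file
    return locked and app.unlock("4821") == CREDENTIAL


def attack_hardened() -> Optional[bytes]:
    app = HardenedApp("4821")
    app.prefs.clear()                              # nothing to strip; container stays sealed
    return app.unlock("0000")                      # wrong PIN gives the wrong key: None
```

The hardened variant closes the reset path but not the brute-force path: a four-digit PIN has only 10,000 candidates, so a software KDF alone is trivially searchable offline once the container is copied off the device. In a real deployment the container key should be held in hardware-backed storage (Android Keystore with a user-authentication requirement, StrongBox where available) so that the attempt limit is enforced by the secure element rather than by a counter in a file.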

Beyond the technical flaws, the main criticism targets the system's own design. Moore argues that the web validation and the on-device verification run separately, with no real check of who is holding the terminal at that moment.

"Even if the application works exactly as designed, the website and the verification process are completely decoupled and anonymous. The architecture assumes that you will send the request to your device, which contains your biometric data. But it can go to any device, anywhere in the world, and since the phone has no way of knowing who initiated the process, the child still passes age verification" - Paul Moore, security consultant

The verification is associated with the device, not the user

The expert boils the problem down to one point: the application does not really attest the age of the person using it, only that of the owner of the phone on which the credentials are loaded. The validation is tied to the Android device, not to the real identity of the user at each access.

"The assertion is that the user is over 18 years old. In reality, the application responds that the owner of this Android device is over 18 years old. It doesn't know who the user is... how can it know their age? This is the current design, not a bug" - Paul Moore, security consultant

The demonstration reopens the debate about the reliability of the future European age verification system just as its rollout seemed imminent. The objections raised concern both the technical protection of the application and the validity of the model chosen to attest the age of majority.

About the author
Redacción