The European Commission’s latest Digital Age Verification App, designed to protect young users from inappropriate online content, has been swiftly compromised. Security expert Paul Moore, based in the UK, demonstrated a complete bypass of the app’s authentication process in less than two minutes following its release on April 14, 2026.
Security Flaws in App Design
When users set up the app, they are required to create a personal identification number (PIN). This PIN is encrypted and stored on the user’s device in a file called shared_prefs. However, researchers identified two significant design flaws: the PIN encryption is not cryptographically bound to the identity vault containing the user’s verification credentials, and the stored values are not protected against tampering, so the PIN check can be separated from the data it is supposed to guard.
An attacker with physical access to a device can exploit this by removing the PinEnc and PinIV values from the shared_prefs file. After restarting the app, they can set a new PIN and then gain access to the original user’s verified credentials without raising alarms.
Additional Vulnerabilities Discovered
In addition to the PIN issue, researchers found two more security weaknesses within the same file. The app’s brute-force protection, intended to limit incorrect PIN attempts, is merely an incrementing counter in shared_prefs. An attacker can reset this counter, allowing limitless PIN guesses without any lockout.
Furthermore, the app’s biometric authentication can be bypassed by altering a boolean flag named UseBiometricAuth. By setting this flag to false, attackers can entirely skip the biometric verification step, eliminating an important layer of security.
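The two design properties the article says are missing, PIN material that is bound to the vault and preference values that cannot be silently edited, can be shown in a compact form. The following is an added example written for this article; it is not the EU app's code, and the iteration count, attempt limit, field names and the device-held key are all assumptions. It uses only the Python standard library, so the encryption is an illustrative HMAC counter-mode keystream standing in for the platform AES-GCM and Keystore-backed key a real app would use.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Constructed example (not the EU app's code): a PIN-bound credential vault plus
# tamper-evident preferences. Two properties the article says the app lacks:
#   1. the vault key is derived from the PIN, so deleting the stored PIN material
#      does not yield a usable vault, it only yields an unreadable one;
#   2. the attempt counter and biometric flag are covered by a MAC under a
#      device-held key, so edits to them are detected rather than trusted.

PBKDF2_ITERATIONS = 100_000   # assumption for the example
MAX_ATTEMPTS = 5              # assumption for the example


def derive_key(pin: str, salt: bytes) -> bytes:
    """Slow KDF from the PIN; a real app would also mix in a hardware Keystore key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream. Illustrative only: use platform AES-GCM in production."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the PIN-derived master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal_vault(pin: str, credentials: bytes) -> dict:
    """Encrypt-then-MAC the credentials under a key derived from the PIN."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _subkeys(derive_key(pin, salt))
    ct = bytes(a ^ b for a, b in zip(credentials, _keystream(enc_key, nonce, len(credentials))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(pin: str, vault: dict) -> Optional[bytes]:
    """Return the credentials, or None if the PIN is wrong or the blob was modified."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ct, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _subkeys(derive_key(pin, salt))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def write_prefs(device_key: bytes, attempts: int, use_biometric: bool) -> str:
    """Serialise preferences with a MAC under a device-held key (stand-in for a Keystore key)."""
    body = json.dumps({"attempts": attempts, "use_biometric": use_biometric}, sort_keys=True)
    tag = hmac.new(device_key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def read_prefs(device_key: bytes, blob: str) -> Optional[dict]:
    """Return the preferences, or None if the stored values were altered."""
    outer = json.loads(blob)
    expected = hmac.new(device_key, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        return None
    return json.loads(outer["body"])


def unlock(device_key: bytes, prefs_blob: str, vault: dict, pin: str):
    """Full unlock path. Returns (status, credentials_or_None, new_prefs_blob)."""
    prefs = read_prefs(device_key, prefs_blob)
    if prefs is None:
        # Tampered counter or biometric flag: fail closed rather than trust the file.
        return "tampered", None, prefs_blob
    if prefs["attempts"] >= MAX_ATTEMPTS:
        return "locked", None, prefs_blob
    creds = open_vault(pin, vault)
    if creds is None:
        new_blob = write_prefs(device_key, prefs["attempts"] + 1, prefs["use_biometric"])
        return "wrong_pin", None, new_blob
    return "ok", creds, write_prefs(device_key, 0, prefs["use_biometric"])


if __name__ == "__main__":
    device_key = os.urandom(32)                      # would live in the Keystore
    vault = seal_vault("1234", b"verified-credential")  # constructed sample credential
    prefs = write_prefs(device_key, 0, True)
    print(unlock(device_key, prefs, vault, "1234")[0])   # ok
    print(unlock(device_key, prefs.replace("true", "false"), vault, "1234")[0])  # tampered
```

The point of the design is that there is no separate "PIN correct" gate to delete: a wrong PIN produces a key that fails the vault's MAC, and removing the salt or ciphertext destroys the credentials rather than exposing them. The counter and biometric flag remain in a file, but any edit breaks their MAC, so the app can fail closed instead of reading a reset counter or a flipped flag as genuine.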
Implications and Official Response
Experts have labeled these vulnerabilities as severe design failures rather than isolated incidents. The app is intended as a prototype within the broader European Digital Identity Wallet framework, which makes these findings significant for what is meant to become essential national infrastructure.
Critics also pointed out another flaw discovered in March 2026, where the app failed to confirm whether passport validation happened on the user’s device. Moore addressed EU Commission President Ursula von der Leyen, cautioning that without intervention, the app could lead to substantial data breaches.
Despite these revelations, as of April 17, 2026, the European Commission has not released an official fix or response to these vulnerabilities. Meanwhile, countries like France, Spain, and Denmark continue testing the app in pilot phases.
