EU age verification app faces security scrutiny after researcher shows quick local bypass
The European Commission says its new age verification app is technically ready and will soon be available to citizens across the EU. But within days of that announcement, security researcher Paul Moore said he bypassed the app’s local protections in under two minutes by editing files stored on the device.
That claim does not mean the entire EU age-check framework has collapsed, but it does raise serious questions about how the current implementation protects local credentials, PIN controls, and biometric settings. The Commission describes the app as open source, privacy-preserving, and designed to work with the wider European Digital Identity Wallet model, which makes early design weaknesses especially important.
The app sits at the center of a larger EU push to help platforms verify age without collecting more personal data than necessary. President Ursula von der Leyen said the tool will let users prove their age while remaining anonymous, and Reuters reported that the Commission sees it as a barrier to reduce children’s unintended exposure to harmful content rather than a perfect anti-circumvention system.
What the researcher says is broken
Moore’s reported bypass focuses on how the app stores and enforces local authentication settings. According to reporting on his findings, the app stores encrypted PIN values in local shared preferences, but those values are not strongly bound to the verified identity material the app later unlocks. By deleting the stored PIN fields and setting a new PIN, an attacker with access to the device could regain access to the already-issued credential.
The same local file reportedly controls brute-force protection and biometric enforcement. Reporting on the disclosure says an attacker can reset the failed-attempt counter to zero and flip a boolean value to disable biometric authentication, which would remove two more checks without needing to break any strong cryptography.
Those details point to a local-device security problem, not a claim that remote attackers can instantly break every EU identity system over the internet. The reported attack needs access to the device or its files. That still matters because age credentials are supposed to be trustworthy and privacy-preserving, and a weak local trust model can undermine both goals.
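The difference between a PIN record that only gates access and a PIN that is cryptographically bound to the credential can be modelled in a few lines. This is an added example, not code from the app or from the researcher's disclosure: `GateOnlyStore`, `BoundStore` and `tamper_then_unlock` are hypothetical names, the sample data is constructed, and PBKDF2 with a SHAKE-256 keystream stands in for a hardware-backed key and an AEAD cipher.

```python
import hashlib, hmac, secrets

def kdf(pin: str, salt: bytes) -> bytes:
    # Stand-in for a hardware-backed key that is released only after user authentication.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class GateOnlyStore:
    """Constructed model: the PIN record only gates access; the credential sits beside it."""
    def __init__(self, pin: str, credential: bytes):
        self.prefs = {"credential": credential}
        self.set_pin(pin)

    def set_pin(self, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.prefs.update(pin_salt=salt, pin_hash=kdf(pin, salt))

    def unlock(self, pin: str):
        if "pin_hash" not in self.prefs:      # a missing PIN record is treated as first run
            self.set_pin(pin)
        ok = hmac.compare_digest(kdf(pin, self.prefs["pin_salt"]), self.prefs["pin_hash"])
        return self.prefs["credential"] if ok else None

def _xor(key: bytes, data: bytes) -> bytes:
    # Toy keystream for the demo; a real app would use an AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + b"enc").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class BoundStore:
    """Hardened model: the credential exists on disk only sealed under the PIN-derived key."""
    def __init__(self, pin: str, credential: bytes):
        salt = secrets.token_bytes(16)
        key = kdf(pin, salt)
        ct = _xor(key, credential)
        tag = hmac.new(key, b"tag" + ct, "sha256").digest()
        self.prefs = {"salt": salt, "ct": ct, "tag": tag}

    def unlock(self, pin: str):
        if not {"salt", "ct", "tag"} <= self.prefs.keys():
            return None                        # tampered store: re-enrolment is required
        key = kdf(pin, self.prefs["salt"])
        tag = hmac.new(key, b"tag" + self.prefs["ct"], "sha256").digest()
        return _xor(key, self.prefs["ct"]) if hmac.compare_digest(tag, self.prefs["tag"]) else None

def tamper_then_unlock(store, new_pin: str):
    """Defender's regression check: drop the PIN-related fields, then try a different PIN."""
    for field in ("pin_salt", "pin_hash", "salt", "tag"):
        store.prefs.pop(field, None)
    return store.unlock(new_pin)
```

A short PIN carries little entropy, so a derived key alone does not stop offline guessing; on a real device the wrapping key and the attempt limit belong in hardware-backed storage rather than in an editable preferences file.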
Why this matters beyond one demo
The Commission has presented the age verification blueprint as more than a single app. It is a reusable, open-source model that member states and service providers can adopt, and it is meant to be compatible with the future European Digital Identity Wallet ecosystem. A weakness in that reference implementation can ripple outward if countries or vendors copy the same design choices.
The official timeline also shows this is not a quiet lab project anymore. The Commission says the blueprint has been available since July 2025, a pilot phase started in July 2025, and as of April 2026 the app is technically ready for citizen rollout. IAPP reported that Denmark, France, Greece, Italy, and Spain were part of the pilot, while other commentary has described a six-country pilot footprint.
That scale increases the stakes. If the app is going to serve as a trusted age gate for online platforms across Europe, its local protections need to be harder to tamper with than ordinary app preferences. Otherwise, critics will argue that the system adds friction for compliant users without delivering the security guarantees policymakers promised. This last point is an inference based on the Commission’s stated goals and the researcher’s reported bypass method.
Key details at a glance
| Item | Details |
|---|---|
| Official status | European Commission says the app is technically ready and will soon be available |
| Purpose | Let users prove age online while protecting privacy |
| Technical model | Open-source blueprint compatible with the European Digital Identity Wallet |
| Researcher claim | Paul Moore says he bypassed local protections in under two minutes |
| Reported weaknesses | PIN reset, brute-force counter reset, biometric toggle bypass |
| Likely attack requirement | Local device access or access to editable app files |
| Pilot phase | Commission says pilot began in July 2025 |
The Commission has also stressed that the system aims to reveal only whether a user meets an age threshold, not broader identity details. Its public blueprint says the proof provider link is cut after proof issuance and that online services should only receive anonymous age proof. That privacy promise is central to the project’s pitch.
Reuters added another layer of context. A senior Commission official told the outlet the broader initiative can still be bypassed with tools like VPNs, but framed the app as a deterrent barrier rather than a surveillance system or absolute enforcement mechanism. That does not answer Moore’s local bypass claims, but it shows the Commission already views circumvention as part of the real-world threat model.
So the real question now is narrower and more technical: can the app safely protect an issued age credential on a user’s device after enrollment? The reported PIN and biometric bypasses suggest that answer may still be unsettled in the current implementation.
What to watch next
- Whether the European Commission or the project maintainers publish a formal security response, patch note, or revised build.
- Whether member states in the pilot adjust local deployments before wider rollout.
- Whether independent researchers find deeper flaws in credential binding or issuance, not just local app settings. This is an inference based on the nature of the reported weaknesses.
- Whether the Commission clarifies the difference between the open-source blueprint, pilot implementations, and the final citizen-facing apps.
FAQ
The European Commission announced on April 15, 2026 that its age verification app was technically ready and would soon be available for citizens to use.
The reporting I found describes a local bypass that relies on editing files on the device, not a fully remote compromise of every user over the internet.
Reportedly, the PIN setup, brute-force rate limiting, and biometric enforcement could all be changed through local configuration edits.
Because the app is meant to become a trusted, privacy-preserving building block for age checks across Europe, and that trust depends on strong protection of local credentials after issuance.