Background

EU's 'Privacy-Safe' Age Verification App With The 'Highest Privacy Standards In The World,' Cracked In Two Minutes

15/04/2026

In the push to shield young people from the darker corners of the internet, the European Union rolled out what it called a game-changing tool earlier this month: a free, open-source age verification app designed to let users prove they're over a certain age without handing over any personal details.

Unveiled by Commission President Ursula von der Leyen, the app was positioned as the missing piece in enforcing the bloc's Digital Services Act, giving platforms like TikTok, Instagram, and porn sites a straightforward way to block minors from addictive feeds, harmful content, and explicit material.

Von der Leyen declared there were "no more excuses" for tech companies failing to protect kids, framing the app as a privacy-friendly digital ID that works much like the COVID-19 vaccine certificates: upload a passport or national ID once, then generate anonymous proofs that platforms can verify on the spot.

"The EU remains committed to making the digital world safer for children," she said.


"With the age verification app, the EU is taking decisive steps to protect children and hold online platforms accountable, reinforcing the priority of children's safety over commercial interests," wrote the European Commission in the announcement.

The idea sounded elegant on paper, before hackers proved how fragile that promise really was.

To use the app, users must first download it, then verify their age through trusted sources like banks or government IDs.

The system relies on zero-knowledge proofs to confirm adulthood without revealing anything else. National governments could build their own compatible versions, and the whole thing was meant to roll out smoothly across the EU, addressing everything from cyberbullying to grooming while respecting strict data-protection rules.

It even built on a €4 million tender awarded to Swedish and German firms back in 2024, with the code released publicly on GitHub for anyone to inspect.

Von der Leyen and her team presented it as technically ready and fully anonymous, a bold step toward making Europe’s online spaces safer without sliding into surveillance overkill.

But within hours of the launch, the app's promise unraveled in spectacular fashion.

Security researchers pounced on the demo version, and what they found was embarrassingly basic.

UK consultant Paul Moore posted a video showing he could bypass the entire authentication system in under two minutes. All it took was physical access to a phone and editing a plain-text configuration file called shared_prefs.

The app stored an encrypted PIN locally, but that encryption wasn't tied to the actual age-verification credentials.

In practice, this means attackers could wipe the PIN, reset the rate-limiting counters that prevent guessing attempts, and disable biometric locks entirely. Once done, they could set a new PIN and reuse the verified credentials as if nothing had happened.
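The design gap described above, shown as an added example (not the app's own code): a PIN record that only gates the UI, next to a credential sealed under a PIN-derived key. All names, the sample credential and the HMAC-based cipher are assumptions made here for illustration; a real app would use AES-GCM with a hardware-backed keystore.

```python
import hashlib, hmac, os

def _pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()

# Unbound design (as described above): the PIN record in the settings file
# only gates the UI; the credential is stored independently of it.
def unbound_present(prefs: dict, credential: bytes, pin: str):
    return credential if prefs.get("pin_hash") == _pin_hash(pin) else None

# Bound design: the credential is sealed under keys derived from the PIN,
# so there is no separate PIN record to replace.
def _keys(pin: str, salt: bytes):
    k = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM (assumption)
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(pin: str, credential: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(pin, salt)
    ct = _xor_stream(enc_key, nonce, credential)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(pin: str, blob: dict):
    enc_key, mac_key = _keys(pin, blob["salt"])
    want = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        return None  # wrong PIN or modified blob: credential stays sealed
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def demo() -> dict:
    cred = b"constructed-sample-credential: age_over_18=true"
    blob = seal("4821", cred)
    # Constructed settings record after the PIN entry has been replaced
    prefs_edited = {"pin_hash": _pin_hash("0000"), "failed_attempts": 0}
    return {
        "unbound_after_edit": unbound_present(prefs_edited, cred, "0000"),
        "bound_new_pin": unseal("0000", blob),
        "bound_right_pin": unseal("4821", blob),
    }
```

Binding alone does not protect a short PIN from offline guessing if the sealed blob and salt can be copied, so the attempt counter and key derivation still need to live in hardware-backed storage rather than an editable settings file.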

French white-hat hacker Baptiste Robert and cryptographic expert Olivier Blazy quickly confirmed the flaws.

Blazy even demonstrated how a nephew could swipe an uncle's unlocked phone and instantly prove he was over 18 to any platform. Moore went further, recreating the credential logic in a browser extension to fake responses entirely, warning that the app could become "the catalyst for an enormous breach."

The Commission’s response was measured but defensive.

Spokespeople insisted the version under fire was merely a "demo" for testing, that the vulnerability had already been patched, and that the code would keep evolving. Chief Spokesperson Paula Pinho acknowledged it could "always be improved," while digital spokesperson Thomas Regnier emphasized that no final citizen-facing product had launched yet.

Yet the researchers maintained they had tested the latest publicly available code, and the episode quickly fueled a chorus of criticism from privacy advocates and MEPs.

Over 400 experts had already sent an open letter in March urging a moratorium on deployment until the technology’s real-world risks were better understood. Czech Pirate Party MEP Markéta Gregorová called the rollout rushed under political pressure, while German MEP Birgit Sippel labeled it a “half-baked” solution that failed the EU’s own standards. Even some national voices, like Poland’s Piotr Müller, warned of creeping centralized surveillance reminiscent of more authoritarian models.

The timing couldn’t have been worse.

The app arrived amid growing momentum for child-protection rules across Europe, inspired in part by Australia's December 2025 ban on under-16s using social media. Member states are debating minimum ages, platforms face fines under the DSA for addictive designs, and public anxiety over grooming, short-form video addiction, and infinite scrolling has never been higher.

Von der Leyen’s team hoped the app would cut through the debate, offering a practical, privacy-preserving bridge between safety and civil liberties.

Instead, the hack highlighted the gap between political ambition and technical reality.

Critics argue that age-assurance tools have long struggled with bypasses, such as VPNs, shared devices, and family hand-me-downs, and that rushing an imperfect system risks eroding trust in the broader European digital-identity wallet project slated for wider rollout by the end of 2026.

What emerges is a familiar tension in Europe's digital agenda: the urgent need to protect the youngest users versus the equally pressing demand for robust, tamper-proof technology. The app's open-source nature allowed rapid scrutiny, which is a strength, but it also exposed design shortcuts that seasoned hackers exploited with little more than file-manager access on an Android device.