EU age verification app hacked, 2 minute How to posted

Posted by johanstokking 6 hours ago

Counter40Comment14OpenOriginal

Comments

Comment by jeroenhd 4 hours ago

That's not the real age verification app (there is no "EU app", every member state releases their own), it's the proof of concept that was made to demonstrate the system.

This stuff is also why the EU doesn't want the app to run on rooted devices. I don't believe there's a way to pass Strong Integrity yet, as the app doesn't support the hackable Android 8 software attestation.

Comment by atanasi 17 minutes ago

If the app wants to take advantage of mandatory hardware attestation, it has to require Android 13 or later. This would undermine somewhat the promise that the app supports a wide range of devices. Even banks don't currently enforce Android 13+.

Comment by jeroenhd 6 minutes ago

The reference wallet uses a minimum API level 29 (https://github.com/eu-digital-identity-wallet/av-app-android...)

Although, hardware attestation should be available for Android 8+. Only older Android versions can be spoofed.

You can still get strong integrity, but [as the docs state](https://developer.android.com/google/play/integrity/verdicts):

> On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.

Comment by azalemeth 4 hours ago

I just want this whole idea to kindly please bog off. We shouldn't be further creating the apparatus of the surveillance state.

Comment by ilumanty 1 hour ago

Yeah I don’t like how the discussion is shifting to implementation details, instead of debating whether any of this is good or necessary

Comment by ChocolateGod 4 hours ago

> This stuff is also why the EU doesn't want the app to run on rooted devices.

I would argue the EU doesn't want to run it on rooted devices because malware could violate the security sandbox and intercept information. This is largely the same reason why Google Pay requires SafetyNet.

Comment by jeroenhd 5 minutes ago

That's exactly what this hack is doing: using root to alter the app's internal storage. The Twitter video does it manually, but the problem is the same as when one does it through automated means.

Comment by izacus 2 hours ago

So this "hack" is basically reading app storage on a rooted phone?

Wow.

Comment by raverbashing 5 hours ago

"hacked"

And then this person says the pin shouldn't be encrypted (but I bet if this was otherwise they would be complaining as well)

I think scrutiny over the apps are fine, but treating every issue with the same brush is not

> this product will be the catalyst for an enormous breach at some point

Breach of what exactly is not clear since most information never leaves the phone

Comment by archerx 5 hours ago

Maybe the biometric and photos of id and possibly selfies not being deleted properly?

Comment by raverbashing 5 hours ago

Yes (later in the thread it seems to be the case, though xcancel makes threads even more confusing)

But more importantly, it's not being deleted from your phone. You know, your phone with all of your other photos

Yes it should be fixed, but this "all of nothing" approach to security is just counter-productive

Comment by spwa4 4 hours ago

Shows yet again: apps are secure because people check them. And politicians will avoid it at all costs for the same reason: it exposes them to being blamed for mistakes.

Comment by fvv 3 hours ago

There's one thing "the hackers" haven't considered, though! It's illegal to hack an app in the EU,

so the problem of bypassing age verification by hacking saved files doesn't arise at all!

/s

Comment by indigomm 2 hours ago

I assume it's also illegal as someone underage to access all the things protected by the age verification app. So we don't need the app then :-)