The EU’s age verification app can be hacked in 2 minutes. (Found by Paul Moore)

Demo :
https://youtu.be/1hfDOhrNx1I

In short :
- The pin you set to lock the app is encrypted, not hashed, which means with the private key of the app it could be reversed (there’s no need to get that as you’ll see in the next points
- Once you verify your age, the pictures and data identifying you is not deleted. Although on regular phones you and other apps can’t access it as they are protected at the Android level, this is still a breach of GDPR
- The app’s data is stored in a shared preferences file, which is pretty much just plain text. If you delete the key for your PIN, the app will let you create a new one, and still access the data of the old account.
- Nevertheless, the EU still brands it as a privacy friendly option on their site at https://t.ly/labwF

In short, don’t verify your age online! This is really bad for privacy!
@privacy

#privacy #europe #opensource #cybersecurity #ageverification

  • vapeloki@lemmy.world
    1·
    4 days ago

    We are getting somewhere. So a bunch of devs develop an SDK, and some demo implementations. No country adopted the app yet, there is no version that works, as there is no version by an ID card authority.

    It does not matter what Ursel said, there is no app. There is only an SDK.

    And to then the press talks about “the App”. Why would one add such a node in the first place? Only because of this reporting.

    https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui#important-note

    The current version is not feature complete and will require further integration work before production deployment. In particular, any national-specific enrolment procedures must be implemented by the respective Member States or publishing parties.

    • 🦊 helloyanis :veripawed3:@furries.clubOP
      3·
      4 days ago

      @vapeloki I really don’t get what you say with “there is no app”. The repo is literally called " age verification Android application". It’s not an SDK
      Also, why shouldn’t it matter what Ursula said?The part of the readme you linked me mentions “In particular, any national-specific enrolment procedures must be implemented by the respective Member States or publishing parties”. This does not relate to the security of how data is stored.

      “The current version is not feature complete”, well, it’s not what I’m complaining about. The thing is the feature that are there are not well made and use an approach that don’t focus on security and privacy.

      Yes it’s a demo but if they want people to base their implementation based on that, then every implemenation will be faulty. A demo is meant to DEMOnstrate how it’s done. It never says anywhere it’s a prototype and if it was so, they wouldn’t brag about top notch security on their web page.

      But anyways, you probably won’t change your mind.

      • vapeloki@lemmy.world
        1·
        4 days ago

        Ok, once again in slow: each country must implement their own app.

        One for Germany, one for France and so on. Because it has to be tied into the ID card system of the country.

        You can build the app in the repo but the app can not do any age verification without this integration. I even cited the fucking sentence from the readme.

        • 🦊 helloyanis :veripawed3:@furries.clubOP
          0·
          4 days ago

          @vapeloki The issue is, once again, not that the app allows you to bypass age verification or anything with how countries implement it. It’s that the app makes it extremely easy to get the data and spoof someone else, while claiming it’s secure and privacy focused while it is not.
          A prectical example would be :
          - Someone steals my phone
          - They can access the app as they can bypass the PIN
          - They can appear and act as myself on any platform that will use the system to verify
          No matter how countries implement it or how the app is still “in development”, I’m just saying that this current implementation is insecure and can be very easily hacked besides what is being said on the public spaces like the dedicated website and the twitter account of the president of the EU commission.
          I will probably stop replying to this thread now as you keep telling me the same arguments and even when I demonstrate how I disagree with them, you keep repeating the same ones so I’ll just stop wasting my time

          • vapeloki@lemmy.world
            1·
            4 days ago

            I don’t say the code isn’t sloppy and should never go live I. It’s state.

            I say: show me the app on the app store that you can download and use.

            We are talking about security issues in a reference implementation.

            We are not talking about an app. All this does is to spread fear and if this whole thing is not accepted by the Public because of this , what then? We land up in a privatisation scenario once again and then fuck privacy.

            This state of the Codebase is fixable, but stop talking about it like it would be a released app. It is not.