Hacker News Viewer

Brussels launched an age checking app. Hackers took 2 minutes to break it

by axbyte on 4/20/2026, 8:49:22 AM

https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/

Comments

by: edarchis

Please stop saying "Brussels" to mean the EU. It's a nasty trick to give the idea that it's some kind of external entity forcing your country to do something. It's not. It's an assembly. And it's insulting to people from Brussels. I don't want this any more than you do.

4/21/2026, 7:59:09 AM


by: Sweepi

These are the sources cited by the article:

[1] https://xcancel.com/Paul_Reviews/status/2044502938563825820

[2] https://xcancel.com/paul_reviews/status/2044723123287666921

[3] https://csa-scientist-open-letter.org/ageverif-Feb2026

> "The saga is turning into a PR disaster for Brussels."

imo: mostly because the author wants it to be a disaster.

The app has not launched; they published the source code in order to invite external review. I don't have time to check every claim, but e.g. this [see quote below] seems to be blown out of proportion to me: the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device. If an adversary has access to the internal disk of my phone, they can also just access the photo roll.

"For selfie pictures:

Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.

This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."

4/20/2026, 9:47:36 AM


by: yaro330

Oh God not this stupid tweet again. He's "hacking" it from a rooted phone. You can't just willy-nilly edit those files like that on a normal phone. Fml, I would've written a CN under that.

On top of that they didn't infiltrate anything.

4/21/2026, 9:18:10 AM


by: JimDabell

Note that this is an implementation of eIDAS:

https://www.eudi-wallet.eu/

The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs, to avoid disclosing your identity to anybody.

If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up, but it's a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.

It's an attempt to avoid things like this:

> Discord says 70k users may have had their government IDs leaked in breach (Oct 2025, 435 comments) - https://news.ycombinator.com/item?id=45521738

4/20/2026, 9:22:16 AM


by: cm-t

It is "funny" to read every single time "to protect minors online", as if there were no adults around them, while technically those technologies are by design meant to control every single human's online access. It is not because the words are well chosen to sound unpolitical, just for "security", that it makes those laws/technologies not political. It is political.

4/21/2026, 7:07:23 AM


by: bilekas

This is not the problem the title makes it out to be. It's still in development.

> "Now, when we say it's a final version, it's ... still a demo version." He added the final product is not yet available for citizens and "the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not."

The whole idea of this age requirement is ridiculous in the first place; changing the focus to how good or bad the unnecessary tools are is nothing but a nice distraction.

4/21/2026, 10:38:59 AM


by: senorqa

Why does this app even exist? Why is everyone in this thread so okay with more surveillance? It’s ironic that people are arguing over technicalities instead of tackling the moral and societal impact of age verification.

4/21/2026, 7:11:45 AM


by: Teafling

The title of the original article seems wrong: they didn't launch the app, they published the source code ahead of the launch.

4/20/2026, 9:18:47 AM


by: arnorhs

There's something that is written between the lines here.

The EU is often portrayed as overly bureaucratic and slow-moving. The way this app was developed seems more in the line of "move fast, break things".

I don't know if that says something about the EU, or about the EU naysayers, but I thought it was worth pointing out.

4/21/2026, 10:04:51 AM


by: gorgoiler

This all feels a bit like letting children into a nightclub and then needing to see ID every time you buy a drink.

4/21/2026, 4:35:28 AM


by: nikolay

They didn't launch an app per se; they've released the source code of such an app. So, let's be more precise on the terminology, please!

4/20/2026, 10:18:51 PM


by: runnkos

1. Devs forgot to delete images in some failed scenarios. Images that do not get sent anywhere and remain locally. In an open source app anyone can calmly point to the bug and it will get fixed easily.

2. "an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file"... Any Android developer knows that to access the shared prefs file you need ROOT access on the phone, which is impossible on the stock OS. Rooting the phone requires advanced knowledge. It means deliberately nuking your phone security, which most likely will require factory resetting the phone in the process. Or a hacker would need to use a sophisticated exploit, maybe even a 0day, to access an app that would allow him to log in on some adult sites. Sounds reasonable (no).

So, the guy found two very superficial problems in an early demo app. He does not even look at the important code with the actual implementation of the zero knowledge proof cryptography, as it is way above his skill level. Throws malicious allegations mixed with blatant lies. Cries for attention to the whole internet and it gets augmented by news and people who understand security and technology even less than him. He dares call it "hacking" in under 2 minutes. That's just disgusting.

He even calls himself "Security Consultant". Lord have mercy on whoever is going to work with him.

4/20/2026, 10:41:56 PM


by: dlahoda

Why does it need documents? From the video of the liveness check it is clearly visible that a 35-year-old bearded man is over 18.

4/21/2026, 9:11:52 AM


by: throw_await

The EU let Ursula von der Leyen say a lot of false statements about this: https://netzpolitik.org/2026/gesichtsscan-und-handy-zwang-von-der-leyen-erklaert-alterskontroll-app-fuer-fertig/

4/21/2026, 7:08:35 AM


by: nalekberov

The title seems totally misleading.

The app still hasn't launched. There's only so long you can run on hype before you lose the readers you were trying to win over.

4/20/2026, 11:52:35 PM


by: akabalanza

If my kids cannot change a boolean into a json, they do not deserve the [redacted]

4/20/2026, 12:00:45 PM


by: atoav

It would be possible to implement age verification in a way that would somewhat work, and that would be to use the correct crypto on a government-issued ID card. Crypto where the OS (or a website) can ask the card "Is the holder of that card over X years old, y/n?" and the card would just answer with a binary yes/no without exposing any other data, while still checking the government signature.

Obviously that won't stop motivated teens from taking their parents' ID cards or similar mechanisms. That means any system that wants to prevent that needs to additionally ensure the identity of the card holder. And then you create a privacy nightmare.

So my proposal would be to accept that nothing is ever perfect and just use the card and ensure that system works as well as it could.

Of course "card" is a stand-in for all manner of hardware that can do it, including phones.

4/21/2026, 8:03:21 AM
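As an added example (not the EU wallet's code and not from anyone in this thread), the yes/no proof atoav describes can be built as a salted-hash selective-disclosure credential in the style of SD-JWT: the issuer signs only a list of attribute digests, the holder's device reveals only `over_18`, and the verifier checks that one attribute against the signed list without ever seeing the name or birthdate. The HMAC issuer key is a constructed stand-in for a real public-key signature, and the attribute values are made up.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key standing in for the government issuer's signing key.
# A real wallet would use a public-key signature (e.g. Ed25519) so that
# verifiers hold only the public key; HMAC keeps this example dependency-free.
ISSUER_KEY = b"constructed-demo-issuer-key"

def _digest(salt: str, name: str, value) -> str:
    """Hash one salted attribute; the salt stops guessing of low-entropy values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_credential(attributes: dict) -> dict:
    """Issuer: salt every attribute and sign only the (sorted) list of digests."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in attributes.items()}
    digests = sorted(_digest(*d) for d in disclosures.values())
    payload = json.dumps({"digests": digests}, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag, "disclosures": disclosures}

def present(credential: dict, reveal: list) -> dict:
    """Holder (card or phone): hand over the signed digest list and ONLY the chosen attributes."""
    return {"payload": credential["payload"], "tag": credential["tag"],
            "disclosures": [credential["disclosures"][n] for n in reveal]}

def disclosed_names(presentation: dict) -> list:
    """What the verifier actually learns about the holder."""
    return [name for _salt, name, _value in presentation["disclosures"]]

def verify_over_18(presentation: dict) -> bool:
    """Verifier (website): check the issuer tag, then that over_18 hashes into the signed list."""
    payload = presentation["payload"]
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return False  # digest list was altered or never issued
    signed = set(json.loads(payload)["digests"])
    for salt, name, value in presentation["disclosures"]:
        if _digest(salt, name, value) not in signed:
            return False  # a disclosed attribute was tampered with
        if name == "over_18":
            return value is True
    return False  # predicate not disclosed, so nothing is proven

if __name__ == "__main__":
    cred = issue_credential({"name": "Example Holder", "birthdate": "1990-01-01", "over_18": True})
    print(verify_over_18(present(cred, ["over_18"])))  # True, and only over_18 was revealed
```

Holder binding (the "nephew borrows the phone" case argued over elsewhere in this thread) is a separate problem that this credential format does not address.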


by: ChrisArchitect

Previously on source: https://news.ycombinator.com/item?id=47803773

4/20/2026, 3:52:44 PM


by: James_K

The "hack" in question is pointing out that the app forgets to delete images of the user's face and ID (stored). A lot of people already have pictures of their face on the phone, and often their ID as well, so this is hardly a security flaw in any real sense.

4/20/2026, 11:17:52 PM


by: soco

"Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18." - and how is that something that could, or should, be addressed by the app? Are we even serious??

4/20/2026, 9:36:07 AM


by: close04

On top of the pretty bad article, HN finds the "can't win" scenario again. There's no age verification scheme that will survive "collusion", that's when the adult allows the minor to use validated credentials, devices, etc. And whatever more intrusive age verification schemes we come up with will also fail this but add the intrusiveness to ruffle even more HN feathers. We can have the constant face, fingerprint and DNA scan for as long as the sensitive apps are used. Everything gets stored on a central server for safety so your kid can't hack the device and replace the reference sample. /s

> "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."

Love the magic step in the middle, unlock my app. Ask for passcode or faceid to "unlock your app". That's a lot of legwork the adult has to do so the child can "trick" the system.

Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc. a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?

Put a modicum of effort into protecting the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?

4/20/2026, 10:03:29 AM


by: Lapsa

reminder - there's tech out there capable of reading your mind remotely

4/21/2026, 5:41:26 AM


by: mrweasel

> "Let's say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."

While I appreciate that zero-knowledge proofs are considered, how the hell did no one in charge of the app design think of this? It's literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. You're simply showing the store that you have a phone, with an app, which was configured by someone over 18 (maybe).

Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).

You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that have verified your age" option where you can revoke the verification, in case your nephew borrows your phone.

They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.

4/20/2026, 9:37:44 AM