New EU age verification app hacked? Researcher demonstrates 2-minute bypass

A security researcher has shown it takes less than two minutes to bypass the European Union’s new age verification app using nothing more than a basic file edit on an Android phone.

Paul Moore, who works as a security consultant, posted a screen recording on X showing exactly how it’s done. 

Hacking the #EU #AgeVerification app in under 2 minutes.

During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.

1. It shouldn’t be encrypted at all – that’s a really poor design.
2. It’s not… https://t.co/z39qBdclC2 pic.twitter.com/FGRvWtWzaZ

— Paul Moore – Security Consultant  (@Paul_Reviews) April 16, 2026

He went through the regular setup first. The app had him create a six-digit PIN, confirm it, pick a verification method, and receive the official 18+ digital credential. Everything looked normal up to that point.

Then Moore switched to a file explorer, opened the app’s shared_prefs folder, and deleted the encrypted PIN entries from eudi-wallet.xml. After restarting the app and entering a brand new PIN, it accepted the change and let him use the original credentials.

The same config file also controls other security features. Reset the rate limiting number to zero, and you can keep guessing PINs indefinitely. Change one boolean value and the app skips biometric checks completely. It all takes just basic file editing.

This demo dropped right after the European Commission announced the app was technically ready. Ursula von der Leyen had called it a high-privacy, open-source solution to protect kids online and urged countries to adopt it fast.

Keep in mind that it’s still labeled as an early development version on GitHub. The readme itself warns that security and privacy standards are lower than final releases and advises against using it in production.

Still, Moore warned that an app like this could lead to a serious breach down the line. The video has already racked up over 2.6 million views.

Online reactions on Reddit and X have been all over the place. Some say physical access to a rooted phone compromises almost any app anyway. Others called the design sloppy, especially since the PIN isn’t properly linked to the actual identity data.

Telegram founder Pavel Durov took it further. In a post, he argued the app was hackable by design because it trusted the device completely. He suggested the EU might now use this breach as an excuse to strip away the privacy features and quietly turn the whole thing into a broader surveillance tool for social media.

The EU plans to push national versions into digital identity wallets later this year. Whether they fix these core problems first remains to be seen.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.