

A security researcher demonstrated that the European Union's recently launched age verification app can be bypassed in less than two minutes, raising fresh doubts about the bloc's ability to protect children online while preserving privacy.
A newly unveiled European Union age verification app is already under fire after a security researcher claimed he bypassed its protections in under two minutes. The app, launched as part of the EU's effort to curb children's access to social media and adult content online, contains critical design flaws that undermine its core purpose. The incident emerged just days after the technology was presented as a privacy‑friendly way for platforms to check users' ages without retaining personal data.
During setup, the app asks users to create a personal identification number (PIN). After entry, the app encrypts the PIN and saves it in the device's shared_prefs directory. Security experts have criticised this approach, noting that storing encrypted data locally without proper protection allows attackers with device access to decrypt and retrieve the PIN, effectively bypassing the age verification system. Beyond the local storage vulnerability, researchers have also identified that the system can be circumvented using virtual private networks (VPNs), which allow users to mask their geographic location and appear as if they are accessing the internet from outside the EU's jurisdiction where the age verification requirements apply.
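One way to avoid keeping a recoverable PIN in shared_prefs, shown as an added example that is not code from the EU app or from this article: store only a salted HMAC tag computed with a non-exportable Android Keystore key, so the preference file alone reveals nothing about the PIN. The key alias, preference file name and function names are hypothetical.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.KeyGenerator
import javax.crypto.Mac

// Hypothetical names chosen for this example, not taken from the EU app.
private const val KEY_ALIAS = "pin_verifier_key"
private const val PREFS = "pin_store"

// Returns an HMAC-SHA256 instance keyed with a Keystore-resident key.
// The key is created on first use and its bytes never leave the Keystore
// (hardware-backed where the device supports it).
private fun keystoreMac(): Mac {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    if (!ks.containsAlias(KEY_ALIAS)) {
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, "AndroidKeyStore").apply {
            init(KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN).build())
            generateKey()
        }
    }
    return Mac.getInstance("HmacSHA256").apply { init(ks.getKey(KEY_ALIAS, null)) }
}

// One-way tag over salt || PIN; the PIN cannot be decrypted back out of it.
private fun pinTag(salt: ByteArray, pin: CharArray): ByteArray {
    val mac = keystoreMac()
    mac.update(salt)
    return mac.doFinal(pin.concatToString().toByteArray(Charsets.UTF_8))
}

// Enrolment: persist only the random salt and the tag, never the PIN itself.
fun enrolPin(ctx: Context, pin: CharArray) {
    val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
        .putString("salt", Base64.encodeToString(salt, Base64.NO_WRAP))
        .putString("tag", Base64.encodeToString(pinTag(salt, pin), Base64.NO_WRAP))
        .apply()
}

// Verification: recompute the tag and compare in constant time.
fun verifyPin(ctx: Context, pin: CharArray): Boolean {
    val prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    val salt = Base64.decode(prefs.getString("salt", null) ?: return false, Base64.NO_WRAP)
    val stored = Base64.decode(prefs.getString("tag", null) ?: return false, Base64.NO_WRAP)
    return MessageDigest.isEqual(stored, pinTag(salt, pin))
}
```

The example covers PIN storage only; limiting the number of verification attempts is a separate control.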
A senior European Commission official acknowledged that the age verification system can be bypassed using a VPN but emphasised that the initiative was not primarily aimed at policing individual users' online behaviour. Instead, the official stated the framework is designed to provide online platforms with a harmonised, privacy‑preserving method for age verification across member states. The Commission has said it will examine the researcher's findings and work with national data protection agencies to assess whether any remedial action is required.
The security lapse comes as several European countries are already pursuing or implementing social media access bans for children. Critics argue that the flawed age verification app could undermine broader efforts to protect minors online, while privacy advocates warn that any mandatory age verification system risks creating surveillance infrastructure that could be expanded beyond its original purpose. The episode also reignites debate over the trade‑off between safety and privacy in digital regulation, with some experts suggesting that resources might be better spent on digital literacy programmes and parental controls rather than technological fixes that introduce new risks.
Privacy Guides community members highlighted the poor encryption practices, noting that the PIN should not be stored in an accessible format at all. Cybersecurity researchers pointed out that the ease of bypass suggests insufficient security testing prior to public release, calling for immediate patches and a fundamental redesign of the authentication mechanism. Some academics have warned that rushed rollout of age‑verification tools, driven by political pressure to act quickly on child‑safety concerns, often overlooks robust threat modelling and user‑testing phases.
The EU age verification app was technically ready by mid‑April 2026, with plans for initial adoption by seven pilot countries by the end of the year. Once fully implemented, the system would require users to verify their age when accessing adult websites from within the European Union, either through this app or similar approved alternatives. The Commission has indicated that it will issue updated guidance to member states within the coming weeks, and may consider requiring third‑party security certification before any large‑scale deployment proceeds.