That's not the real age verification app (there is no "EU app", every member state releases their own), it's the proof of concept that was made to demonstrate the system.
This stuff is also why the EU doesn't want the app to run on rooted devices. I don't believe there's a way to pass Strong Integrity yet, as the app doesn't support the hackable Android 8 software attestation.
IMO the implementation is crucial. If everything is locally on the device and I can confirm digitally that I'm older than 18 BUT NOTHING ELSE is leaked, like the German eID supports (I think).
Do you also dislike the concept of requiring to be a certain age to say enter a strip club or a sex club?
If not, what is the difference between those controls and having to be a certain age to enter porn sites?
Genuinely curious. To me, the primary objection to the online controls has been the implementations. The EU implementation will be[1] even better than the strip club, where the bouncer sees your ID and can remember it, when they move to zero-knowledge proofs.
Secondly, it's the dumbest comparison anyone could possibly make.
The difference with a porn website is as follows:
- the age check on porn sites are notoriously dumb and useless, it's literally a meme. It was a meme before there were memes.
- I choose to go on porn sites. It's not exactly a requirement that I get access to a porn site. Access to my OS on my device to work, have fun or do whatever I want privately is kind of a lot more necessary.
"Zero knowledge proof". Yeah OK. I've got a few dozen bridges to sell you. Interested?
If the app wants to take advantage of mandatory hardware attestation, it has to require Android 13 or later. This would undermine somewhat the promise that the app supports a wide range of devices. Even banks don't currently enforce Android 13+.
> On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.
> This stuff is also why the EU doesn't want the app to run on rooted devices.
I would argue the EU doesn't want to run it on rooted devices because malware could violate the security sandbox and intercept information. This is largely the same reason why Google Pay requires SafetyNet.
That's exactly what this hack is doing: using root to alter the app's internal storage. The Twitter video does it manually, but the problem is the same as when one does it through automated means.
Shows yet again: apps are secure because people check them. And politicians will avoid it at all costs for the same reason: it exposes them to being blamed for mistakes.
This stuff is also why the EU doesn't want the app to run on rooted devices. I don't believe there's a way to pass Strong Integrity yet, as the app doesn't support the hackable Android 8 software attestation.
Why/how would this be a bad thing?
If not, what is the difference between those controls and having to be a certain age to enter porn sites?
Genuinely curious. To me, the primary objection to the online controls has been the implementations. The EU implementation will be[1] even better than the strip club, where the bouncer sees your ID and can remember it, when they move to zero-knowledge proofs.
[1]: https://digital-strategy.ec.europa.eu/en/news/commission-rel...
Secondly, it's the dumbest comparison anyone could possibly make.
The difference with a porn website is as follows:
- the age check on porn sites are notoriously dumb and useless, it's literally a meme. It was a meme before there were memes.
- I choose to go on porn sites. It's not exactly a requirement that I get access to a porn site. Access to my OS on my device to work, have fun or do whatever I want privately is kind of a lot more necessary.
"Zero knowledge proof". Yeah OK. I've got a few dozen bridges to sell you. Interested?
Although, hardware attestation should be available for Android 8+. Only older Android versions can be spoofed.
You can still get strong integrity, but [as the docs state](https://developer.android.com/google/play/integrity/verdicts):
> On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.
Where does the EU say so?
I would argue the EU doesn't want to run it on rooted devices because malware could violate the security sandbox and intercept information. This is largely the same reason why Google Pay requires SafetyNet.
Wow.
And then this person says the pin shouldn't be encrypted (but I bet if this was otherwise they would be complaining as well)
I think scrutiny over the apps are fine, but treating every issue with the same brush is not
> this product will be the catalyst for an enormous breach at some point
Breach of what exactly is not clear since most information never leaves the phone
But more importantly, it's not being deleted from your phone. You know, your phone with all of your other photos
Yes it should be fixed, but this "all of nothing" approach to security is just counter-productive
so the problem of bypassing age verification by hacking saved files doesn't arise at all!
/s