this post was submitted on 19 Apr 2026
89 points (94.9% liked)

Privacy

48139 readers
17 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago
MODERATORS
 

The EU's age verification app can be hacked in 2 minutes. (Found by Paul Moore)

Demo:
https://youtu.be/1hfDOhrNx1I

In short:
- The PIN you set to lock the app is encrypted, not hashed, which means that with the private key of the app it could be reversed (there's no need to get that, as you'll see in the next points).
- Once you verify your age, the pictures and data identifying you are not deleted. Although on regular phones you and other apps can't access them as they are protected at the Android level, this is still a breach of GDPR.
- The app's data is stored in a shared preferences file, which is pretty much just plain text. If you delete the key for your PIN, the app will let you create a new one, and still access the data of the old account.
- Nevertheless, the EU still brands it as a privacy friendly option on their site at https://t.ly/labwF

In short, don't verify your age online! This is really bad for privacy!
@privacy

#privacy #europe #opensource #cybersecurity #ageverification
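An added example (not code from the post or from the EU wallet project) that models the two storage defects the post lists next to the fix a defender would apply: a PIN reversibly encrypted with a key baked into the app, sitting beside identity data in a plain-text key/value file, versus a salted one-way verifier with the identity data encrypted under a PIN-derived key, so deleting the PIN record and setting a fresh one wipes the old data instead of adopting it. APP_KEY, the dict standing in for SharedPreferences, and the HMAC-counter stream cipher standing in for AES-GCM are assumptions of the demo, not details of the real app.

```python
import hashlib
import hmac
import secrets

APP_KEY = hashlib.sha256(b"constructed: constant key baked into the apk").digest()  # same on every device

def prf_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; stands in for AES-GCM so the demo needs no extra packages."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class WeakPrefs:  # the pattern the post describes
    def __init__(self):
        self.prefs = {}  # plain-text key/value file, like Android shared_prefs XML
    def set_pin(self, pin: str) -> None:
        if "pin" in self.prefs:
            raise PermissionError("PIN already set")
        self.prefs["pin"] = prf_stream_xor(APP_KEY, b"fixed", pin.encode())  # encrypted, not hashed
    def store_identity(self, blob: bytes) -> None:
        self.prefs["identity"] = blob  # stored in clear, not bound to the PIN at all
    def unlock(self, pin: str) -> bytes:
        real = prf_stream_xor(APP_KEY, b"fixed", self.prefs["pin"])  # anyone holding APP_KEY can do this
        if not hmac.compare_digest(real, pin.encode()):
            raise PermissionError("wrong PIN")
        return self.prefs["identity"]

class HardenedPrefs:  # one-way verifier, data encrypted under a PIN-derived key
    def __init__(self):
        self.prefs = {}
    def _kek(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.prefs["salt"], 200_000)
    def set_pin(self, pin: str) -> None:
        if "verifier" in self.prefs:
            raise PermissionError("changing the PIN needs the old PIN (omitted here)")
        self.prefs.pop("identity", None)  # no trusted PIN record: leftover data is wiped, not adopted
        self.prefs["salt"] = secrets.token_bytes(16)
        self.prefs["verifier"] = hashlib.sha256(b"verify|" + self._kek(pin)).digest()  # not reversible
    def _check(self, pin: str) -> bytes:
        kek = self._kek(pin)
        if not hmac.compare_digest(hashlib.sha256(b"verify|" + kek).digest(), self.prefs["verifier"]):
            raise PermissionError("wrong PIN")
        return kek
    def store_identity(self, pin: str, blob: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.prefs["identity"] = nonce + prf_stream_xor(self._check(pin), nonce, blob)
    def unlock(self, pin: str) -> bytes:
        return prf_stream_xor(self._check(pin), self.prefs["identity"][:16], self.prefs["identity"][16:])
```

In the hardened store the file holds only a salt, a verifier and ciphertext, so nothing in it can be turned back into the PIN or the identity without the PIN itself.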

[–] vapeloki@lemmy.world 2 points 4 days ago (1 children)

This is the 20th post I see about this.

And for the 10th time I will say it:

This is a prototype release. This is not a production ready release. It demos the integration. Each country will build their own app.

[–] helloyanis@furries.club 2 points 4 days ago (1 children)

@vapeloki While this is a prototype release, yes, it shows they don't have user privacy at the core of their product despite what the branding seems to imply.

Usually prototypes come with missing features, but right now the features are in a state with fundamental security flaws and they'd almost need to rebuild a whole app to fix that. Usually a prototype is to prove that a concept works, not how insecure it is.

Also, besides that, the president of the EU commission publicly stated that the app is production ready with the world's best security standards. See https://xcancel.com/vonderleyen/status/2044340323120193595#m. I don't think this would get posted if they thought that the app's security infrastructure was broken and that this is just a prototype 🫤

[–] vapeloki@lemmy.world 1 points 4 days ago* (last edited 4 days ago) (1 children)

First sentence in the GitHub readme

The demo version is being updated. We will continue to release updates on the demo versions for community testing.

And once again: each country has to implement its own app. This version is just a technology demo and intended to be tested, hacked and reviewed.

Edit : forgot the link to the repo https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui

[–] helloyanis@furries.club 2 points 4 days ago (1 children)

@vapeloki From Ursula von der Leyen on Twitter, April 15th:
"The European Age Verification App is ready"
"Our app ticks all the boxes.
✅ Highest privacy standards in the world
[...]"

The GitHub readme note was added on April 17th, so after the backlash. I guess that means they are aware they need to update stuff, at least, but again it shows how they thought the app was good to go and production ready while it clearly was not.

Obviously Ursula von der Leyen is not a developer of the app so at some point she must have been told by the developers that the app was ready, then people saw it wasn't so they added the note to the GitHub readme. That's how I think things went.

[–] vapeloki@lemmy.world 1 points 4 days ago (1 children)

We are getting somewhere. So a bunch of devs develop an SDK, and some demo implementations. No country adopted the app yet, there is no version that works, as there is no version by an ID card authority.

It does not matter what Ursel said, there is no app. There is only an SDK.

And then the press talks about "the App". Why would one add such a note in the first place? Only because of this reporting.

https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui#important-note

The current version is not feature complete and will require further integration work before production deployment. In particular, any national-specific enrolment procedures must be implemented by the respective Member States or publishing parties.

[–] helloyanis@furries.club 3 points 4 days ago (1 children)

@vapeloki I really don't get what you say with "there is no app". The repo is literally called "age verification Android application". It's not an SDK.
Also, why shouldn't it matter what Ursula said? The part of the readme you linked me mentions "In particular, any national-specific enrolment procedures must be implemented by the respective Member States or publishing parties". This does not relate to the security of how data is stored.

"The current version is not feature complete", well, it's not what I'm complaining about. The thing is the features that are there are not well made and use an approach that doesn't focus on security and privacy.

Yes it's a demo, but if they want people to base their implementation on that, then every implementation will be faulty. A demo is meant to DEMOnstrate how it's done. It never says anywhere it's a prototype, and if it was so, they wouldn't brag about top notch security on their web page.

But anyways, you probably won't change your mind.

[–] vapeloki@lemmy.world 1 points 3 days ago (1 children)

Ok, once again in slow: each country must implement their own app.

One for Germany, one for France and so on. Because it has to be tied into the ID card system of the country.

You can build the app in the repo but the app can not do any age verification without this integration. I even cited the fucking sentence from the readme.

[–] helloyanis@furries.club 0 points 3 days ago (1 children)

@vapeloki The issue is, once again, not that the app allows you to bypass age verification or anything with how countries implement it. It's that the app makes it extremely easy to get the data and spoof someone else, while claiming it's secure and privacy focused while it is not.
A practical example would be:
- Someone steals my phone
- They can access the app as they can bypass the PIN
- They can appear and act as myself on any platform that will use the system to verify
No matter how countries implement it or how the app is still "in development", I'm just saying that this current implementation is insecure and can be very easily hacked, besides what is being said in public spaces like the dedicated website and the Twitter account of the president of the EU commission.
I will probably stop replying to this thread now, as you keep telling me the same arguments and even when I demonstrate how I disagree with them, you keep repeating the same ones, so I'll just stop wasting my time.

[–] vapeloki@lemmy.world 1 points 3 days ago

I don't say the code isn't sloppy and should never go live in its state.

I say: show me the app on the app store that you can download and use.

We are talking about security issues in a reference implementation.

We are not talking about an app. All this does is to spread fear, and if this whole thing is not accepted by the public because of this, what then? We land up in a privatisation scenario once again and then fuck privacy.

This state of the codebase is fixable, but stop talking about it like it would be a released app. It is not.