GoKawiilCyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app's design.
The saga is turning into a PR disaster for Brussels. But underneath the controversy over the code lie deeper divisions between privacy campaigners, child rights groups, tech firms and politicians over how to protect minors online — as leaders promise to shield kids from social media and porn sites.
Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes.
Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.
Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
The European Commission on Friday stood by its statement that the app is technically ready. "Yes, it is ready. Maybe we can add, 'and it can always be improved'," Chief Spokesperson Paula Pinho told reporters.