Comment by jeroenhd

4 days ago

That's not the real age verification app (there is no "EU app", every member state releases their own), it's the proof of concept that was made to demonstrate the system.

This stuff is also why the EU doesn't want the app to run on rooted devices. I don't believe there's a way to pass Strong Integrity yet, as the app doesn't support the hackable Android 8 software attestation.

I just want this whole idea to kindly please bog off. We shouldn't be further creating the apparatus of the surveillance state.

  • Yeah, I don’t like how the discussion is shifting to implementation details, instead of debating whether any of this is good or necessary.

    • IMO the implementation is crucial. If everything is locally on the device and I can confirm digitally that I'm older than 18 BUT NOTHING ELSE is leaked, like the German eID supports (I think).

      Why/how would this be a bad thing?

  • I want corrupt politicians to bog off and people to think long term. I guess we’re both going to be very disappointed.

If the app wants to take advantage of mandatory hardware attestation, it has to require Android 13 or later. This would undermine somewhat the promise that the app supports a wide range of devices. Even banks don't currently enforce Android 13+.

> This stuff is also why the EU doesn't want the app to run on rooted devices.

I would argue the EU doesn't want to run it on rooted devices because malware could violate the security sandbox and intercept information. This is largely the same reason why Google Pay requires SafetyNet.

  • That's exactly what this hack is doing: using root to alter the app's internal storage. The Twitter video does it manually, but the problem is the same as when one does it through automated means.