‘No more excuses’: Von der Leyen says EU age checking app is ready
Someone is proposing Play Integrity for the app in the issues. That person seems to be using AI, as they filed dozens of issues.
github.com/eu-digital-identity-wallet/av-app-android-wallet-ui
[Security] No root / tampered-device detection
opened 06:47PM - 16 Apr 26 UTC
z1000biker
Labels: security, enhancement, priority: high

Summary
The application performs no check for rooted devices, emulators, or tampered environments before allowing access to wallet credentials. Given that the SharedPreferences protection relies on Android's sandbox (see related issues for additional weaknesses), a rooted device completely negates all storage-level protections. Biometric authentication data, PIN encryption material, and the keystore alias are all recoverable on a rooted device.

Affected area
No relevant detection code was found in any Kotlin source file across the entire repository.

Impact
An attacker in possession of a rooted device can:
- Read eudi-wallet.xml SharedPreferences directly.
- Extract CryptoAlias → use with KeyStore.getKey() (accessible to root) to recover the AES key.
- Decrypt PinEnc using the recovered key and PinIv.
- Reset PinFailedAttempts and PinLockoutUntil for unlimited brute-force.

Suggested fix
Integrate Google Play Integrity API at app startup and before any credential access:

```kotlin
import com.google.android.play.core.integrity.IntegrityManagerFactory
import com.google.android.play.core.integrity.IntegrityTokenRequest

// In SplashInteractor or Application.onCreate()
val integrityManager = IntegrityManagerFactory.create(context)
val request = IntegrityTokenRequest.builder() // the Play Integrity client exposes builder(), not newBuilder()
    .setNonce(generateNonce())               // nonce issued per session, so the verdict cannot be replayed
    .build()
integrityManager.requestIntegrityToken(request)
    .addOnSuccessListener { response ->
        // The token is encrypted; decryption and verdict checks happen on a back end.
        // decodeAndVerifyToken and the verdict types below are app-side placeholders.
        val verdict = decodeAndVerifyToken(response.token())
        if (!verdict.deviceIntegrity.deviceRecognitionVerdict
                .contains(DeviceRecognitionVerdict.MEETS_DEVICE_INTEGRITY)) {
            // Block access and inform user
        }
    }
```

As a fallback for devices without Play Services, consider a library such as RootBeer for heuristic root detection.
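The client snippet in the issue stops at "decode and verify"; the part that actually decides anything is the server-side check of the decrypted verdict. The following is an added example (not code from the wallet project or the issue author) of that back-end step in Python: it takes the decoded Play Integrity verdict JSON (assumed to have been decrypted upstream via Google's decode endpoint) and rejects replayed, stale, mis-targeted or non-integrity verdicts before credential access is granted. Package name, nonce and timestamps are constructed placeholders.

```python
import time
from typing import Optional, Tuple

# Label documented for deviceIntegrity.deviceRecognitionVerdict in a decoded verdict.
MEETS_DEVICE_INTEGRITY = "MEETS_DEVICE_INTEGRITY"

# Constructed sample values; not the project's real package name or a real nonce.
PACKAGE = "eu.example.avwallet"
NONCE = "c2Vzc2lvbi1ub25jZS0xMjM0"
NOW_MS = 1_776_360_000_000

SAMPLE_OK = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": NONCE,
                       "timestampMillis": str(NOW_MS - 30_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": PACKAGE},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY",
                                                     "MEETS_BASIC_INTEGRITY"]},
}
# Same request from a rooted/tampered device: the device verdict list comes back empty.
SAMPLE_ROOTED = dict(SAMPLE_OK, deviceIntegrity={"deviceRecognitionVerdict": []})

def check_integrity_verdict(payload: dict, expected_nonce: str, expected_package: str,
                            now_ms: Optional[int] = None,
                            max_age_ms: int = 5 * 60 * 1000) -> Tuple[bool, str]:
    """Return (allowed, reason) for an already-decrypted Play Integrity verdict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = payload.get("requestDetails", {})
    # The nonce must be the one this server issued for the session (anti-replay).
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    # Reject stale or future-dated verdicts.
    try:
        ts = int(req.get("timestampMillis", "0"))
    except ValueError:
        return False, "bad timestamp"
    if now_ms - ts > max_age_ms or ts > now_ms + 60_000:
        return False, "verdict too old or future-dated"
    # The verdict must be about our package, and the app must be Play-recognized.
    app = payload.get("appIntegrity", {})
    if req.get("requestPackageName") != expected_package or app.get("packageName") != expected_package:
        return False, "package mismatch"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app verdict: " + str(app.get("appRecognitionVerdict"))
    # The device check the issue asks for: require MEETS_DEVICE_INTEGRITY.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if MEETS_DEVICE_INTEGRITY not in labels:
        return False, "device integrity not met: " + (", ".join(sorted(labels)) or "<none>")
    return True, "ok"
```

Checking the nonce and timestamp matters as much as the device label: a verdict that is not bound to the current session can be captured on a healthy device and replayed from a rooted one.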
Also of note
github.com/eu-digital-identity-wallet/av-app-android-wallet-ui
Add to F-Droid
opened 03:46PM - 15 Apr 26 UTC
licaon-kter
ref: https://f-droid.org/docs/Inclusion_Policy/

On a quick look, I guess a FLOSS flavor can be made with these changes:
* replacing com.google.mlkit: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/blob/2026.04-1/passport-scanner/build.gradle.kts#L59
* removing com.google.gms.google-services: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/blob/2026.04-1/build.gradle.kts#L27
* rebuilding or using a maven repo for jj2000_imageutil.jar: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/tree/2026.04-1/passport-scanner/libs
* rebuilding or using a maven repo for libavfacelib.so and libonnxruntime.so: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/tree/2026.04-1/passport-scanner/src/main/jniLibs

But eudi-lib-android-wallet-core depends on https://mvnrepository.com/artifact/com.google.android.gms/play-services-identity-credentials and that's harder to fix (I guess https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/discussions/19 ).

So, are there plans for this app to ever be open source, or was that just a lie in https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_26_817 ? 😀

/LE: updated stuff that needs to be fixed