this post was submitted on 27 Jul 2025
513 points (99.2% liked)

Technology

73346 readers
4991 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
513
EU age verification app to ban any Android system not licensed by Google (www.reddit.com)
submitted 1 day ago* (last edited 1 day ago) by Gsus4@mander.xyz to c/technology@lemmy.world
90 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] artyom@piefed.social 219 points 1 day ago* (last edited 1 day ago) (16 children)

Please don't link to Reddit. Context below:

The EU is currently developing a whitelabel app to perform privacy-preserving (at least in theory) age verification to be adopted and personalized in the coming months by member states. The app is open source and available here: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui.

Problem is, the app is planning to include remote attestation feature to verify the integrity of the app: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui?tab=readme-ov-file#disclaimer. This is supposed to provide assurance to the age verification service that the app being used is authentic and running on a genuine operating system. Genuine in the case of Android means:

  • The operating system was licensed by Google

  • The app was downloaded from the Play Store (thus requiring a Google account)

  • Device security checks have passed

While there is value to verify device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS, even those which increase security significantly like GrapheneOS, because the app plans to use Google "Play Integrity", which only allows Google licensed systems instead of the standard Android attestation feature to verify systems.

This also means that even though you can compile the app, you won't be able to use it, because it won't come from the Play Store and thus the age verification service will reject it.

The issue has been raised here https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/10 but no response from team members as of now.

[–] Appoxo@lemmy.dbzer0.com 2 points 1 day ago (4 children)

Wouldnt it be enough to verify through IMEI to make sure the OS isnt emulated?

[–] artyom@piefed.social 6 points 1 day ago (1 children)

IMEI is PII

[–] Appoxo@lemmy.dbzer0.com 1 points 1 day ago (2 children)

Is it tied to my real identity?
If not it seems to me that it should be sufficient as to serve as a security this phone is legit and not emulated/compromised.

[–] Redjard@lemmy.dbzer0.com 1 points 18 hours ago

In the eu, phone numbers by law are tied to state identities.
And the phone provider can naturally resolve their sim IDs down to the phone number they are assigned to.
Anything related to celltower interactions is PII.

[–] artyom@piefed.social 7 points 1 day ago* (last edited 1 day ago)

Yes it's tied to your identity. That's what PII is. It's also not tied at all to your OS.

load more comments (2 replies)
load more comments (13 replies)