Maybe the security expert could read the readmes in the repos first. From the iOS app repo:
The initial development release has reduced security, privacy, availability, and reliability standards relative to future releases. This could make the software slower, less reliable, or more vulnerable to attacks than mature software.
And further:
If you’re planning to use this application in production, we recommend reviewing the following steps: […] The Pin storage configuration matches your security requirements, or provide your own by following this guide Pin Storage Configuration […]
So the text hints not at design flaws but at facts that are already stated in the readme. <irony> Plus, the major source for the article is Pavel Durov, whose messenger is of course a standard in security and privacy. </irony>
So there seems to be no news but a lot of speculation by Durov instead.
Link to app repos, both contain the disclaimers: https://github.com/eu-digital-identity-wallet/eudi-app-ios-wallet-ui https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui
I really hope they manage to do this properly. I’m all for verification on the internet, but only if it is fast, secure and reasonably private. You can do it, but nobody has so far.
I feel like I’m going insane, I thought the EU just recently passed an initiative to directly ban age verification, and then I open my feed yesterday and there is nothing else other than news about this app & I can’t find the initiative I thought I saw.
Edit: I figured out what was confusing me, the MEP just recently enshrined E2EE, which I remembered as a big win on the same level of no age verification.
I said it before and I’ll say it again, the best solution for this is to have a standard API where device admins can optionally set an age group, and that treats an unset value as signalling unrestricted access. This is so simple it’s almost impossible to fuck up, parents get a parenting tool, most people can just ignore it, and big brother can go on a long vacation.
This is what the California law requires BTW (except it makes the field mandatory which is shit). IMO in this case the EU solution is overcomplicated, it just feels like they needed an excuse to get more out of the COVID certificate investments…
deleted by creator
Yes, exactly, I mention it in my comment. It almost did the right thing and blundered in one detail.
I’m a little bit confused because all of this is moving so quickly (and badly) when the EU is known to work slow. How do they even have an app ready so quickly? Even when it’s trash. It’s almost as if they act on the ‘wisdom’: “Apologizing later is easier than asking for permission first.” I get the impression they started working on this before any legislation was even proposed.
The specification has been worked on for at least a year going by the git repo. The (android) app is a fork of the EUID Wallet app, I think, which is at least three years old.
they were already working on it?
uhm, vibe coding?
Bbbbbbut the politicians with no technical experience, knowledge or skills said that it would work! Should we trust the politicians or the actual experts?.. /s
scotus (yeah i know) said chevron bad, so let’s trust the politicians!
What’s the official stage of it? Was it already intended to be released? If not, it might be less of an issue.
Anyway it’s good that it’s open source. At the very least it encourages public discussion and in this case noticing the flaws.
The git repo calls it a demo. The website calls it a prototype. The EU Commission calls it “ready”.
But they also said it “Works on any device” and “Highest privacy standards in the world” so I guess we can’t trust what EU Commission says.
That “ready” is just typical political advertising speech. Could have been worded more carefully, but it’s forgivable. As long as the git repo and website correctly identify it as a demo/prototype, it seems fine to me. E.g. not using the security enclave is totally fine for a demo. It doesn’t affect the general protocol design. There’s a lot of hostility both to these initiatives as well as to the EU (often by different actors; there are, e.g., other countries pushing for less privacy-respecting mechanisms), so the clever criticism tends towards nitpicking. There’s actually merit in releasing such an ambitious project as open source and so early, which even with the nitpicking and negativity, is a good thing.
Another thing that will be blocked on my DNS
Kids: Fuck you, “security expert”. Thanks for making our situation even worse. Those government institutes will surely force that shit upon us and we have no reliable ways to fight back. The only real way to mitigate the situation was letting those morons roll out an ineffective way to punish us for nothing. But here you are, making us suffer just for a chance of looking clever on the Internet.
lol are you implying security experts should not probe this and we just let it happen?
We already let it happen. And all we must do is “unlet” it from happening. Not investigate the quality of shit.
that is a very pessimistic outlook.
the covid app for example was also something that could be misused in terrible ways and they managed to even get it approved by the ccc.
defeatism just makes things worse.
So, fighting for some basic freedom for kids is “pessimistic” and looking for flaws in their cage that let at least some of them get free is… good? Correct? What a nice guy, “security expert”. Helping to keep those pesky kids in line. Correct?
So your argument is that since you are opposed to the app’s very existence it’s immoral to test it for security flaws.
I’d like to argue against that with the principle of defense in depth. I’m also not a friend of OS-level age verification and would like it to be dropped. But if it is implemented I want it to be implemented in a way that isn’t wildly insecure. I can simultaneously argue against the principle as a whole and insist that any implementation of it be secure. If it does come I at least want the damage from a botched implementation to be mitigated.
To use your cage analogy, I can both complain about the principle of caging people and about the fact that the cage is badly made and poses an injury risk to the people inside it. Neither is acceptable.
you are missing the point: this measure is a steaming pile of dogshit. but it’ll be forced on us anyway - the least we can do is make sure it’s at least secure because even a hardliner can’t defend this security issue