Security consultant Paul Moore says he bypassed the app's protections in under two minutes. According to him, the app's technical implementation contains elementary design flaws that make it an easy target for any technically savvy user.
Moore's analysis reveals that the app's trust model is based on local files that the user can edit themselves. Although the app is open source - something Commission President Ursula von der Leyen presented as a guarantee of transparency - this appears to have backfired by exposing its flimsy architecture.
According to Moore, the app stores the PIN code on the device, but it is not tied to the user's actual identity vault. By deleting certain values from the app's configuration file, an attacker can set a new PIN code and still gain access to the previous credentials.
Normally, apps lock after several incorrect PIN attempts. In this app, the counter that tracks the number of attempts is located in an editable file. Resetting the counter gives an attacker unlimited attempts.
In addition, fingerprint or facial recognition in the app is just a single "true/false" setting. When the setting is manually changed to "false", the app skips biometric verification entirely.
Experts are wondering why the app does not make use of modern smartphones' hardware-level protections, such as the Secure Enclave chip, and instead relies on software-level files that can be modified.
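To illustrate the design point the experts raise, the following added example (not code from the app or from Moore's analysis) contrasts a loader that trusts a locally stored attempt counter and biometric flag with one that verifies an integrity tag and fails closed. The field names, `MAX_ATTEMPTS` and `DEVICE_KEY` are assumptions; `DEVICE_KEY` stands in for a key held in hardware-backed storage.

```python
import hashlib
import hmac
import json

MAX_ATTEMPTS = 5  # assumed lockout threshold, not taken from the app
# Assumption: stands in for a key held in a hardware-backed keystore.
# Constructed value; a real key would never be stored beside the state file.
DEVICE_KEY = bytes(range(32))


def _tag(state, key):
    """HMAC-SHA256 over the canonical JSON form of the state."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(state, key=DEVICE_KEY):
    """Serialise the state together with its integrity tag."""
    return json.dumps({"state": state, "tag": _tag(state, key)})


def load_naive(blob):
    """Weak pattern: believe whatever the local file says."""
    return json.loads(blob)["state"]


def load_sealed(blob, key=DEVICE_KEY):
    """Hardened pattern: an unreadable or modified record fails closed."""
    try:
        doc = json.loads(blob)
        state, tag = doc["state"], str(doc["tag"])
        expected = _tag(state, key)
    except (ValueError, KeyError, TypeError):
        return {"locked": True, "reason": "unreadable"}
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return {"locked": True, "reason": "tampered"}
    attempts = state.get("failed_attempts", MAX_ATTEMPTS)
    return {**state, "locked": attempts >= MAX_ATTEMPTS}


def edit_file(blob, **changes):
    """Constructed stand-in for hand-editing the stored file."""
    doc = json.loads(blob)
    doc["state"].update(changes)
    return json.dumps(doc)
```

An integrity tag alone does not stop an older, validly sealed copy of the file from being restored; preventing that also requires a counter kept inside the hardware-backed store.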
Telegram founder Pavel Durov commented on the case, saying the app is "hackable by design". According to Durov, the app's biggest mistake is that it blindly trusts the user's device and the information it sends.
Durov suggests it is possible the app was intentionally made easy to break. In that case, potential data breaches could later serve as a political hobbyhorse to demand the dismantling of privacy protections and broader surveillance "in the name of security".
Beyond security, the app's logic has also drawn criticism. On social media, users have questioned why age verification has an expiration date or a limited number of uses.
The EU has envisioned the app as a key part of digital identity, and it is set to be rolled out in several countries. The latest revelations, however, cast serious doubt on whether the system is really as ready and secure as the European Commission has led people to believe.
Written by: Petteri Pyyny @ 17 Apr 2026 9:57