This paper presents an independent technical analysis of the EU Age Verification app (EUDI Wallet Pilot, build 2026.04-2). The research uncovers a systemic architectural failure where the entire biometric verification pipeline—including liveness detection, face matching, and credential binding—executes without any hardware root of trust, TEE isolation, or cryptographic attestation of the sensor chain.
The full document maps out four escalating vulnerability tiers demonstrating that the application's security guarantees are architecturally unenforceable. This impacts not just this pilot app, but the entire EUDI Wallet framework and technical standards tied to the Digital Services Act.
(Format: PDF)