Too much Google: Criticism of age verification system for Android

The European Digital Identity age verification solution for Android, which is currently under development, does not appear to fully meet the EU's requirements.

Google Android bugdroid before lock icon.

(Image: Primakov/Shutterstock.com)

The EU is working on an age verification platform for iOS and Android, among others. The implementation of the European Digital Identity (EUID) for Android has been criticized since the source code and documentation were published on GitHub, as it leaves out alternative Android variants and relies too heavily on Google services.

The first Android version relies on Google's Play Integrity API for age verification. However, this interface is only available on systems licensed by Google. In addition, the apps used would have to be downloaded from the Play Store, which requires a Google account.

According to the developers, this is a first attempt that was developed "solely to demonstrate the process". However, some developers are already pointing out that the approach excludes alternative Android versions such as LineageOS or GrapheneOS and that the current solution violates EU regulations.

As Daniel Micay, security researcher and developer for GrapheneOS, writes on GitHub, there is already "a much stronger interface" than the Play Integrity API in the form of the Hardware Attestation API. This can also be used by alternative Android versions and eliminates "unnecessary dependence on Google Play services and Google's Play Integrity services".

According to Micay, the hardware attestation API is available on all devices that were launched with Android 8 or newer and are still receiving security patches. The developer also considers the hardware API to be more secure than the software-based Play Integrity API, which is easier to circumvent.

Micay is supported by the developer of the Catima card app, Sylvia van Os: She questions above all the deepening of the "dependence on American tech giants for age verification". In another thread, developers consider the Google account requirement to be unacceptable for an open source project, among other things.

The current development solution would inevitably have to be changed in favor of alternative Android versions. According to the EU website for the project, interoperability is an elementary component of the development requirements: "The solution ensures seamless integration across different device operating systems, wallet applications and online services."

The developers of the solution have since adapted the documentation and removed the reference to the Play Integrity API. Instead, reference is now made to OWASP MASVS conformity (Mobile Application Security Verification Standard). However, this is not sufficient; instead, developers demand that it be clearly stated that no Play Integrity API may be used for corresponding apps.

Age verification will initially be tested in five countries: France, Spain, Italy, Denmark and Greece, according to Reuters. The five countries can adapt the solution to their needs and integrate it into a national app.

(afl)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.