The EU Digital Identity Wallet’s age verification specifications plan to bind the entire app and device authenticity verification flow to the Google Play Integrity API and Apple App Attestation. After the news broke, the official GitHub discussion thread was instantly flooded, and the developer community was overwhelmingly opposed.
Based on comments in the GitHub discussion thread, the three main core arguments from opponents are as follows:
The Netherlands’ Yivi Already Provides a Non-Google Option: The Netherlands’ identity app Yivi (formerly IRMA) can complete age verification without relying on Google services, and it has already been listed in the F-Droid open-source store—directly proving that Play Integrity integration is not a technically necessary condition.
The Spec Contradicts Itself: The EU Digital Identity Wallet spec defines three principles; forcing binding to Google and Apple’s proprietary verification services simultaneously violates the “interoperability” and “open standards” principles.
Digital Sovereignty Issues: Government services should not depend on third-party external services. If Google or Apple changes policies, delists services, or suffers a systemic vulnerability, identity verification mechanisms across countries could be forced to shut down.
According to the report, a security researcher’s test found that on Android devices, it only takes editing a plain-text preferences configuration file—deleting the encrypted PIN entry and turning off the biometric “enabled” boolean. In under 2 minutes, the researcher could reset the app PIN, disable biometric login, and still fully extract the stored credentials; another researcher reproduced the vulnerability and recorded more issues, including unencrypted storage of personal information.
Some commenters used these security concerns to question whether it’s worth locking the entire system into hardware attestation to prevent remote intrusion. Some developers also questioned why age verification needs to be built as a native app; with modern Web App technology combined with the Digital Credentials API, the same result can be achieved.
According to the report, countries’ stances toward this mechanism are inconsistent: the Netherlands and Italy currently adopt Google Play Integrity unconditionally. Switzerland, due to considerations such as data protection, data sovereignty, and user choice, switched to Android’s built-in attestation mechanism and directly gave up Play Integrity.
On alternatives, the age verification app provider Scytales stated that its EU age verification app’s integrity checks do not rely on Google or Apple. Volla Systeme GmbH’s “Unified Attestation” provides short-lived integration tokens and offline verification functionality, and it can coexist with Play Integrity; some commenters view it as a compromise solution.
Based on the GitHub discussion thread, the main reasons include: the Netherlands’ Yivi app has completed age verification without relying on Google services, proving alternatives exist; mandatory binding violates the EU spec’s custom “interoperability” and “open standards” principles; and if government services rely on a private company platform’s policies, it could create digital sovereignty risks.
According to the report, the Dutch non-profit organization Waag Futurelab warned in its article that the design of the Google Play Integrity API may turn governments into enforcers of private company platform policies, and that its design may conflict with the EU Digital Markets Act (DMA), which aims to prevent large enterprises from monopolizing the market.
According to the report, the Netherlands and Italy adopt Google Play Integrity unconditionally. Switzerland, citing data protection, data sovereignty, and user choice, switched to Android’s built-in attestation mechanism and abandoned Play Integrity.
Related News
Noxa Fi’s official X account was hacked, and multiple users’ wallets have been drained.
US-UK joint statement: plans to include stablecoins in cross-border finance to enhance efficiency and competitiveness
ECB Selects 36 Payment Providers for 2027 Digital Euro Pilot
TikTok Defends Safety Measures as EU Announces Child Social Media Restrictions
Webull Secures Dutch MiCA Approval for Late 2026 Crypto Launch