Comments (12)

Lekensteyn commented on June 15, 2024 3

The tokens are not encrypted and I think that it is possible to have them backed up (either through adb backup or through GDrive).

allowBackup is true, which means that external backups and Google backups are allowed:

    <application
        android:allowBackup="true"

The normal SharedPreferences storage is used with MODE_PRIVATE. This just means that other apps cannot access it, but it is not encrypted in any way:

    public TokenPersistence(Context ctx) {
        prefs = ctx.getApplicationContext().getSharedPreferences(NAME, Context.MODE_PRIVATE);
        gson = new Gson();
    }

To actually employ encryption, the KeyStore API should be used:
https://developer.android.com/reference/java/security/KeyStore

from freeotpplus.
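
A static check for the manifest setting quoted in the comment above, as an added example that is not part of the original thread or the FreeOTP+ code base: it flags `allowBackup` being true or unset (the attribute defaults to true) and reports whether any backup rules narrow what gets copied. The class name, finding strings and sample manifests are constructed for illustration, and the input is assumed to be a decoded (text) manifest.

```java
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class BackupExposureCheck {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Returns findings for a text AndroidManifest.xml; an empty list means backup is disabled.
    static List<String> audit(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the checker itself is not exposed to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();
        Element app = (Element) doc.getElementsByTagName("application").item(0);
        if (app == null) { findings.add("no <application> element"); return findings; }
        String allow = app.getAttributeNS(ANDROID_NS, "allowBackup");
        if (allow.equals("false")) return findings;
        // Missing attribute defaults to true; any other value (e.g. a resource ref) needs review.
        findings.add(allow.isEmpty() ? "allowBackup not set (defaults to true)"
                                     : "allowBackup=\"" + allow + "\"");
        boolean hasRules = !app.getAttributeNS(ANDROID_NS, "fullBackupContent").isEmpty()
                || !app.getAttributeNS(ANDROID_NS, "dataExtractionRules").isEmpty();
        if (!hasRules) findings.add("no backup rules: shared_prefs (token store) is included");
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String ns = " xmlns:android=\"" + ANDROID_NS + "\"";
        // Constructed manifests: the setting quoted above, an unset attribute, a hardened one.
        String weak = "<manifest" + ns + "><application android:allowBackup=\"true\"/></manifest>";
        String unset = "<manifest" + ns + "><application/></manifest>";
        String hard = "<manifest" + ns + "><application android:allowBackup=\"false\"/></manifest>";
        System.out.println("weak:  " + audit(weak));
        System.out.println("unset: " + audit(unset));
        System.out.println("hard:  " + audit(hard));
    }
}
```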

helloworld1 commented on June 15, 2024 3

Yes, encryption support is still on my todo list. I don't think FreeOTP+ can actually use the KeyStore API because the data needs to be stored elsewhere and restored on a different device.
I am thinking about using simpler (weaker) symmetric crypto to just encrypt the secret part of the data.
Also I would like to have PIN / fingerprint support which requires quite some more work. If you are aware of any libraries to help the UI of PIN / fingerprint, it would be a great help here.

unicorntaco commented on June 15, 2024 2

> encryption support is still on my todo list.

How about lifting from another project?

https://github.com/andOTP/andOTP

kelna commented on June 15, 2024

> To actually employ encryption, the KeyStore API should be used:

Seems to be a good idea. Does this mean that the original FreeOTP stores the keys unencrypted as well?

Lekensteyn commented on June 15, 2024

> Does this mean that the original FreeOTP stores the keys unencrypted as well?

That is correct, the original FreeOTP implementation also lacks encryption. Their developers are open to implementing it though, indeed using the KeyStore API: freeotp/freeotp-android#6 (comment)

There is one PR to implement this; I have not reviewed it, though, and mention it since it was referenced from the previous issue: freeotp/freeotp-android#150

itsKV commented on June 15, 2024

Facing same issue. Every time I take a backup, the .json file remains on phone storage in plaintext. It's obvious to keep it on same location and forget about it. Also, keeping a backup in plaintext is not recommended.

@helloworld1 Kindly implement.

itsKV commented on June 15, 2024

I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.

https://facebook.github.io/conceal/
https://github.com/google/tink
https://github.com/google/capillary
https://github.com/simbiose/Encryption

Hope, this helps.

bluikko commented on June 15, 2024

> I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.

I understood the comment was asking about libraries for the user interface part for PIN or libraries for fingerprint, not for encryption.

itsKV commented on June 15, 2024

Encrypting tokens using any of the suggested libraries with the user's PIN/fingerprint hash will be sufficient.

helloworld1 commented on June 15, 2024

@unicorntaco I found the implementation of andOTP pretty good and convincing. I wonder what is the advantage of FreeOTP / FreeOTP+. Also FreeOTP+ provides the capability to migrate to andOTP.

lemmy04 commented on June 15, 2024

One big advantage of the original FreeOTP is that it uses a decent layout on tablets... see #121

helloworld1 commented on June 15, 2024

Let's consolidate the discussion in #128
