Comments (12)
The tokens are not encrypted and I think that it is possible to have them backed up (either through adb backup or through GDrive).
allowBackup is true, which means that external backups and Google backups are allowed:
FreeOTPPlus/app/src/main/AndroidManifest.xml
Lines 38 to 39 in e7dfc62
The normal SharedPreferences storage is used with MODE_PRIVATE. This just means that other apps cannot access it, but it is not encrypted in any way:
To actually employ encryption, the KeyStore API should be used:
https://developer.android.com/reference/java/security/KeyStore
from freeotpplus.
Yes, encryption support is still on my todo list. I don't think FreeOTP+ can actually use KeyStoreAPI because the data needs to be stored elsewhere and restored on a different device.
I am thinking about using simpler (weaker) symmetric crypto to just encrypt secret part of the data.
Also I would like to have PIN / fingerprint support which requires quite some more work. If you are aware of any libraries to help the UI of PIN / fingerprint, it would be a great help here.
from freeotpplus.
encryption support is still on my todo list.
How about lifting from another project?
https://github.com/andOTP/andOTP
from freeotpplus.
To actually employ encryption, the KeyStore API should be used:
Seems to be a good idea. Does this mean that the original FreeOTP stores the keys unencrypted as well?
from freeotpplus.
Does this mean that the original FreeOTP stores the keys unencrypted as well?
That is correct, the original FreeOTP implementation also lacks encryption. Their developers are open to implementing it though, indeed using the KeyStore API: freeotp/freeotp-android#6 (comment)
There is one PR to implement this, I have not reviewed though and mention it since it was referenced from the previous issue: freeotp/freeotp-android#150
from freeotpplus.
Facing the same issue. Every time I take a backup, the .json file remains on phone storage in plaintext. It's obvious to keep it in the same location and forget about it. Also, keeping a backup in plaintext is not recommended.
@helloworld1 Kindly implement.
from freeotpplus.
I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.
https://facebook.github.io/conceal/
https://github.com/google/tink
https://github.com/google/capillary
https://github.com/simbiose/Encryption
Hope, this helps.
from freeotpplus.
I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.
I understood the comment was asking about libraries for the user interface part for PIN or libraries for fingerprint, not for encryption.
from freeotpplus.
Encrypting tokens using any of the suggested libraries with the user PIN/fingerprint hash will be sufficient.
from freeotpplus.
@unicorntaco I found the implementation of andOTP pretty good and convincing. I wonder what is the advantage of FreeOTP / FreeOTP+. Also FreeOTP+ provides the capability to migrate to andOTP.
from freeotpplus.
One big advantage of the original FreeOTP is that it uses a decent layout on tablets... see #121
from freeotpplus.
Let's consolidate the discussion in #128
from freeotpplus.