The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,231 other followers

Archive for the ‘Mobile Development’ Category

Roderick Gadellaa on Twitter: simple app that (re)sets the volume of the TV to 8% of the max volume every time you turn it on.

Posted by jpluimers on 2021/01/08

[WayBack] Roderick Gadellaa on Twitter: “In case anyone who owns an Android TV is interested: I’ve built a (very, very) simple app that (re)sets the volume of the TV to 8% of the max volume every time you turn it on.  #androidtv #tools…”

[WayBack] Roderick Gadellaa on Twitter: “Some instructions: – You have to sideload it (google is your friend: “how to sideload app on android tv”) – You have to start the app once. It won’t show up on Home, so go to Settings > Apps > TvVolsetr > Open – Android TV 7.0 Nougat or higher required”

[WayBackRoderick Gadellaa auf Twitter: “Some instructions: – You have to sideload it – You have to start the app once. It won’t show up on Home, so go to Settings > Apps > TvVolsetr > Open – Android TV 7.0 Nougat or higher required”

Follow only the images links from [] “how to sideload app on android tv” – Google Search, as the others point to phishing sites.

This image link for instance is useful: [WayBack] How to Sideload Apps on Android TV: Android TV is an excellent product for anyone who wants to expand their current living room setup—it makes easy work of streaming most content, has a slew of games (that are actually worth playing), and is relatively inexpensive. But what happens when an app you want on your TV isn’t available for your device?

Download: [WayBacktvVolsetr.apk


Read the rest of this entry »

Posted in Android, Android Devices, Mobile Development, Power User, Software Development | Leave a Comment »

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+.It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, eg. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

•  Free and Open-Source
•  Requires minimal permissions:
•  Camera access for QR code scanning
•  Storage access for import and export of the database
•  Encrypted storage with two backends:
•  Android KeyStore (can cause problems, please only use if you absolutely have to)
•  Password / PIN
•  Multiple backup options:
•  Plain-text
•  Password-protected
•  OpenPGP-encrypted
•  Sleek minimalistic Material Design with three different themes:
•  Light
•  Dark
•  Black (for OLED screens)
•  Great Usability
•  Compatible with Google Authenticator

Via: [WayBack] ‘Aanvallen via ss7-protocol om 2fa-sms’jes te onderscheppen nemen toe’ – Computer – Nieuws – Tweakers

Check out @Jaykul’s Tweet:

Instead of Google authenticator and Authy


Related :

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code:

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?



Posted in Android, Development, Mobile Development, Security, Software Development | Leave a Comment »

Why does my Android application, compiled with development tool XXX version YYY, no longer work?

Posted by jpluimers on 2020/12/29

Still relevant, not limited to Delphi, though other environments often have a better warning system in place: [WayBack] Why does my Android application, compiled with Delphi Rio, no longer work?.

TL;DR: over time, Android and the development tools for it, require you to support more recent Android SDK levels.

Those SDK levels come with different requirements than past ones, so when recompiling, you need to check if you fulfill these requirements.

When you don’t, the application is likely to crash, sometimes without any indication why.

Via: [WayBack] Dalija Prasnikar – Google+ /

[WayBack] Dalija Prasnikar on Twitter: “Why does my Android application, compiled with Delphi Rio, no longer work?”


Posted in Android, Delphi, Development, Mobile Development, Software Development | Leave a Comment »

Making it dead simple to implement @haveibeenpwnd in your applications, including strength warning if found in @troyhunt’s password collection.

Posted by jpluimers on 2020/12/02

I wasn’t aware that Troy Hunt created an API [WayBack] for [WayBack] Have I Been Pwned: Check if your email has been compromised in a data breach.

He did, as I noticed through [WayBack] Michelangelo van Dam on Twitter: “Making it dead simple to implement @haveibeenpwnd in my applications, including strength warning if found in @troyhunt’s password collection. Check out to try it out yourself. #ImproveSecurity #haveibeenpwnd”.

There are in fact plenty of other packages, web-sites and apps using the API as seen on [WayBack] Have I Been Pwned: API consumers.

Many people ask “if it is safe” (often assuming passwords are sent in clear, or hashes are sent in full; my fear is that those people implement security somewhere).

It is safe:

PHP source is at [WayBack] GitHub – DragonBe/hibp: A composer package to verify if a password was previously used in a breach using Have I Been Pwned API.

There is also a [WayBack] composer package at [WayBack] dragonbe/hibp – Packagist.

A really cool thing on it is this:

This project was also the subject of my talk [WayBack] Mutation Testing with Infection where the code base was not only covered by unit tests, but also was subjected to Mutation Testing using [WayBack] Infection to ensure no coding mistakes could slip into the codebase.

Apart from the tests, the most important source is at [WayBack] hibp/Hibp.php at master · DragonBe/hibp · GitHub



Posted in Development, Mobile Development, PHP, Python, Scripting, Software Development, Web Development | Leave a Comment »

Android passwords: store as transient as possible using arrays in stead of strings

Posted by jpluimers on 2020/08/06

Sometimes you cannot avoid handling passwords in your application. When you do,

  • keep them around as short as possible
  • store them in data types that are not garbage collected
  • wipe the storage as soon as you are done

In practice, this usually comes down to storing them as arrays (character or byte arrays), not strings.

This holds for many other platforms outside Java as well: strings are usually managed in one way or the other, so they cannot be wiped


For actual storage of passwords, you always have the risk of retrieval: when a “bad guy” gets physical access to a device, it is basically hosed.

A KeyStore can only do so much against it: if your APK can be downloaded, it can be reverse-engineered revealing the exact steps how the store is accessed, reproducing the steps needed to hack into the underlying protected data/functionality.

The keystore can be forgetful…

You’ve just moved in to a new house and have been given the master key for the front door. You only have one of these so you know you need to keep it safe. Your really paranoid so you hire an armed guard, whose sole job is to protect this key, in fact, this is all he has been trained to do and has a catchy slogan of “need to protect a key, its what I was born to do!”. You install an extra lock on your front door as you feel the bodyguard isn’t enough, this is a rough area anyway and who’s going to make sure no-ones about to break in and steal all your crap. You return to your key guard only to be informed he has thrown the key away. You shout and scream at him but he just blankly says “I don’t have it anymore, I didn’t think it was important”. You can’t contain your anger “What the hell, your a jerk! You had one thing to do and you failed, this causes me a lot of problems, why didn’t you tell me you might do this?! What do I do now?!”

[WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog


Posted in Android, Development, Java, Java Platform, Mobile Development, Power User, Security, Software Development | Leave a Comment »

%d bloggers like this: