The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Android’ Category

GitHub – andOTP/andOTP: Open source two-factor authentication for Android

Posted by jpluimers on 2021/01/05

[WayBack] GitHub – andOTP/andOTP: Open source two-factor authentication for Android.

A few highlights:

  • andOTP is a two-factor authentication App for Android 4.4+. It implements Time-based One-time Passwords (TOTP) and HMAC-Based One-Time Passwords (HOTP). Simply scan the QR code and login with the generated 6-digit code.
  • OpenPGP: OpenPGP can be used to easily decrypt the OpenPGP-encrypted backups on your PC.
  • BroadcastReceivers: AndOTP supports a number of broadcasts to perform automated backups, e.g. via Tasker. These will get saved to the defined backup directory. These only work when KeyStore is used as the encryption mechanism.
    • org.shadowice.flocke.andotp.broadcast.PLAIN_TEXT_BACKUP: Perform a plain text backup. WARNING: This will save your 2FA tokens onto the disk in an unencrypted manner!
    • org.shadowice.flocke.andotp.broadcast.ENCRYPTED_BACKUP: Perform an encrypted backup of your 2FA database using the selected password in settings.
  • All three versions (Google Play, F-Droid and the APKs) are not compatible (not signed by the same key)! You will have to uninstall one to install the other, which will delete all your data. So make sure you have a current backup before switching!

PlayStore: [WayBack] andOTP – Android OTP Authenticator – Apps on Google Play

•  Free and Open-Source
•  Requires minimal permissions:
    •  Camera access for QR code scanning
    •  Storage access for import and export of the database
•  Encrypted storage with two backends:
    •  Android KeyStore (can cause problems, please only use if you absolutely have to)
    •  Password / PIN
•  Multiple backup options:
    •  Plain-text
    •  Password-protected
    •  OpenPGP-encrypted
•  Sleek minimalistic Material Design with three different themes:
    •  Light
    •  Dark
    •  Black (for OLED screens)
•  Great Usability
•  Compatible with Google Authenticator

Via: [WayBack] ‘Aanvallen via ss7-protocol om 2fa-sms’jes te onderscheppen nemen toe’ (“Attacks via the SS7 protocol to intercept 2FA text messages are on the rise”) – Computer – Nieuws – Tweakers

Check out @Jaykul’s Tweet: https://twitter.com/Jaykul/status/1091200778121957377

Instead of Google authenticator and Authy

Via https://twitter.com/martinfowler/status/1091097388201230339

Related :

Nope. It’s just a secret encoded in a QR code.

Here’s the docs on the format of the URI in the QR code: https://t.co/AJhT6PFAzx

The QR code delivers a simple, durable, shared secret.

Use U2F if you can. It is much safer, as it cannot be phished or copied.

Depends on your risk model. Device to device transfer would be a good mid-ground, but doesn’t solve the “my phone was stolen/bricked/damaged” scenario.

Which is your bigger risk – duplicating (normally encrypted) secrets or losing your device and access to everything?

 

–jeroen
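
The one-time codes and the QR-code secret discussed in this post, as an added example (not code from andOTP or from the original post). It assumes the QR code carries a Google Authenticator-style `otpauth://` URI; the URI below is constructed and uses the RFC 4226 test key as its secret.

```java
import java.net.URI;
import java.nio.ByteBuffer;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OtpDemo {
    // RFC 4648 Base32 decoding, used for the secret parameter of the URI.
    static byte[] base32(String s) {
        s = s.toUpperCase().replace("=", "");
        byte[] out = new byte[s.length() * 5 / 8];
        int buffer = 0, bits = 0, n = 0;
        for (char ch : s.toCharArray()) {
            int v = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".indexOf(ch);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + ch);
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) { bits -= 8; out[n++] = (byte) (buffer >> bits); }
        }
        return out;
    }

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    static String hotp(byte[] key, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int o = h[19] & 0x0f;
        int bin = (h[o] & 0x7f) << 24 | (h[o + 1] & 0xff) << 16 | (h[o + 2] & 0xff) << 8 | (h[o + 3] & 0xff);
        return String.format("%0" + digits + "d", bin % (int) Math.pow(10, digits));
    }

    // TOTP (RFC 6238): HOTP with the counter replaced by floor(unixSeconds / period).
    static String totp(byte[] key, long unixSeconds, int period, int digits) throws Exception {
        return hotp(key, unixSeconds / period, digits);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URI; its secret is the RFC 4226 test key "12345678901234567890".
        URI uri = URI.create("otpauth://totp/Example:alice@example.com"
                + "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30");
        Map<String, String> q = new HashMap<>();
        for (String kv : uri.getQuery().split("&")) q.put(kv.split("=", 2)[0], kv.split("=", 2)[1]);
        byte[] key = base32(q.get("secret"));
        int digits = Integer.parseInt(q.getOrDefault("digits", "6")), period = Integer.parseInt(q.getOrDefault("period", "30"));
        if (!totp(key, 59, period, digits).equals("287082")) throw new AssertionError("RFC 4226 vector mismatch");
        System.out.println(uri.getHost() + ": " + totp(key, System.currentTimeMillis() / 1000, period, digits));
        Arrays.fill(key, (byte) 0); // the decoded secret is the whole credential; do not keep it around
    }
}
```

Everything needed to generate valid codes is in the URI, which is why a plain-text backup or a photographed QR code is equivalent to handing over the second factor.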

Posted in Android, Development, Mobile Development, Security, Software Development

Why does my Android application, compiled with development tool XXX version YYY, no longer work?

Posted by jpluimers on 2020/12/29

Still relevant, not limited to Delphi, though other environments often have a better warning system in place: [WayBack] Why does my Android application, compiled with Delphi Rio, no longer work?.

TL;DR: over time, Android and its development tools require you to support more recent Android SDK levels.

Those SDK levels come with different requirements than past ones, so when recompiling, you need to check if you fulfill these requirements.

When you don’t, the application is likely to crash, sometimes without any indication why.

Via: [WayBack] Dalija Prasnikar – Google+ /

[WayBack] Dalija Prasnikar on Twitter: “Why does my Android application, compiled with Delphi Rio, no longer work?”

–jeroen

Posted in Android, Delphi, Development, Mobile Development, Software Development

Android passwords: store as transient as possible using arrays instead of strings

Posted by jpluimers on 2020/08/06

Sometimes you cannot avoid handling passwords in your application. When you do,

  • keep them around as short as possible
  • store them in data types that are not garbage collected
  • wipe the storage as soon as you are done

In practice, this usually comes down to storing them as arrays (character or byte arrays), not strings.

This holds for many other platforms outside Java as well: strings are usually managed in one way or the other, so they cannot be wiped.
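
A way to follow the three rules above on a plain JVM, as an added example (not code from the referenced articles). The sample password, the PBKDF2 parameters and the class and method names are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TransientPassword {
    // Derive key material from the password without ever creating a String.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec clones the array; 100_000 iterations is an illustrative value.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy
        }
    }

    // UTF-8 encode for APIs that need bytes, wiping the encoder's scratch buffer.
    static byte[] toUtf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. Real code fills this from Console.readPassword()
        // or a password field, never from new String(...) or toString().
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] key = null, raw = null;
        try {
            key = deriveKey(password, salt);
            raw = toUtf8(password);
            System.out.println(key.length + " key bytes, " + raw.length + " raw bytes");
        } finally {
            Arrays.fill(password, '\0'); // wipe every copy as soon as it is no longer needed
            if (key != null) Arrays.fill(key, (byte) 0);
            if (raw != null) Arrays.fill(raw, (byte) 0);
        }
    }
}
```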

References:

For actual storage of passwords, you always have the risk of retrieval: when a “bad guy” gets physical access to a device, it is basically hosed.

A KeyStore can only do so much against it: if your APK can be downloaded, it can be reverse-engineered revealing the exact steps how the store is accessed, reproducing the steps needed to hack into the underlying protected data/functionality.

The keystore can be forgetful…

You’ve just moved into a new house and have been given the master key for the front door. You only have one of these so you know you need to keep it safe. You’re really paranoid so you hire an armed guard, whose sole job is to protect this key, in fact, this is all he has been trained to do and has a catchy slogan of “need to protect a key, it’s what I was born to do!”. You install an extra lock on your front door as you feel the bodyguard isn’t enough, this is a rough area anyway and who’s going to make sure no one’s about to break in and steal all your crap. You return to your key guard only to be informed he has thrown the key away. You shout and scream at him but he just blankly says “I don’t have it anymore, I didn’t think it was important”. You can’t contain your anger “What the hell, you’re a jerk! You had one thing to do and you failed, this causes me a lot of problems, why didn’t you tell me you might do this?! What do I do now?!”

[WayBack] Android Security: The Forgetful Keystore – SystemDotRun – Dorian Cussen’s Super Blog

–jeroen

Posted in Android, Development, Java, Java Platform, Mobile Development, Power User, Security, Software Development

Best android apps for zabbix – AndroidMeta

Posted by jpluimers on 2020/05/28

If I land a project using Zabbix again, one of the things I need to look into is [WayBack] Best android apps for zabbix – AndroidMeta.

–jeroen

Posted in *nix, Android, Android Devices, Development, Linux, Mobile Development, Monitoring, Power User, Zabbix

SMS Backup+ – Apps on Google Play

Posted by jpluimers on 2020/03/04

Simple but cool app: [Archive.is] SMS Backup+ – Apps on Google Play:

Automatically backup your SMS, MMS and call history with a separate label in Gmail and Google Calendar.

Later you can restore the saved data (except MMS) back to the phone, especially useful when switching to a new device.

IMAP access needs to be manually enabled in Gmail, see the website and FAQ for more information. You can of course use your own IMAP server for backups, giving you full control over your data.

SMS Backup+ is a free open-source project which has been in active development since the early days of Android, completely ad and tracking-free, supported through voluntary donations.

Sourcecode: [WayBack] GitHub – jberkel/sms-backup-plus: Backup Android SMS, MMS and call log to Gmail / Gcal / IMAP

Via: [WayBack] Confused phone calls for 500. I don’t get calls on the German phone number very often any more, so the phone now stays at home and is hooked up to the… – Kristian Köhntopp – Google+

–jeroen

Posted in Android, Development, Mobile Development, Software Development

Commander One review: A superior alternative to Android File Transfer on Mac

Posted by jpluimers on 2020/01/10

On my list of software to try: [WayBack] Commander One review: A superior alternative to Android File Transfer on Mac

Via: [WayBack] Looks like a must-have for anyone using a Mac (with MacOS) and an Android phone. – Roderick Gadellaa – Google+

–jeroen

Posted in Android, Android Devices, Apple, Development, iMac, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Air, MacBook-Pro, MacMini, macOS 10.12 Sierra, macOS 10.13 High Sierra, Mobile Development, Software Development

Some links on keystore, encryption and decryption on Android

Posted by jpluimers on 2019/02/06

For my link archive:

 

Basically:

  • storing encrypted data plus IV in preferences is OK
  • store the symmetric encryption key (for instance an AES one) in the keystore for the application
  • likely a salt is also needed, then store the salt with the IV and encrypted data

–jeroen

Presumptions:

  • The keystore of a specific application UUID is accessible only by that application UUID when the device has been unlocked by the user
  • The keystore saves credentials in a secure way
  • It is OK to save both the encrypted data and associated IV

Approach (plain data is “hashed application PIN”, encrypted data is “encrypted hashed application PIN”):

  1. store a symmetric AES key in the application key store
  2. after entering application PIN:
    1. hash the application PIN
    2. use the hashed application PIN to enter the application
    3. from the keystore, obtain the symmetric AES key
    4. create a cipher based on the AES key
    5. use the cipher to obtain an IV, and to encrypt the hashed application PIN
    6. store the encrypted hashed application PIN and IV both in the application preferences
  3. when needing to enter the application, ask the user either to enter the application PIN again or to prove that they can pass the device unlock sequence (using an unlock activity)
    1. if the user provided the application PIN, then:
      1. hash the application PIN
      2. try to enter the application with the hashed application PIN
    2. if the user proved the device unlock, then:
      1. from the preferences, obtain the IV and encrypted hashed application PIN
      2. from the keystore, obtain the symmetric AES key
      3. create a cipher based on the AES key
      4. decrypt the encrypted hashed application PIN using the cipher and the IV into the hashed application PIN
      5. try to enter the application with the hashed application PIN
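
The approach above, as an added example that runs on a plain JVM (it is not code from the linked articles). Assumptions: a `KeyGenerator` key stands in for the Android keystore entry, static fields stand in for the application preferences, AES-GCM is the chosen cipher mode, and salted PBKDF2 is the PIN hash; all names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class PinUnlockSketch {
    static SecretKey keystoreKey;           // stand-in for the Android keystore entry
    static byte[] salt, iv, encryptedHash;  // stand-ins for application preferences

    static byte[] hashPin(char[] pin) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, 100_000, 256); // illustrative parameters
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally { spec.clearPassword(); }
    }

    // Step 2: after the PIN was entered, encrypt its hash under the keystore key.
    static void enroll(char[] pin) throws Exception {
        salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey); // no IV passed: the cipher picks a fresh one
        iv = c.getIV();                           // stored next to the ciphertext and salt
        byte[] hashed = hashPin(pin);
        encryptedHash = c.doFinal(hashed);
        Arrays.fill(hashed, (byte) 0);
    }

    // Step 3.2: after a successful device unlock, recover the hashed PIN.
    static byte[] recoverHashedPin() throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keystoreKey, new GCMParameterSpec(128, iv));
        return c.doFinal(encryptedHash); // AEADBadTagException if IV or data were altered
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); // step 1
        kg.init(256);
        keystoreKey = kg.generateKey();
        char[] pin = {'4', '9', '2', '7'};                 // constructed sample PIN
        enroll(pin);
        byte[] viaUnlock = recoverHashedPin();             // step 3.2 path
        byte[] viaPin = hashPin(pin);                      // step 3.1 path
        System.out.println("paths agree: " + java.security.MessageDigest.isEqual(viaUnlock, viaPin));
        encryptedHash[0] ^= 1;                             // simulate a modified preference value
        try { recoverHashedPin(); } catch (AEADBadTagException e) { System.out.println("tamper detected"); }
        Arrays.fill(pin, '\0');
    }
}
```

With an authenticated mode such as GCM, a modified IV or ciphertext in the preferences fails decryption instead of yielding a different "hashed PIN".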

Posted in Android, Development, Mobile Development, Software Development

Quick Intro Into Actions on Google | Grokking Android

Posted by jpluimers on 2019/01/30

Hopefully by now the Google Assistant and Google Home have made their way into the Dutch language. If so, then it’s time for me

[WayBack] Quick Intro Into Actions on Google | Grokking Android: Find out which options exist to develop apps for the Google Assistant with Actions on Google and to bring the Assistant to devices with the Assistant SDK.

–jeroen

 

Posted in Android, Android Devices, Development, Google, Google AI, Google Assistant, GoogleHome, Mobile Development, Software Development

Don’t forget your padding… playing with the APK format of a sample “Hello world” Android app

Posted by jpluimers on 2019/01/23

Don’t forget your padding: Hello, I’m playing with the APK format of a sample “Hello world” Android application. My (first) goal is to be able to rebuild an APK from an unzipped one… – Paul TOTH – Google+

References: RSA Algorithm

–jeroen

Posted in Android, Development, Encryption, Mobile Development, Power User, Security, Software Development

Vysor standalone downloads

Posted by jpluimers on 2018/09/19

I wrote about Vysor before, but totally forgot to mention that for like 2 years there have been (initially beta) standalone versions of Vysor based on the Electron framework that is also used by the Atom.io editor and Visual Studio Code.

So here they are (:

Over time, these have been updated with new versions.

Web site source: https://github.com/koush/vysor.io

–jeroen

History:

Related:

Posted in Android, Android Devices, Development, Mobile Development, Power User, Vysor