
Google's Abandoned Android Authenticator App - edent
https://shkspr.mobi/blog/2020/02/googles-abandoned-android-authenticator-app/
======
dang
Related current thread:
[https://news.ycombinator.com/item?id=22443225](https://news.ycombinator.com/item?id=22443225)

------
Someone1234
This is a bad article. Let me summarize my thoughts:

- The "security bug" it references isn't one at all. Accessibility Services
can draw over other apps and interact with them _by design_. They're designed
as an alternative way of interacting with Android for disabled people;
consequently they can do anything a normal user can do. The security
"researcher" found a non-bug then convinced an ignorant journalist at zdnet to
publish an article about normal/correct Android functionality.

- If it were somehow a bug, it is still impossible for Google Authenticator
to patch/mitigate it. Accessibility Services act as the user, therefore they
can do anything a user can do. You cannot block them for good reason (it breaks
disabled users' ability to use Android).

- The third party apps they reference don't block Accessibility Services
either, making it hypocritical to criticize one while pointing to others with
the same fictitious flaw.

- Switching to a random open source TOTP/HOTP 2F app might reduce your
security, not increase it. You'll either compile it yourself requiring
enabling "Allow installation from unknown sources" (bad) or you'll more
commonly just grab it from the app store, in which case that random OSS
developer's account can feed you evil-ware either intentionally or via
compromise. As soon as it is from the app store the "open source" nature is
completely irrelevant, it isn't a security guarantee.

- No unpatched security bugs have been found in Google Authenticator. Google
Authenticator's lack of updates is annoying though (unfixed bugs, poor backup
support, QoL features like secondary pin, etc). Just not the way the article
frames it.

~~~
drewg123
> compile it yourself requiring enabling "Allow installation from unknown
> sources"

This is one of my biggest pet peeves about Android. I wish I could add my own
signing key for apps I compile myself, rather than just being given the choice
of Google Play or anything at all.

~~~
Operyl
In a round about way you sort of can now. The “allow installation from unknown
sources” is per app-source now. You need to enable it for Google Chrome if you
downloaded the package from Chrome, or for F-Droid if you downloaded it from
F-Droid. So, the solution you’re looking for could be just a small shim app to
download from your own repository of sorts. Janky .. but it’s a bit more
possible than before I guess. As an added bonus you could do some signature
validations too!

~~~
boring_twenties
If you use F-Droid, you could also just set up your own local repository for
your custom apps.

~~~
Operyl
Yup! I was just running under the assumption the parent comment wanted no
other apps period, with a smaller surface to attack.

------
asdfasgasdgasdg
Wait. The vulnerability report says, "Abusing the Accessibility privileges,
..." the trojan can steal your OTPs. If you give a program accessibility
privileges, it can read the screen. Is that all we're talking about here? What
is the proposed mitigation that Google should implement on the app? You can't
block accessibility on the OTP app because then blind people will not be able
to use it.

~~~
derefr
> You can't block accessibility on the OTP app because then blind people will
> not be able to use it.

You can block accessibility from the specific field of the OTP app, if you
also have a system framework that retrieves exactly the contents of that field
into your paste buffer when you interact with a privileged UI element (i.e.
the keyboard-UI “autofill 2FA” accelerator.)

~~~
ihuman
That won't work if someone is trying to use the code on their desktop. The
screen reader won't be able to read the code to them, so they won't be able to
log in.

~~~
zepto
There is no reason not to have a special privilege level for screen readers.

~~~
akerl_
There is a special privilege level for screen readers. The issue is that the
hypothetical malicious app pretends to be a screen reader.

~~~
zepto
Do you mean it hypothetically actually functions as a screen reader but also
steals data, or something that just requests the privilege while being
something completely different?

~~~
akerl_
Either one, but realistically the latter.

In the former case, you just call your app SuperLegitScreenReader, prompt the
user to grant accessibility access, and then snarf up data. Bonus points if
you bundle in some open source or pirated screen reader code so your app can
act the part, but you could probably just say “fetching reader data, screen
reading will be functional in ~60 minutes” and count on most users to not
bother uninstalling the app or revoking permissions.

In the latter case, you call your app “CandyNinjaBirds”, and have it pop up
and say “to let you share cute stickers to your friends, you need to enable
accessibility access” and count on the vast majority of people to click
“allow”.

The latter case is way more common because the former case limits your target
audience to people who actually want a screen reader.

~~~
zepto
Ok - but given the small number of actual screen readers it would be easy for
a store to have extra policing for this privilege.

------
AdmiralAsshat
I switched to Authy some years ago. It took Google forever to add the ability
to Authenticator to let you migrate 2FA codes to new devices, and even then,
it was only Google codes. I got tired of having to _deactivate_ 2FA on my 20
or so accounts, switch to my new Android device, _reactivate_ 2FA, and then
scan the QR codes on the new device. Authy made it a painless experience,
particularly since I could verify codes were working on the new device before
factory resetting the old one.

~~~
whoisjuan
I use Authy, but God, I hate their UI and UX. Finding the accounts there is a
pain in the ass, and for some reason, I always end up with duplicated accounts
(when I just added them once). Also, it has been two months since their last
iOS update, so it's not like Twilio is taking care of it either.

~~~
zouhair
Give andOTP a try[0]

[0]: [https://github.com/andOTP/andOTP](https://github.com/andOTP/andOTP)

~~~
phs
I love andOTP, it does one job and gives me (not my phone's firmware) control
over the secret storage.

------
otachack
I recommend to use anything but Google Authenticator. andOTP is my preferred
considering you can make non-encrypted and encrypted backups of all entries.

I lost my phone once and was primarily using Google Authenticator at the time.
Because I didn't back up the seeds when registering entries to Google Auth, I
had to go through some recovery processes on many of my accounts which were
time consuming, nerve-wracking, and annoying. This was at the height of the
crypto craze so one account was Coinbase, for which I had to go through some
in-depth recovery process (with an ID and all, which ended up crossing some
legal lines in my state).

Do yourself a favor and either use a service with a supported and up to date
app or take control with an app like andOTP and take backups yourself.

------
excerionsforte
I got rid of Google Authenticator in 2018 preferring Microsoft Authenticator
after feeling weary about having to setup 2FA on a new phone and subsequently
reading posts like
[https://smartphones.gadgethacks.com/news/google-authenticato...](https://smartphones.gadgethacks.com/news/google-authenticator-is-not-best-2fa-app-anymore-0186776/)
which made me aware that I didn't have to go through that pain anymore if I
dumped Google Authenticator.

~~~
antaviana
If you do not mind your phone contacts are shared with the app [1], Microsoft
Authenticator is fine.

[1] [https://docs.microsoft.com/en-us/azure/active-directory/user...](https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq)

~~~
prophesi
"Contacts and phone: The app requires this permission so it can search for
existing work or school Microsoft accounts on your phone and add them to the
app, helping to ensure your account works properly. This permission also helps
save you time while adding your personal Microsoft accounts, by automatically
filling in some of the info for you, like your first and last name."

Wow, they really did their best to find a sliver of justification for that
permission. I don't need an OTP app to autofill my first and last name.

And to those arguing about their opt-out for this permission, ask what
unnecessary permissions your coworkers/family/friends have denied on the last
few apps they installed.

~~~
excerionsforte
Recommend that you install the application first and check what it asks for
before coming to a conclusion based on this doc. The score would have taken a
hit based on what you are saying. Furthermore, there is no argument here, just
facts based on user experience.

> Contacts and phone. The app requires this permission so it can search for
> existing work or school Microsoft accounts on your phone and add them to the
> app,

Keyword here is requires. This doc is out of sync with the application,
unsurprisingly.

~~~
prophesi
Honestly, I wouldn't willingly install anything by Microsoft. Everything is
overloaded with unnecessary telemetry.

On that note, for anyone using Microsoft's VS Code, I recommend
[https://vscodium.com/](https://vscodium.com/)

------
Slartie
This looks like the same pattern observed with the iOS Google Authenticator
app. That one was neglected for multiple years as well, up to the point at
which it looked ridiculously out of place on newer devices because it was
running in some compatibility mode for old screen sizes and screen
resolutions. After multiple years of no support whatsoever, they finally
updated it. But apparently that was just random luck - the current version is
over a year old already as well, with the update news saying "Added support
for iPhone X".

I don't get it why Google apparently does not get the notion that they
basically "own" the brand identity of what we technically-minded people know
as the TOTP 2FA scheme - and they own it because of the Google Authenticator
app. Thousands of websites ask their users to install "the Google
Authenticator app" if the user wants to enable 2FA - they don't tell them to
install "an OTP app" or something like that, no, practically everyone refers
to this scheme and the associated apps as "Google Authenticator".

And it can't be too hard for a company able to fund and drive the development
of a leading web browser engine to keep a simple TOTP app up to date and
well-supported in the two major smartphone ecosystems. Heck, a single full-time
developer should be more than enough manpower to do that! And Google has like,
what, 100.000 of them?

Instead, Google lets other companies slowly chip away at their mindshare in
the 2FA market - during the years of Google's inactivity, lots of alternative
applications sprung up, and many password safe apps added TOTP support to
their feature catalogs. We're at a point at which most technically savvy
people advise other people to use ANY of those apps, but NOT Google
Authenticator, even if the website tells them so. It's just a matter of time
until the sites catch up and quit suggesting Google Authenticator (after all,
the shortcomings of Google's application, like inability to backup seeds,
probably cause additional burden on support channels for sites explicitly
mentioning Google Authenticator, and if there are other apps that cause less
problems, suggesting to use those at some point in time will be more
beneficial than the brand name recognition bonus provided by suggesting an app
by Google).

~~~
gerash
"2FA market". Wait now 2FA apps constitute a market? The whole article is
inaccurate and tries to jump on the stereotypes we see in the news about
Google to capture clicks.

Authenticator is still a secure 2FA app (unlike Authy) and the fact that the
devs did not ship a new build or updated the UI recently might not be great
but the app does its job.

If "awk" does not ship a new build in a few years would it be considered
abandonware?

~~~
Slartie
Command-line applications for consoles are not exactly comparable to
smartphone apps in that regard, because their natural habitat changes only at
a glacial pace nowadays, while the habitat of smartphone apps - the smartphone
OSes - evolved at ridiculous speed during the last decade.

------
kjaftaedi
The author doesn't explain why this is a google problem other than their code
is "old".

The way the source article reads, it seems like the vulnerability would affect
any OTP app.

~~~
edent
The latest version of
[andOTP](https://github.com/andOTP/andOTP/releases)
indicates that it protects some of the fields from accessibility hijack. I
suspect other apps will find a way to prevent this attack.

The problem I, the author, have is that it seems unlikely that Google can fix
this. What are the risks associated with suddenly changing a codebase which is
2.5 years old? Is there anyone there who works on it day-to-day, understands
how it works, and can release a verifiably fixed patch?

Security products need constant maintenance.

------
ThePhysicist
Good thing TOTP is an open standard, so there are some alternative apps
available.

I guess they consider TOTP as legacy and are focusing on U2F, I think in their
products you can’t even sign up for TOTP based 2FA anymore.

I amassed quite a collection of U2F Titan security keys that Google gave away
for free at conferences, some of them have become obsolete already though and
some had serious security issues (the Bluetooth one). I prefer using the
Yubikey for that reason, though I find them quite a bit overpriced.

~~~
nucleardog
You can still sign up, but it's a bit of a pain.

When you initially enable 2FA, you won't be given the option. But you can
register with SMS/U2F/etc. Once you've enabled the first authentication
method, you can go into your 2FA settings and add a virtual 2FA device. Once
_that's_ done, you can go back and delete whatever you added initially to be
left with only a virtual 2FA device.

------
zouhair
And the usual Google neglect of its products continues. It's a vicious circle,
they keep neglecting apps, people start using them less and less and as they
notice people using them less they neglect them more and the cycle continues
until they kill it.

This is one of the main reasons I stopped using any of their new projects.

------
fredley
I recently switched to Aegis, it's so much better, and open source[0].
Crucially it has biometric encryption, and import/export so switching to a new
device isn't a horrific ordeal. It also has some great QoL features like
custom icons, highlighting, and reordering. To anybody looking to move away
from Google Authenticator, I highly recommend it.

0:
[https://github.com/beemdevelopment/Aegis](https://github.com/beemdevelopment/Aegis)

~~~
Satwell2
This looks good but I can't find any information about who is behind it and
why I should trust them. I wish they were collaborating with a well known
project like andOTP instead.

------
vzaliva
Potential vulnerability aside, I think the article leaves you with the wrong
impression about the state of the Google Authenticator app. In my
understanding, the Google Authenticator app you install from the App Store is
not the same as the GitHub app the authors are talking about. As it clearly
says in the README: "While this fork is open source, the official version of
the app still remains proprietary. There is no guarantee that the open source
repository will receive any changes made upstream (or vice versa)."

~~~
edent
If you visit the Authenticator app on
[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en)
- you'll see at the bottom that it was last updated on September 27, 2017. As
in, that's the last time an update was published on the Play store.

I'm sorry I didn't make that clearer.

------
Avamander
I don't think it actually needs an update. Supporting new features would be
nice, but it's not a requirement.

------
darawk
Hmm. I see a lot of people here responding that disabling this would break the
Accessibility Services, and I completely agree.

However, it does seem to me like there is a genuine problem here. Perhaps the
solution is to have a two-layer accessibility permission system? One
permission for reading the screen of non-inherently-sensitive applications,
like web browsers and email clients, and another permission for reading
high-sensitivity applications like Google Authenticator. Enabling the second
permission would come with very strong warnings about security, and the
admonition that you should _really really_ trust this application provider a
lot more than your average screen reader app.

------
skyfaller
I recently switched to Aegis Authenticator:
[https://getaegis.app/](https://getaegis.app/) It seems to be as
well-maintained as andOTP, and I like that it is licensed GPLv3 rather than MIT.

------
zackify
The most frustrating thing about this app.... is that it ignores other
algorithms such as sha-256 or 512.

But get this!

On iOS it correctly shows the right OTP code for these algorithms.

On android it acts like it’s a sha-1 and has the wrong code....
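The point above is that the `algorithm` parameter of an `otpauth://` URI (SHA1, SHA256 or SHA512) changes the HMAC and therefore the code; an app that silently computes everything as SHA-1 produces wrong codes for any account provisioned with SHA-256 or SHA-512. The following Python example is added here and is not code from the thread or from any authenticator app. It parses a constructed `otpauth://totp/` URI, computes the code with the declared algorithm and with a SHA-1-only fallback that models the behaviour described above, and checks the result against the published RFC 6238 Appendix B test vectors (the `1234567890` seed repeated to 20/32/64 bytes, 8 digits, unix time 59). The helper names (`parse_otpauth`, `code_from_uri`, `make_uri`, `check_rfc_vectors`) are my own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Hash functions permitted by the otpauth URI "algorithm" parameter.
_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP, with the RFC 6238 extension to HMAC-SHA256/SHA512."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _ALGORITHMS[algorithm.upper()]).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         algorithm: str = "SHA1", period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into the fields an authenticator needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)                               # URIs usually strip padding
    return {
        "label": u.path.lstrip("/"),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", "SHA1").upper(),       # SHA1 is the spec default
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def code_from_uri(uri: str, unix_time: int, honour_algorithm: bool = True) -> str:
    """Generate the code; honour_algorithm=False models an app that always uses SHA-1."""
    p = parse_otpauth(uri)
    alg = p["algorithm"] if honour_algorithm else "SHA1"
    return totp(p["secret"], unix_time, p["digits"], alg, p["period"])


def make_uri(label: str, secret: bytes, algorithm: str, digits: int = 8) -> str:
    """Build a constructed otpauth URI for the example (not a real account)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{label}?secret={b32}&algorithm={algorithm}&digits={digits}&period=30"


# RFC 6238 Appendix B seeds: the ASCII digits repeated to 20, 32 and 64 bytes.
RFC_SEEDS = {
    "SHA1": (b"1234567890" * 2)[:20],
    "SHA256": (b"1234567890" * 4)[:32],
    "SHA512": (b"1234567890" * 7)[:64],
}
# Expected 8-digit codes at unix time 59 (time step 1), from the same appendix.
RFC_EXPECTED_AT_59 = {"SHA1": "94287082", "SHA256": "46119246", "SHA512": "90693936"}


def check_rfc_vectors() -> dict:
    """Return {algorithm: (code honouring the URI, code a SHA-1-only app would show)}."""
    out = {}
    for alg, seed in RFC_SEEDS.items():
        uri = make_uri(f"Example:rfc-{alg.lower()}", seed, alg)   # constructed label
        out[alg] = (code_from_uri(uri, 59), code_from_uri(uri, 59, honour_algorithm=False))
    return out


if __name__ == "__main__":
    for alg, (good, sha1_only) in check_rfc_vectors().items():
        print(f"{alg:6} correct={good} sha1-only={sha1_only} expected={RFC_EXPECTED_AT_59[alg]}")
```

For the SHA-1 vector both columns agree; for SHA-256 and SHA-512 the SHA-1-only column differs from the expected code, which is exactly the mismatch a user sees when the server was provisioned with a non-default algorithm and the app ignores the parameter.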

------
acdha
I'm a big fan of using the Yubico Authenticator instead of Google's apps:

[https://www.yubico.com/products/services-software/download/y...](https://www.yubico.com/products/services-software/download/yubico-authenticator/)

In addition to being supported, it avoids the possibility of a future mistake
leaking TOTP seeds since they're stored on the key rather than the phone.

------
danso
FWIW, the iOS version was last updated on Sept. 12, 2018, a minor update for
iPhone X support and "Minor bug fixes". The second-to-last update, from 2.3.0
=> 3.0.0, was Feb. 2016:

[https://apps.apple.com/us/app/google-authenticator/id3884976...](https://apps.apple.com/us/app/google-authenticator/id388497605)

------
gaia
Surprised there is (thus far) no mention of Authenticator Plus
([https://www.authenticatorplus.com/](https://www.authenticatorplus.com/))
here. I welcome scrutiny of this option (but I am not affiliated in any
capacity with them).

------
ohazi
If Authenticator is actually abandoned, are there any suggested alternatives?

I know I can just get a yubikey, but I'm still not comfortable with the
process for temporarily authenticating on a computer or phone that isn't mine.
In those cases I much prefer to type in a code.

------
bilal4hmed
If you are on Android, I highly recommend Aegis
[https://github.com/beemdevelopment/Aegis](https://github.com/beemdevelopment/Aegis)

It's open source, supports import of keys as well as export, with a very
active dev.

------
lars_francke
I've recently tried switching to YubiKeys to store all my 2FA tokens and only
later learned that they have a hard limit of 32 stored tokens.

Does anyone know of an alternative hardware token that supports more than that
and also all the other protocols that YubiKeys do?

~~~
EthanHeilman
Why can't yubikey use a single root secret and derive all sub-secrets from
that root secret?

~~~
juriansluiman
Because usually the server sends the shared secret and there are just 32 slots
for shared secrets available.

~~~
EthanHeilman
Yubikey and webauthn[0] supports public key authentication where the client
chooses the secret.

[0]: [https://webauthn.io/](https://webauthn.io/)

~~~
juriansluiman
Yes but that's a whole different 2FA implementation, where sites must support
U2F (webauthn). Unfortunately, the implementation of TOTP is far more common
than U2F.

Ideally all sites will implement U2F as two factor authentication, but there
aren't that many users who have a U2F compatible token. The reach of TOTP is
far more beyond U2F, which is probably why sites use TOTP more than U2F.

When sites offer both, choose U2F. When sites offer TOTP only, use it. It is
better than nothing. When you have a yubikey already, use the Yubico
authenticator app to store the TOTP secret to make your TOTP attack surface
less and to have the availability to change your phone without losing TOTP
secrets.

~~~
EthanHeilman
>When sites offer both, choose U2F. When sites offer TOTP only, use it.

This, 100%

In some sense TOTP, basically HMAC, seems like it would be harder to screw up
than a public key system. RSA is amazingly hard to get right. I wonder if the
order of preference should be:

1. U2F ECDSA/EdDSA

2. TOTP

3. U2F RSA ... Infinity. SMS 2FA

No idea where ECDAA [0] fits.

[0]: [https://paragonie.com/blog/2018/08/security-concerns-surroun...](https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet)

------
srathi
I've moved to Authy. They allow a backup password to encrypt all tokens on
their servers. I think that is a valid tradeoff with a random password saved
in Keepass. Otherwise, changing a cellphone (or hard resetting) is an arduous
task.

------
mmis1000
It scans QR codes. It shows the current 2FA code. It ensures no one will be
able to generate your 2FA code without stealing the device physically (because
it can't be backed up).

What else do you need? Why does anyone need to update it if it is completely
fine?

------
exabrial
Wait, can it steal the stored secrets or just codes? I'd love for a utility
that can "steal" the secrets so I can migrate to my yubikey 5c.

~~~
pyt
If you have a rooted Android phone, I wrote a tool to pull secrets from most
popular OTP apps:
[https://github.com/puddly/android-otp-extractor](https://github.com/puddly/android-otp-extractor)

~~~
cesarb
You might not even need a rooted phone. For at least one of these apps, you
can extract the secrets from an ADB backup, which does not need root (it only
needs the developer mode).

~~~
pyt
Interesting. Do you know which one still allows backups?

------
dep_b
I remember even installing Google Authenticator for some kind of Microsoft
project, which seemed to legitimize it even more.

------
derefr
The fact that malware can steal Google Authenticator TOTP seeds means that
non-malware apps on your phone—e.g. other TOTP apps—could _also_ steal (i.e.
import) these seeds, no?

I’d quite enjoy if e.g. 1Password would import all my Google Authenticator
tokens into itself automatically. I’ve been meaning to move them over for a
long while now, but it’s a whole process, since there’s no place in the Google
Authenticator UI to retrieve the original seed value.

~~~
plttn
It's just using the accessibility privileges to look at the contents of the
screen like a screen reader would, and copy the shown code. This isn't quite
as advanced as "stealing your seeds".

------
morpheuskafka
I thought the keyboard apps listed as abandoned at the end of the article were
all rolled into the main Gboard app?

------
metalliqaz
I use the lastpass authenticator and I like it. Works well in conjunction with
the lastpass app

------
bad_user
Website is blocking my access with a challenge that doesn't work :-(

~~~
edent
I've had a few reports of that. Are you using Tor or something similarly
exotic?

~~~
insomniacity
Assuming this is recaptcha, I have heard that sometimes your IP/cookie
reputation can be so bad that they reject valid responses to the challenge.

------
dagaci
Is Microsoft authenticator interchangeable with Google's?

------
thedance
This affects any totp app like Symantec VIP, doesn't it?

------
ISL
Is the app truly abandoned? If there's one 2FA app I wouldn't expect to be
abandoned, it is Authenticator.

------
stuff4ben
At this point should we assume that ANYTHING Google does will be supported in
the future? Fool me once shame on me, fool me over and over again and I'll
replace you with someone who cares. This is a pattern of consumer abuse
(privacy and abandonware) that Google continues to exhibit. Why should we
continue to support them?

