Raivo OTP just deleted all tokens after update and is now asking for money (github.com/raivo-otp)
102 points by parody577 4 months ago | hide | past | favorite | 60 comments



This seems like a case where Tim Apple needs to step in. 'Mobime' should be banned from the App Store and Raivo reverted to a known good version. They have literally shipped ransomware.

Otherwise what point is there in the apple walled garden and trying so hard to avoid sideloading (aka installing)?


It's almost as if the argument of app reviews being both necessary for and effective in increasing app safety was always just a fig leaf, and the real reason is maximizing Apple's "services" revenue.


In this case the App Store is actively harming people by removing their ability to install updates themselves or even access the data files the app is storing on their own device.


You _can_ disable automatic updates and install updates manually. This is what I actually do, ironically for this very exact risk with the Raivo app. I like Raivo, but since it was bought by this shady guy, I thought that by blocking automatic updates I could use the app without the risk of some shady update coming. The only issue is that this is all or nothing, meaning that from time to time I have to go through my list of apps and manually tap on the upgrade button. So glad for that decision now.


"Install updates manually" isn't a very good description of your options here. You can take or leave the updates they choose for you. You have zero ability to inspect or audit said updates, or choose different updates yourself, or go back to previous updates. Rejecting updates may very well leave you exposed to security vulnerabilities and there's nothing you can do about it other than accept the updates or delete the app. And if you want the data stored in the app, you have no option to retrieve it other than what the app developer provides, because Apple prevents you from reading the data stored on "your" phone in any other way.


Apple has a contract with their developers that probably prohibits just rolling back to an old version. As long as the app works, does not violate the AppStore terms and is intended as per the developer, who is Apple to say what they do with it?

I'm not saying that this should not be handled, but... I don't see many good outcomes here.


I think it has violated App Store procedure? The app was under an open source license before, and now it is not, and users were not notified. I think complaining to Apple would be a good move?


Only that the app was never really under an open source license, at least not since 2019. It used to be under CC BY-NC 4.0 but then it changed to a "source available" type of status [0], where any modification, redistribution etc. was prohibited. The previous author explained "Unfortunately I had to apply these restrictions in the license, as people started to redistribute my app to the appstore" [1]. I do not judge the fact of stopping open sourcing it, but he did not stop advertising it as "open source". Even now that the source code is not even available any more, its website calls it "open source" [2].

[0] https://github.com/raivo-otp/ios-application/commit/03791edd...

[1] https://opensource.stackexchange.com/a/13801

[2] https://raivo-otp.com/


Updated URL, after Mobime disabled issues entirely on the repo: https://web.archive.org/web/20240531085449/https://github.co...

See also this conversation, where Mobime requests respect and asks users to "acknowledge the efforts being made to resolve the situation" while blurting out things like "We could have easily suspended the entire repository, but we have chosen to keep it open to reassure you that we are taking all necessary steps to resolve this". Classy.

https://github.com/raivo-otp/ios-application/discussions/369


If anyone is wondering another discussion was completely deleted from that repo earlier: https://archive.ph/cBcTD


All discussions in the repository are now gone. I'm guessing the update they were promising didn't fix anything at all. Yet another reminder why the two big app stores are dangerous and promote anti-user behaviour.

>The newer version is now approved and should be available for download in the next few minutes. This version has been thoroughly tested by our team. iCloud restore is expected to work flawlessly. We are unlocking the discussion to closely monitor the situation. We sincerely apologize for the inconvenience caused.

https://archive.ph/fGnO3


Related discussion: https://news.ycombinator.com/item?id=40521655

The App Store should pitch in and do something for this.


Whenever an app like this is sold to some unknown company there's people who say to give the new owners a chance. This is proof of why that's inherently the wrong approach. Migrate the second you can.


I am one of the victims. Only noticed something was wrong today: Raivo on my iPhone got renamed to Raivo Debug and repeatedly crashed on start.

I've updated the app - what could go wrong - and it seems like I am one of the unlucky ones that got their 2FA codes wiped forever.

There was no option shown for recovery that others mentioned here, and they did not ask for money either.

Now I am going through the pain of recovering each one of my dozens of accounts one by one and moving 2FA codes to 1Password (and 1Password's own 2FA to Google Authenticator on my iPhone). Quite ironically, I had switched to Raivo in an attempt to use fewer Google products.

I would like to report this to Apple (although they did review and approve all revisions - sounds like very little fu*ks they give), but not sure how. The report categories are "Request a refund, Report a quality issue, Report a scam or fraud, Report offensive abusive content, Report illegal content". I've tried "Report a quality issue" (closest to my situation) but then I get "Reporting not available".


Wow, that's horrible. I hope it's something reversible involving the ownership change (the app seems to have been acquired – maybe a new team identifier is preventing access to old keychain groups or something).


So it's "open source" but that doesn't really help people because Apple's policies don't let you sideload a new version yourself, is that right?


Raivo is the Finnish word for “rage”. Seems fitting.


I went on today to realize that the app is acting like this is my first time setting it up and started asking me to pay a subscription. Thank god I exported my data weeks before...I don't even want to imagine what other people are going through right now. I'm so angry and betrayed.


This is oddly similar to the insomnia http client moving to a paid model only. Always turn off auto updates!


Glad I switched to Ente (local, no cloud) months ago AND that I have a backup of all my codes as well.


Well, with all the positive vibes about Ente, it lacks one very important feature: backup codes for manual restore. They only offer the option to export either plain text or an encrypted file that I have no idea how to decrypt.

And the Mac companion was a very useful feature that nobody had done before.


Actually Raivo OTP had a Mac companion app too. Two of them even. One that acted as the same OTP app as mobile, and one that somehow synced the clipboard when copying an OTP code on your mobile app, so it was immediately available on the Mac.

I always assumed that last one was redundant with Continuity that does exactly the same thing, natively, on the Mac though...


> one that somehow synced the clipboard when copying an OTP code on your mobile app, so it was immediately available on the Mac.

iPhones and Macs already do that (syncing their clipboards) as long as they are on the same network or something. It usually works when they are on the same wifi, or if the iPhone is connected to the Mac through USB.


It's via Bluetooth when they're both logged into the same iCloud account.


Yes, if you had read my next sentence, I did call out that feature from Raivo as being redundant...


oops


Lockdown (the TOTP app, not the VPN/firewall app) has both, but it is essentially abandonware now. I wrote my own exporter for it:

https://blog.majid.info/lockdown-export/


Here is how you can decrypt the encrypted file: https://help.ente.io/auth/migration-guides/export#how-to-use...


Sounds like that's still a way out, for anyone who switches now:

https://github.com/raivo-otp/ios-application/issues/332#issu...


Only if you haven't already updated the app, as far as I can tell. (iOS does not offer any way to downgrade apps.)


Ente looks nice, but lacks Apple Watch support. Sticking with 2FAS for now.


Me too after the mobile Authy fiasco. Ente Auth for the win!


What was the mobile Authy fiasco?


I was able to restore my entries after clicking the “Restore” button, and choosing iCloud. However, the export feature is now paywalled.

This is hostageware, plain and simple.

I even had a todo to move away from it after I heard it had been acquired… guess it’s my fault for getting busy and not getting around to it.

One of my rules is to only use software where you can export your data easily. I guess I need to add another rule where I only use software where I control when it updates. That might be impossible with Apple devices though…


It is (or at least used to be) possible to deactivate automatic updates on iOS, but I have them enabled, since it makes sense to me from a security point of view – but maybe this will make me reconsider...

This really makes me appreciate OSes where I can access the data of any application, without the app developer being able to hold it hostage (for a literal ransom, in this case!) on my own device.


Update: If you swipe each individual item to the left, there’s a QR code option. I’m using that to manually export everything to https://itsfoss.com/authenticator/


I think this was a little fucked up of Tijme Gommers at Northwave Cyber Security https://northwave-cybersecurity.com/, original author of this app I assume.

Things I get and appreciate:

- Before selling, great software, nicely working UI etc.

- Taking the risk to create this software.

- Wanted to get some money out of the project.

Things that I don't get:

- Working for a cyber security company and selling your "open source" project to some fishy company without really informing the users with big banners (or changing the name of the app, e.g. Raivo OTP Mobime).

- Knowing fully the risks and importance of this kind of app.

- Not speaking out when shit hit the fan (or helping).

There is no accountability here, only the social goodwill has been broken.

Lessons:

- Don't use automatic updates.

- All software is shit.

- Backup before updates.

- Trust nothing and assume it's going to break at some point.

- Go to the forest and never come back.


I feel like Tijme Gommers should be held accountable for this fiasco as well. He knew exactly what he was doing when he sold to this shady as fuck company and announced it as minimally as possible. For someone who works in an industry so reliant on ethical standards, he has demonstrated that he has absolutely no ethics whatsoever.


Repeat after me: I will never, ever, use proprietary software for important data again.


I genuinely didn't even know about it being sold to a proprietary company until this whole fiasco.


I recently got an Apple phone, never before having owned one. I was dismayed about the options for 2FA apps; there seemed to not be any FOSS ones. I installed Raivo since it was at least source-available and had export features. But you just can't trust anything from the App Store since anything can be uploaded there and you can't roll back. Luckily, I had put off migrating the tokens and it looks like I will be carrying two phones for a while more.


StrongBox and KeePassium are FOSS, although not free as in beer. Been using both for years, pretty happy overall.

- https://github.com/strongbox-password-safe/Strongbox

- https://github.com/keepassium/KeePassium


It was a disaster waiting to happen. I had entirely disabled automatic updates for my iPhone apps specifically because of this kind of risk with this specific app. An OTP app is sold to some totally shady guy, what can go wrong. Though tbh I must say I did not expect extortion; rather I was more afraid of malware that would just steal the TOTPs and sell them on the dark web.


The problem with defending against this "attack vector" orchestrated by Tijme Gommers and MobiMe is that you basically have to check your apps intermittently to make sure they haven't been sold and disable all updates, as you say.

The lesson I've learned is: don't trust anything on the app store controlled by a single guy. In the end the incentive structure is there for him to sell all my data and fuck me over, and indeed that is exactly what he did. Now I just use Apple's own TOTP manager. It's not open source, but they are not incentivised to fuck me over in the way Tijme Gommers did, at least.


I was one of the users who also participated in the discussions, while also participating in inquiries to discover who MobiMe actually is. I think we affected users figured it out, and the person behind MobiMe is the same person listed as the Key Principal for MobiMe's profile on Dun&Bradstreet [3]. There's also other corroborating evidence, while circumstantial and coincidental, that was noteworthy and generated a further sense of suspicion. He would delete every post containing BENABID's full name, and then lock the discussion or delete the discussion entirely. (Don't worry, his name is in public records for the company, it was never private information)

Throughout the entire ordeal, from the beginning of responding to users to the very end, he continued to lie, attempted to deceive, and assumed that we, the damaged users, were fools. I really don't know what he was thinking. Or if he was partially using an LLM to generate responses. If you look at the series of events, from the App Store log of Raivo to his enumeration of the problematic events in question and their causes, which changed multiple times throughout the timeframe of his responses, you would come to the conclusion that he was not acting in good faith at all (which I presumed was happening from the beginning). Any reasonable and impartial observer would come to the same conclusion. Some users lost their 2FA codes, and were locked out of accessing some of their most sensitive and valuable data. Yes, there is an element of personal responsibility (having backup codes, etc.), but the actions committed by MobiMe were and are against not only the App Store TOS, but are also morally wrong (as if he cares about that), and perhaps legally wrong (civilly wrong or even maybe criminally wrong if there is more we don't know). IANAL -- we all know that practically no legal action, civil or especially criminal, will ever come of this. I'm almost certain he is living in an unfriendly jurisdiction that does not enforce cybercrime laws.

Ultimately in the end, like I mentioned above, he eventually deleted all discussions (after previously deleting all issues), then closed all PRs, blocked many users from interacting with the repository, and prohibited anyone from forking the repository and creating a PR. He also reset/removed all poor reviews of Raivo on the App Store. Basically he did everything he said he wouldn't do. Then again, I'd be surprised if he actually kept his word.

Hopefully, if enough people report Raivo OTP to Apple, the new/current dev in control of the project (MobiMe aka Soufiane BENABID) won't be able to intentionally lock out users from their 2FA tokens, because he wouldn't have an Apple Developer account. He currently operates two: the first is MobiMe, which operates Raivo and some other apps, and the second is Soufiane Benabid, which operates some apps that are very similar to the apps under MobiMe. Basically the theme with him is that he tries to squeeze as much money out of the user as possible. He controls a few domains too (literally just ~4 IIRC).

In sum, he sucks, and the (impulsive?) decision to sell Raivo (which was never open source to begin with, despite being marketed that way) to a super shady company without a proper transition, coupled with said shady company proceeding to turn the app into ransomware-lite, is just an unfortunate and regrettable series of events.

If you want to read the lore regarding this entire incident (you've already read enough of this comment), here you go [0][1][2][3].

[0]: https://archive.ph/fGnO3

[1]: https://archive.ph/m8xk6

[2]: https://archive.ph/X8shn

[3]: https://archive.ph/094wM


Very well put together. Did you report his dev account? I did.


I've reported his GitHub account [0] and reported Raivo (on his first account) [1], but I haven't reported an app from his second account [2] because I have yet to see evidence of wrongdoing, though I would be surprised if there is absolutely no wrongdoing of any kind. Additionally he controls the following domains [3] [4] [5] [6] [7]. If his real name isn't Soufiane Benabid, whatever his real name is, he (MobiMe) also uses the name Soufiane Benabid to publish other apps on the App Store under that respective account.

[0]: https://github.com/mobime-org

[1]: https://apps.apple.com/us/developer/mobime/id1502822219

[2]: https://apps.apple.com/us/developer/soufiane-benabid/id93880...

[3]: https://mobime.org/

[4]: https://mobime.ma/

[5]: https://plantme.ai/

[6]: https://cryft.com/ (see https://cryft.com/terms & https://cryft.com/privacy)

[7]: https://benabid.me/


I reported it to the App Store and all users should. This was a train wreck ransom attempt.


Wow, there are a lot of unhappy (now ex-)users filing issues in that repo. :( :( :(


The repo for the iOS app has not been updated in months so the new company that purchased the app last year (and was known at the time to be sketchy) has clearly made whatever changes behind the scenes.


Tweet for acquisition announcement,

https://x.com/RaivoOTP/status/1683372954002808833

Happened in July 2023 and got acquired by Mobime.


Heh Heh Heh

    Rest assured, nothing will change for you, except for more support and development
    on the Raivo ecosystem.
Doesn't seem like that's gone at all according to plan.


They support Raivo like a noose supports the hanged man.


I don’t ever think I’ve seen an issue tracker that upset before.


get filtered by trusting a third party with your passwords


This is ridiculous. I'm just thankful for the fact that I added all the OTP secrets in Bitwarden in case I ever were to upgrade to Premium. Today I did that...


but their site says "This website is a labor of love by Raivo's community on Github."

certainly repeating "love" and "community" while getting donated graphic design is all the proof anyone needs </s>


New owner, unchanged marketing site


How much more insanity can we manage to wrap around hash(key + timestamp)?

https://news.ycombinator.com/item?id=33245042


The hash isn't hard; storing the key both securely and in a way that prevents accidental loss is quite hard.
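Added example (not code from the thread, from Raivo, or from any of the apps named above): the two comments above reduce TOTP to hash(key + timestamp); what RFC 6238 actually specifies is an HMAC over a time-step counter, dynamically truncated. The Python below parses an otpauth://totp/ URI of the kind the per-item QR-code export mentioned earlier yields, computes the code, and verifies a code with a small drift window. The sample URI is constructed for this example; its Base32 secret is the RFC 6238 reference secret, so the codes it produces can be checked against the RFC's published vectors, which is a cheap way to confirm that a secret exported from one authenticator will produce the same codes in the next one before you throw the old app away.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the label and issuer are made up; the secret is the
# RFC 6238 reference key "12345678901234567890" in Base32, not a real account.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30"
)


def parse_otpauth(uri):
    """Parse an otpauth://totp/<label>?secret=...&... URI into an entry dict.

    Only the TOTP type is handled; an otpauth://hotp/ URI (counter based) is
    rejected rather than silently treated as time based.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    # Exports frequently omit Base32 padding, add spaces, or use lower case.
    secret = q["secret"][0].strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    algorithm = q.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm %s" % algorithm)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "key": base64.b32decode(secret, casefold=True),
        "algorithm": algorithm,
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(key, 8-byte big-endian counter), then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238: the counter is floor(unix_time / period), not the raw timestamp."""
    now = int(time.time() if at is None else at)
    return hotp(entry["key"], now // entry["period"],
                entry["digits"], entry["algorithm"])


def verify_totp(entry, code, at=None, window=1):
    """Accept a code from the current step or up to `window` steps either side.

    Uses a constant-time comparison; the window bounds clock drift between the
    phone and the server. Server-side you would also refuse reuse of a step.
    """
    now = int(time.time() if at is None else at)
    step = now // entry["period"]
    for candidate in range(step - window, step + window + 1):
        expected = hotp(entry["key"], candidate, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    print(entry["label"], "current code:", totp(entry))
    # RFC 6238 Appendix B, SHA1, 8 digits: T=59 -> 94287082
    print("T=59 ->", totp(entry, at=59))
```

Usage: paste the URI decoded from an exported QR code into `parse_otpauth` and compare `totp(entry)` against the code the old app shows for the same account; if they agree, the exported secret, digits, period and algorithm are intact. The RFC vectors (for example T=59 giving 94287082 with the 8-digit SHA1 settings above) are a second check that the implementation itself is right.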




