
Encrypted(?) Storage #14

Closed
kelna opened this issue Jun 6, 2018 · 12 comments

Comments

@kelna

kelna commented Jun 6, 2018

I have some questions: How does the app store keys? And how does it export them to external storage (e.g. GDrive)? Do you employ encryption? Thank you!

@Lekensteyn

The tokens are not encrypted and I think that it is possible to have them backed up (either through adb backup or through GDrive).

allowBackup is true, which means that external backups and Google backups are allowed:

```xml
<application
    android:allowBackup="true"
```

The normal SharedPreferences storage is used with MODE_PRIVATE. This just means that other apps cannot access it, but it is not encrypted in any way:

```java
public TokenPersistence(Context ctx) {
    // MODE_PRIVATE only keeps other apps out; the preferences file itself is written in plaintext
    prefs = ctx.getApplicationContext().getSharedPreferences(NAME, Context.MODE_PRIVATE);
    gson = new Gson();
}
```

To actually employ encryption, the KeyStore API should be used:
https://developer.android.com/reference/java/security/KeyStore

@kelna
Author

kelna commented Jun 18, 2018

To actually employ encryption, the KeyStore API should be used:

Seems to be a good idea. Does this mean that the original FreeOTP stores the keys unencrypted as well?

@Lekensteyn

Does this mean that the original FreeOTP stores the keys unencrypted as well?

That is correct, the original FreeOTP implementation also lacks encryption. Their developers are open to implementing it though, indeed using the KeyStore API: freeotp/freeotp-android#6 (comment)

There is one PR to implement this; I have not reviewed it though, and mention it since it was referenced from the previous issue: freeotp/freeotp-android#150

@itsKV

itsKV commented Oct 3, 2018

Facing the same issue. Every time I take a backup, the .json file remains in phone storage in plaintext. It's obvious to keep it in the same location and forget about it. Also, keeping a backup in plaintext is not recommended.

@helloworld1 Kindly implement.

@helloworld1
Owner

Yes, encryption support is still on my todo list. I don't think FreeOTP+ can actually use the KeyStore API because the data needs to be stored elsewhere and restored on a different device.
I am thinking about using simpler (weaker) symmetric crypto to just encrypt the secret part of the data.
Also, I would like to have PIN / fingerprint support, which requires quite some more work. If you are aware of any libraries to help with the UI of PIN / fingerprint, it would be a great help here.
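A portable sketch of the scheme discussed above (a PIN-derived key sealing only the secret field, so the export can be restored on another device, unlike the plaintext SharedPreferences/backup path described earlier), added here as an example that is not FreeOTP+ code. The class name, the PBKDF2 iteration count, the "salt:nonce:ciphertext" layout and the sample secret are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper: only the OTP secret is sealed; issuer/label can stay readable in the export.
public final class PinSealedSecret {
    // A short PIN has very little entropy, so offline guessing of an exported file is the main risk;
    // a high iteration count and a per-record salt slow that down but do not remove it.
    private static final int ITERATIONS = 600_000;
    private static final SecureRandom RNG = new SecureRandom();

    private static SecretKeySpec deriveKey(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns "salt:nonce:ciphertext" in Base64, with a fresh salt and nonce per call. */
    public static String seal(String secret, char[] pin) throws Exception {
        byte[] salt = new byte[16], nonce = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pin, salt), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder e = Base64.getEncoder();
        return e.encodeToString(salt) + ":" + e.encodeToString(nonce) + ":" + e.encodeToString(ct);
    }

    /** A wrong PIN or a tampered field fails the GCM tag (AEADBadTagException) instead of yielding garbage. */
    public static String open(String sealed, char[] pin) throws Exception {
        String[] p = sealed.split(":");
        Base64.Decoder d = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pin, d.decode(p[0])), new GCMParameterSpec(128, d.decode(p[1])));
        return new String(c.doFinal(d.decode(p[2])), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String sealed = seal("JBSWY3DPEHPK3PXP", "1234".toCharArray()); // constructed sample secret and PIN
        System.out.println(open(sealed, "1234".toCharArray()));
        try { open(sealed, "0000".toCharArray()); } catch (AEADBadTagException ex) { System.out.println("wrong PIN rejected"); }
    }
}
```

The same javax.crypto classes are available on Android, but the work factor should be tuned to the device and the PIN kept out of logs and long-lived Strings.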

@itsKV

itsKV commented Oct 5, 2018

I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.

https://facebook.github.io/conceal/
https://github.com/google/tink
https://github.com/google/capillary
https://github.com/simbiose/Encryption

Hope, this helps.

@bluikko

bluikko commented Nov 8, 2018

I don't do ('don't know', precisely) any coding part. But, while lurking on the internet, I came to know about some of the open source encryption libraries which can be implemented in Android applications very efficiently.

I understood the comment was asking about libraries for the user interface part for PIN or libraries for fingerprint, not for encryption.

@itsKV

itsKV commented Nov 9, 2018

Encrypting tokens using any of the suggested libraries with a user PIN/fingerprint hash will be sufficient.

@unicorntaco

encryption support is still on my todo list.

How about lifting from another project?

https://github.com/andOTP/andOTP

@helloworld1
Owner

@unicorntaco I found the implementation of andOTP pretty good and convincing. I wonder what the advantage of FreeOTP / FreeOTP+ is. Also, FreeOTP+ provides the capability to migrate to andOTP.

@lemmy04

lemmy04 commented Mar 12, 2021

One big advantage of the original FreeOTP is that it uses a decent layout on tablets... see #121

@helloworld1
Owner

Let's consolidate the discussion in #128
