Bitcoin Forum
Author Topic: Interested in creating an alternate 2FA app for Android?  (Read 1946 times)
CIYAM (OP)
Ian Knowles - CIYAM Lead Developer
July 15, 2013, 02:56:54 PM
 #21

I didn't check the details but I assume it does that for time synchronization.

That'd be another improvement for a version based on it: issue a warning (or disable the key altogether) if the device goes back in time. With the current version it's perfectly fine to enter flight mode, set the time at some point in the future, store the generated code and set the time back.

A good point and something for further investigation.

Oh, and btw, in case you missed this, Google Authenticator is open source (Apache License) : https://code.google.com/p/google-authenticator/

BTW as the CIYAM open source project uses MIT/X11 is that going to make it problematic to simply drop in that source code (as I am only interested in using the pretty much open slather licensing that MIT/X11 allows)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
btchip
CTO, Ledger
July 15, 2013, 03:08:59 PM
 #22

http://www.tldrlegal.com/compare?a=MIT+License&b=Apache+License+2.0+(Apache-2.0) seems to agree on merging code (with conditions, not replacing one with the other, of course)

(btw, great site name :D)

CIYAM (OP)
July 23, 2013, 12:10:22 PM
 #23

Well - I have put together my own version (to avoid licensing issues) that does "Google 2FA" now (the following sample source is using a test vector that I found in researching this so both the "key" and "tm" are hard-coded for the test):

Code:
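// Fragment: needs <string> and <cstdint>; base32::decode( ) and hmac_sha1( )
// are helpers that are not shown in this post.
string key( "MZXW633PN5XW6" ); // base32 shared secret, written without '=' padding
string secret = base32::decode( key );

// "tm" is used as the 8-byte big-endian counter that gets HMAC'd
// (for TOTP this is the Unix time divided by the 30 second step).
uint64_t tm = 43499885;
uint8_t challenge[ 8 ];
for( int i = 8; i--; tm >>= 8 )
   challenge[ i ] = ( uint8_t )( tm & 0xff );
string message( ( const char* )&challenge[ 0 ], 8 );

uint8_t hash[ 20 ];
hmac_sha1( secret, message, hash );

// Dynamic truncation: the low nibble of the last hash byte selects
// the start of a 4-byte big-endian window (offset is 0..15).
int offset = hash[ 19 ] & 0xf;
unsigned int truncatedHash = 0;
for( int i = 0; i < 4; ++i )
{
   truncatedHash <<= 8;
   truncatedHash |= hash[ offset + i ];
}

// Clear the top bit, then keep the last six decimal digits.
truncatedHash &= 0x7fffffff;
truncatedHash %= 1000000;

// Left-pad with zeros so the PIN is always six characters long.
string pin = to_string( truncatedHash );
while( pin.length( ) < 6 )
   pin = '0' + pin;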

It's much uglier than the 3 line algo using SHA256 but I guess I won't be lectured now for "rolling my own crypto" with it. :)

Also interestingly enough from what I've read Google Authenticator does *not* strictly adhere to the RFC (I think this might be due to the way it does base32 conversions as it doesn't deal with padding).

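A cross-check for the snippet in post #23, added here as an example and not code from any poster in this thread: the same HOTP/TOTP computation in Python (chosen because its standard library already provides HMAC-SHA1 and base32), with key decoding that accepts keys written without `=` padding, as in the test key above. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def decode_key(key_b32: str) -> bytes:
    """Decode a base32 key as apps display it: any case, spaces, no '=' padding."""
    cleaned = key_b32.replace(" ", "").upper().rstrip("=")
    # base32 works in 8-character groups; restore the padding b32decode requires.
    # Lengths that no byte string can produce (1, 3 or 6 mod 8) still raise.
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[19] & 0x0F  # low nibble of the last byte picks the window
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step."""
    return hotp(secret, unix_time // step, digits)


if __name__ == "__main__":
    # Key and counter value from the post above ("key" and "tm").
    print(hotp(decode_key("MZXW633PN5XW6"), 43499885))
    # RFC 4226 Appendix D vector: ASCII secret, counter 0 -> 755224.
    print(hotp(b"12345678901234567890", 0))
```

Checking an implementation against the published RFC 4226 and RFC 6238 vectors before trusting it with a real key catches byte-order and truncation mistakes that a single hard-coded test value can miss.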
CIYAM (OP)
July 24, 2013, 05:49:40 AM
 #24

Okay - I did find this fork of Google Authenticator: https://github.com/kaie/otp-authenticator-android but it still needs the Network permission to install the .apk.

I don't think it is worth 5 BTC to just remove this capability - but if someone would like to clone it and do just that then I will be happy to offer a 2 BTC reward.

kactech
July 24, 2013, 11:38:33 AM
 #25

Indeed, very little work :)
https://github.com/kactech/otp-authenticator-android/commit/ed1a664a23c75f53f813a690987060b042d134f0
binary
https://dl.dropboxusercontent.com/u/24177759/tmp/Google_Authenticator.apk
CIYAM (OP)
July 24, 2013, 11:54:00 AM
 #26

Indeed - I had no idea it would be a one-liner.

Well - if you don't mind could you also remove the "vibrate" permission (I don't see any reason for it to be doing that either) and then give me a BTC address.

kactech
July 24, 2013, 12:00:54 PM
 #27

Here you go https://github.com/kactech/otp-authenticator-android/commit/1591300b8c8a957e0db8222e3bfa0eda76e5b421
Binary updated.
But I have to check if it won't crash without vibra! :)
CIYAM (OP)
July 24, 2013, 12:05:11 PM
 #28

Thanks - and a promise is a promise so I will pay 2 BTC for this (you can PM the address if you don't want it public or just put it in a reply here).

kactech
July 24, 2013, 12:11:21 PM
 #29

My BTC address 1KFy5cc4tkLXZm2FVKgeUxouMs4M7UYp7A
CIYAM (OP)
July 24, 2013, 12:16:04 PM
 #30

My BTC address 1KFy5cc4tkLXZm2FVKgeUxouMs4M7UYp7A

2 BTC sent - https://blockchain.info/tx/ff7973b3c7129562dc94a70ebcf2b848c19eb5d7aba60679b6701a17a699f34c - well done!

Also if you are interested in http://ciyam.org/open/?cmd=view&data=20121223024638595000&ident=M100V131&chksum=06d7fdb4 then I might put some BTC towards that.

kactech
July 24, 2013, 12:30:54 PM
 #31

Thank you CIYAM Open!
What great people here, why did I wait so long to join this forum?
Had to PM this MAN, incredible...