airlock / airlock-example-scripts

MIT License

Airlock 2FA on GrapheneOS? #4

Open jonathancross opened 2 years ago

jonathancross commented 2 years ago

Hello @orltom, I was not able to find a repo for the actual Airlock 2FA Android app, so please excuse me adding this here. I am trying to use this app on GrapheneOS (a fork of AOSP). The app seems to be working fine with Google Play Services installed, but simply doesn't recognize the account setup QR code. Any tips / suggestions would be appreciated. Thanks!

Cross posted: https://www.reddit.com/r/GrapheneOS/comments/wpqhkm/airlock_2fa_app_on_grapheneos/

mdoujak commented 2 years ago

Hi jonathancross,

The Airlock 2FA app is officially supported only for devices running iOS or Android operating systems, and for the latter, having the Google services up and running. Nevertheless, we are aware of reports from a few users that were able to install and use the app in some alternative setups like, for instance, devices running the e OS (https://e.foundation). We haven't heard from any user running GrapheneOS, but it should be similar in most aspects.

In your case, we have understood that the app seems to run correctly, but the enrollment seems to fail. Such failure can have multiple causes:

  1. Time and date synchronization only allows a drift of a couple of seconds.
  2. The QR Code to be scanned must be issued by a service that is integrated with the Airlock 2FA app. Some service providers use custom apps and the Airlock 2FA app will report an invalid QR code.

Please note: the majority of the app's functionalities may work in such a setup, but some may not work. It may be that push notifications are not delivered since they rely on Google's Firebase messaging. You will still be able to authenticate by manually opening the app during authentication.

I hope this helps. If not, can you provide us with more details as to what seems to be working and where the problems start?

mike

jonathancross commented 2 years ago

Thank you Mike!

> In your case, we have understood that the app seems to run correctly, but the enrollment seems to fail.

Well, it doesn't even fail... the QR code scanning for enrollment loads the camera, shows me the target, but simply doesn't recognize the QR code my bank is displaying. No error is shown by the app at all; it just continues to act as though the QR code is not on screen yet. I've tried zooming (larger QR code), moving the phone closer or farther, holding still for 30+ seconds, etc.

The built-in QR code scanner works fine and scans the QR code in < 1 sec.

NOTE: This enrollment process works fine with Airlock 2FA running on an Android phone.

> Time and date synchronization only allows a drift of a couple of seconds.

Okay, that is a very tight window. I'll ensure the clock is correct and try again.

Okay, I checked and time is perfect.

Still, I would expect an error message (eg "bad TOTP") if the time sync fails, correct?

> The QR Code to be scanned must be issued by a service that is integrated with the Airlock 2FA app. Some service providers use custom apps and the Airlock 2FA app will report an invalid QR code.

The bank is working with Airlock 2FA exclusively. Enrollment and authentication are currently working perfectly from Android phones. After a few minutes, the bank website shows an error and says to try again, but I think it is just a normal timeout.

Given that I can scan the QR code data (with the built-in app) -- Is it easy to decode this QR code value to something I can manually input into the app? (I understand there might be security concerns, but I can ensure the seed is wiped from computer, etc)

> the majority of the app's functionalities may work in such a setup, but some may not work

Yes, of course. I'm prepared to deal with these small pieces of missing functionality.

Thanks!

Edit: Updates made above after trying your suggestions.

jonathancross commented 2 years ago

RE: Google's SafetyNet attestation service vs hardware attestation... This might be helpful: https://grapheneos.org/articles/attestation-compatibility-guide

Generally, Android apps work perfectly on Graphene, unless they assume access to a feature which the OS restricts for privacy / security reasons. Any suggestions where I might look? Are these required for example?

mdoujak commented 2 years ago

Thanks for the additional information.

> Generally, Android apps work perfectly on Graphene, unless they assume access to a feature which the OS restricts for privacy / security reasons. Any suggestions where I might look? Are these required for example?

  • Sensors

I would suggest that you investigate the security settings for the sensors. It may be that the Airlock 2FA app is not able to scan the QR Code because it is not allowed to use the camera. This would of course work in the native camera app.

I hope this helps!

mike

jonathancross commented 2 years ago

The camera seems to be working fine, shows video in the app with overlay of the QR code "target", etc. Does it use Google services somehow to recognize the QR code?

RE: Sensors...

No permissions are denied to the app.

I don't think there is anything I can necessarily do, but are there particular other sensors that the app uses?

> Given that I can scan the QR code data (with the built-in app) -- Is it easy to decode this QR code value to something I can manually input into the app?

Any info you can provide about decoding the QR data for manual input?

Thanks.

mdoujak commented 2 years ago

Our app uses the underlying features of the operating system to scan and interpret QR codes.

GrapheneOS provides this tiny bit of information on the camera:

> Google Camera: Google Camera can be used with the sandboxed Google Play compatibility layer and can take full advantage of the available cameras and image processing hardware as it can on the stock OS. It currently only depends on GSF and can be used without Play services (GMS) or the Play Store.

Since you wrote earlier that the Airlock 2FA app seems to work with the "Google Play Services" installed, I think you already have this compatibility layer. So as a result, I would expect the app to work, even if GrapheneOS is not on our list of supported operating systems.

Unfortunately, the implementation of an enrollment service that does not require a camera is still quite some time in the future.

I am sorry that I was not able to be of more assistance to resolve this issue. Should you gain more insights into what is causing your problem (e.g. local logs from your operating system) or even better find a working solution, please let us know.

regards, mike

jonathancross commented 2 years ago

> "Google Play Services" installed, I think you already have this compatibility layer. So as a result, I would expect the app to work...

Yes, it is installed and setup. I also expected it to just work.

> Unfortunately, the implementation of an enrollment service that does not require a camera is still quite some time in the future.

The app has a tab for "Manual Entry" of an "activation code"... Is this not a way to enroll without QR code?

mdoujak commented 2 years ago

Yes, the app already supports this functionality but the server does not (yet) support it. As I wrote, this feature is on the roadmap, but it is still quite some time in the future. I cannot be more specific since the implementation of the feature is one thing but then there is also deployment into the production environment of your specific service provider. This takes at least several months up to several years.