amtjre / lwuitgauthj2me

Automatically exported from code.google.com/p/lwuitgauthj2me
1 stars 0 forks source link

"Edit account" mode mode reveals the key in plain text #4

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Steps to reproduce the problem:
1. Go to "Create new account" screen, fill in both fields, choose "Create 
account".
2. After step 1 software starts generating tokens. Go to "Edit account" screen 
for the account created in step 1, there we can clearly see the key in plain 
text. This allows any attacker with brief physical access to the device running 
this software to easily copy the key and later reenter it into any 
"google-authenticator" software thus creating a cloned authentication device 
operated by the attacker.

Possible fix:
1. In "Edit account" mode the key should be always hidden, no editing and only 
replacing it with a different key should be allowed.

Software version tested: 1.0.1
Operating system: Symbian OS version 9.3
Device: Nokia C5-00

Original issue reported on code.google.com by ain...@gmail.com on 6 Nov 2011 at 4:17

GoogleCodeExporter commented 8 years ago
Physical access is always difficult to counter. The app needs to store the key 
in a retrievable way, so there hashes are not an option like for user 
authentication. In order to increase security there would be the 2 
possibilities:

1. add an password with which the key is encrypted. Personally this would be a 
too great hassle for me to type an password each time I want to get an OTP

2. Hide and make the key uneditable. I implemented this solution in the 
attached version. The only drawback is that if you want to change the key you 
need to delete the account and create a new one.

Original comment by Rafael.B...@gmail.com on 6 Nov 2011 at 9:50

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks for your quick reply.

I tested "GoogleAuthenticatorJ2ME_1.0.1 no password editing.jar". As you 
stated, this new version no longer allows editing of the key, which I think is 
ok and is a small price to pay for increased security. But it still shows the 
key in plain text on the screen. Could you make it so it is not shown on 
device's screen?

P.S. I would fix it myself but unfortunately I don't know java :(

Original comment by ain...@gmail.com on 7 Nov 2011 at 11:10

GoogleCodeExporter commented 8 years ago
I don't know why it still showed the key in plain text. Today I had bit of time 
and removed the secret key textbox from the edit account screen. This should do 
it.

Original comment by Rafael.B...@gmail.com on 9 Nov 2011 at 11:57

Attachments:

GoogleCodeExporter commented 8 years ago
Tested the latest version, now it works fine and the issue is solved.
Many thanks!

Original comment by ain...@gmail.com on 9 Nov 2011 at 2:04

GoogleCodeExporter commented 8 years ago
Your are welcome. I uploaded this version as Release 1.1.0 for everyone to 
download

Original comment by Rafael.B...@gmail.com on 9 Nov 2011 at 2:26