beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0
8.72k stars 369 forks

Support for importing FreeOTP 2.0 encrypted backups #1084

Open johnnynoone opened 1 year ago

johnnynoone commented 1 year ago

In version 2.0, FreeOTP gained the ability to export backups. The backups are encrypted and Aegis is currently unable to import them.

Additionally, 2.0 update notes say that tokens were migrated to KeyStore. As far as I understand, this might mean that the old method of importing the xml file no longer works.

alexbakker commented 1 year ago

Sounds good to me, feel free to submit a PR!

(And indeed, the fact that FreeOTP now uses the Android Keystore for encryption means that we probably can't import directly from the app's internal storage anymore. Importing the backup file should be possible, though)

corobin commented 1 year ago

wow freeotp got an update? I thought it was abandoned!

Greenheart commented 1 year ago

What would this require technically? As a user, it seems like FreeOTP encrypted backups create a file called externalBackup.xml which actually contains a mix of JSON and plain text data. Interestingly, this file contains cleartext details about the tokens in the backup (including emails and app names). Only the actual HOTP/TOTP secrets seem to be encrypted.

To load the FreeOTP backup into Aegis, all that seems to be needed is the main passphrase that was entered into FreeOTP when first installing the app (or upgrading to v2+). For implementation details, perhaps the FreeOTP codebase can show how to make the import of decrypted backups.

Since FreeOTP uses the Apache 2 license, it should be possible to include code inspired by FreeOTP (for example related to handling encrypted backups) in Aegis.

alexbakker commented 8 months ago

I took a quick look at this today, but I don't think we'll be adding support for this until https://github.com/freeotp/freeotp-android/issues/381 is addressed.

AdamWill commented 4 months ago

just to confirm, there's no functional way to import from freeotp at all atm (not just backups), as the original reporter and alex suspected. the 'import from app' route tries to import from a file called tokens.xml that doesn't exist any more, if you copy tokenStore.xml to tokens.xml it fails with a bunch of errors about missing algo and secret values. might be good to change the title of this issue to make the scope clearer?

alexbakker commented 4 months ago

Only import from FreeOTP 2.0 and newer doesn't work. We've added a hint to allude to this (#1204) but perhaps there are a couple more places where we should make this explicit. Patches welcome.

juleskers commented 1 month ago

> Only import from FreeOTP 2.0 and newer doesn't work. We've added a hint to allude to this (#1204) but perhaps there are a couple more places where we should make this explicit. Patches welcome.

I've found an additional spot to add "1.x": in the import-file dropdown, see PR #1408