google / google-authenticator-android

Open source fork of the Google Authenticator Android app
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Apache License 2.0

Block screenshots #112

Open Tethik opened 4 years ago

Tethik commented 4 years ago

Change Description

This adds a toggleable setting to block screenshots from the main AuthenticatorActivity. By default that setting is set to true. Fixes #50

Unfortunately I haven't been able to run the tests as they make my poor laptop go OOM. I tested it on a test device though. I've also had to upgrade the build tools etc to get the project to run, but I omitted it from this PR to keep it contained.
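For readers who want to see what such a setting toggles under the hood, here is an added sketch of the relevant Android API (`WindowManager.LayoutParams.FLAG_SECURE`). This is illustration code, not the PR's diff; the class name and the preference key are assumptions.

```java
import android.app.Activity;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.preference.PreferenceManager;
import android.view.WindowManager;

// Hypothetical activity showing a user-toggleable screenshot block.
public class ScreenshotBlockingActivity extends Activity {
    // Assumed preference key; the PR's real key name is not visible on this page.
    static final String PREF_BLOCK_SCREENSHOTS = "block_screenshots";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Apply the policy before any content is attached so that even the
        // first drawn frame is protected.
        applyScreenshotPolicy();
        // setContentView(...) would follow here.
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-read the preference: the user may have changed it in Settings
        // while this activity sat in the back stack.
        applyScreenshotPolicy();
    }

    private void applyScreenshotPolicy() {
        SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(this);
        // Default to true: secure unless the user explicitly opts out.
        boolean block = prefs.getBoolean(PREF_BLOCK_SCREENSHOTS, true);
        if (block) {
            // FLAG_SECURE excludes this window's content from screenshots,
            // screen recording (MediaProjection) and non-secure displays.
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        } else {
            getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
        // Caveat: FLAG_SECURE only affects pixel capture. It does not stop an
        // accessibility service from reading the on-screen text, which is a
        // separate vector from screenshots.
    }
}
```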

ThomasHabets commented 4 years ago

Thank you! I'll try to find the best person to review this, and make sure it gets into the Play Store version.

I'm bouncing round the world at the moment, so apologies for delays.

Tethik commented 4 years ago

No worries. I'm actually aiming to implement another feature (folders), so I took this one from the issues as a sample to get into the code. From my end there is no rush to release this :)

frankenstein91 commented 4 years ago

Since, according to the German press, there is malicious code in the works that is supposed to take advantage of this missing protective function, but we can take the wind out of its sails with the combined power of open source... what help does @ThomasHabets need from the community? I think we could find a good helper for each area.

ThomasHabets commented 4 years ago

Partially copying this from the other bug

The issue recently in the press is, as I understand it, entirely about accessibility functionality that can't (?) be disabled (and for good reason, because accessibility), not about this issue, which is about screenshots.

Also, for other people coming here from ZDNet:

FYI: The version in Google Play Store / Apple App store is not the same as this opensource version. They've diverged. This opensource version is also unlikely to end up in the app stores. This open source version doesn't get much love, but I'll accept well-written pull requests.

In other words: This bug does NOT track the issue described in the article, for two reasons:

  1. This bug is about screenshots, which AFAIK is not the same issue
  2. This repo does not contain the code for Google Authenticator that you can find in any app store whatsoever

So I guess, @frankenstein91, what the community can do is to confirm what API exactly is the relevant one. This pull request seems to disable screenshots, yes, but does it do anything at all to the risk mentioned in the press with this malware? "They" tell me no, it won't.

frankenstein91 commented 4 years ago

I didn't know about the split, sorry.

I found this article in the online magazine https://www.golem.de/news/google-authenticator-2fa-codes-lassen-sich-einfach-abgreifen-2003-147119.html. Since the second link led into this software, I thought it could be solved by the already opened request.

I think the article, which at least I read, is only about the screenshot function.

Diesmo commented 4 years ago

> Also, for other people coming here from ZDNet:
>
> In other words: This bug does NOT track the issue described in the article, for two reasons:
>
>   1. This bug is about screenshots, which AFAIK is not the same issue

I'm a bit confused, you are talking about the ZDNet article and how the security flaw they describe over there is not relevant to this PR/screenshot function, but then again this is what the ZDNet article which you linked says:

If an account was protected by 2FA, and namely by the Google Authenticator app, the malware was designed to allow the Cerberus gang to connect to a user's device manually, via its RAT features. Hackers would then open the Authenticator app, generate one-time passcodes, take a screenshot of the codes, and then access the user's account. ThreatFabric's discovery was a significant one. Not only was Cerberus the first-ever Android malware that was stealing one-time 2FA codes, but it was also doing so using a simple technique -- by screenshotting the Authenticator app's interface.

For me this sounds exactly like the problem that the PR approaches. Removal of the screenshot function inside a 2FA app so malware can't send the codes somewhere.

And reading six digit numbers from a picture is not hard by any means, there are more than enough pre-trained models for this task, which can be set up and running in 10 mins.