google / google-authenticator-android

Open source fork of the Google Authenticator Android app
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Apache License 2.0

Help request - decode otpauth-migration://offline?data= uri #118

Open hellozyemlya opened 4 years ago

hellozyemlya commented 4 years ago

Hi. I want to extract my original code to use it in third-party apps. But the offline migration URL contains some strange info that I don't know how to extract. Can anyone help extract the data in such a URL payload?

OmarWKH commented 4 years ago

The data is in Google's protocol buffer format and encoded with base64.

Aegis is already able to decode it.

It would be nice to have more official documentation like the one for otpauth.

alexbakker commented 4 years ago

I wrote a brief article about the format here. That should have all the info you need to parse it.

dim13 commented 4 years ago

> I wrote a brief article about the format here. That should have all the info you need to parse it.

The digits field is however an enum. As far as I could reverse-engineer the format, the proto file should read:

```proto
syntax = "proto3";

message MigrationPayload {
    enum Algorithm {
        ALGORITHM_UNSPECIFIED = 0;
        ALGORITHM_SHA1 = 1;
        ALGORITHM_SHA256 = 2;
        ALGORITHM_SHA512 = 3;
        ALGORITHM_MD5 = 4;
    }
    enum DigitCount {
        DIGIT_COUNT_UNSPECIFIED = 0;
        DIGIT_COUNT_SIX = 1;
        DIGIT_COUNT_EIGHT = 2;
    }
    enum OtpType {
        OTP_TYPE_UNSPECIFIED = 0;
        OTP_TYPE_HOTP = 1;
        OTP_TYPE_TOTP = 2;
    }
    message OtpParameters {
        bytes secret = 1;
        string name = 2;
        string issuer = 3;
        Algorithm algorithm = 4;
        DigitCount digits = 5;
        OtpType type = 6;
        int64 counter = 7;
    }
    repeated OtpParameters otp_parameters = 1;
    int32 version = 2;
    int32 batch_size = 3;
    int32 batch_index = 4;
    int32 batch_id = 5;
}
```

crazygit commented 4 years ago

> as I could reverse-engineer the format,

Could you share how to reverse-engineer the format, thanks!

dim13 commented 4 years ago

Careful thoughts and some help from an APK decompiler for the clues. As far as I can tell, the version above is correct and complete.

If you like, also take a look at my Go implementation of a link extractor: https://github.com/dim13/otpauth

crazygit commented 4 years ago

> Careful thoughts and some help from an APK decompiler for the clues. As far as I can tell, the version above is correct and complete.
>
> If you like, also take a look at my Go implementation of a link extractor: https://github.com/dim13/otpauth

thanks

alexbakker commented 3 years ago

@dim13 You're right, I checked again and it appears I missed some stuff. While Google Authenticator certainly doesn't support the extra digits/algorithm options, I've updated my post for completeness' sake.

dim13 commented 3 years ago

@alexbakker on second thought, as it looks like, all int32 fields may be unsigned however. Not quite sure about the counter field too. From the compiled files it is not quite clear which to choose, as they converge to the same type in Java: https://developers.google.com/protocol-buffers/docs/proto3#scalar But I've run into negative version numbers, which indicates unsigned types.

alexbakker commented 3 years ago

@dim13 I've only seen negative batch IDs. While more correctness would be nice, the other integers are unlikely to ever be large enough for the sign to matter.

dim13 commented 3 years ago

@alexbakker You're right, I think it was a batch_id I've run into.
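
The following is an added example, not code from this repository or from any of the commenters, that puts the two technical points of the thread together: it parses an `otpauth-migration://offline?data=` URI by hand-decoding the protobuf wire format according to dim13's `MigrationPayload` proto above, and it treats the `int32` batch fields as signed, which is what makes the negative `batch_id` values discussed by dim13 and alexbakker come out as small negative numbers rather than values near 2^32. No protobuf library is needed, because the message only uses wire types 0 (varint) and 2 (length-delimited). The sample payload at the bottom is constructed here for illustration (a hypothetical account and the RFC 4226 test key), not taken from a real export; `decode_migration_uri`, `to_otpauth_uri` and the other names are this example's own.

```python
import base64
import urllib.parse

ALGORITHMS = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}  # enum Algorithm
DIGITS = {1: 6, 2: 8}                                         # enum DigitCount
OTP_TYPES = {1: "hotp", 2: "totp"}                            # enum OtpType
OTP_FIELDS = {1: "secret", 2: "name", 3: "issuer", 4: "algorithm", 5: "digits", 6: "type", 7: "counter"}
TOP_FIELDS = {2: "version", 3: "batch_size", 4: "batch_index", 5: "batch_id"}

def encode_varint(value: int) -> bytes:
    """Base-128 varint. protobuf sign-extends a negative int32 to 64 bits,
    which is why a negative batch_id takes 10 bytes on the wire."""
    value &= (1 << 64) - 1
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def read_varint(buf: bytes, pos: int):
    """Return (value, next_pos); rejects truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def parse_fields(buf: bytes):
    """Yield (field_number, value) for wire types 0 and 2, the only ones MigrationPayload uses."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
            if pos > len(buf):
                raise ValueError("truncated length-delimited field")
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        yield number, value

def as_int32(value: int) -> int:
    """Signed int32 reading of a varint (value & 0xFFFFFFFF would be the uint32 reading)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def decode_otp_parameters(buf: bytes) -> dict:
    params = dict(secret=b"", name="", issuer="", algorithm=0, digits=0, type=0, counter=0)
    for number, value in parse_fields(buf):
        if number in (2, 3):                  # name and issuer are UTF-8 strings
            value = value.decode("utf-8")
        if number in OTP_FIELDS:              # unknown field numbers are skipped
            params[OTP_FIELDS[number]] = value
    return params

def decode_migration_uri(uri: str) -> dict:
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "otpauth-migration" or parsed.netloc != "offline":
        raise ValueError("not an otpauth-migration://offline URI")
    # parse_qs undoes the %2B/%2F/%3D escaping; an unescaped '+' would become a space
    data = urllib.parse.parse_qs(parsed.query)["data"][0].replace(" ", "+")
    payload = dict(otp_parameters=[], version=0, batch_size=0, batch_index=0, batch_id=0)
    for number, value in parse_fields(base64.b64decode(data)):
        if number == 1:
            payload["otp_parameters"].append(decode_otp_parameters(value))
        elif number in TOP_FIELDS:
            payload[TOP_FIELDS[number]] = as_int32(value)
    return payload

def to_otpauth_uri(p: dict) -> str:
    """Render one OtpParameters entry as an otpauth:// key URI."""
    otp_type = OTP_TYPES.get(p["type"], "totp")
    label = f"{p['issuer']}:{p['name']}" if p["issuer"] else p["name"]
    query = {"secret": base64.b32encode(p["secret"]).decode().rstrip("="),
             "issuer": p["issuer"], "algorithm": ALGORITHMS.get(p["algorithm"]),
             "digits": DIGITS.get(p["digits"]),
             "counter": p["counter"] if otp_type == "hotp" else None}
    query = {k: v for k, v in query.items() if v not in ("", None)}
    return (f"otpauth://{otp_type}/{urllib.parse.quote(label, safe=':@')}"
            f"?{urllib.parse.urlencode(query)}")

# Constructed sample: hypothetical account, RFC 4226 test key, negative batch_id as seen in the thread.
def _field(number: int, value) -> bytes:
    if isinstance(value, int):
        return encode_varint(number << 3) + encode_varint(value)
    return encode_varint(number << 3 | 2) + encode_varint(len(value)) + value
SAMPLE_SECRET = b"12345678901234567890"
_entry = (_field(1, SAMPLE_SECRET) + _field(2, b"alice@example.com")
          + _field(3, b"Example") + _field(4, 1) + _field(5, 1) + _field(6, 2))
_payload = _field(1, _entry) + _field(2, 1) + _field(3, 1) + _field(5, -1234)
SAMPLE_URI = ("otpauth-migration://offline?data="
              + urllib.parse.quote(base64.b64encode(_payload).decode(), safe=""))
```

Calling `decode_migration_uri(SAMPLE_URI)` returns `batch_id == -1234`, and `to_otpauth_uri` on the single entry yields `otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=6`. Reading the same varint as `uint32` instead would give 4294966062, which is the kind of value that prompted the signed/unsigned question; `encode_varint(-1234)` is 10 bytes long, so a decoder that caps varints at 5 bytes for `int32` fields will reject real exports with negative batch ids. Secrets in the decoded output are the raw OTP keys, so treat anything this prints as you would the QR code itself.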