Motivation:
I do not actively use gpg on my phone but would like to use it to encrypt backups.
I have OpenKeychain installed and my personal public key imported, but I keep no private gpg key on the phone.
This should be sufficient to encrypt the backup, I am aware that I could not re-import the backup like that.

Setup:

• andOTP and OpenKeychain installed
• Setup up accounts in andOTP
• Empty keychain in OpenKeychain
• Import just a gpg public key in OpenKeychain (still no entry in "My Keys")
• Set OpenKeychain as gpg provider in andOTP
• Try to select the imported gpg key for encryption

Result:

• The imported gpg key can not be selected to be used for encryption

Expected:

• I can use a gpg key without a private key on the android device to encrypt my backups

If the font size of entry labels could be adjustable then the whole entry would be readable.

I just tried to add 3 times the same account (label, issuer and key always the same) and I ended up having 3 identical entries.
IMO, this shouldn't be allowed. What should be allowed instead is having same label & issuer but different key.

Would be really nice for getting automatic updates without relying on Google Play.

https://f-droid.org/

Dear all,

my system:

• Motorola Moto G3 https://en.wikipedia.org/wiki/Moto_G_(3rd_generation)
• LineageOS as a replacement for stock Android https://download.lineageos.org/osprey
• andOTP 0.2.6 https://f-droid.org/packages/org.shadowice.flocke.andotp/
• before: lineage-14.1-20170914-nightly-osprey-signed.zip 2017-09-14 18:38:33
• after: lineage-14.1-20170921-nightly-osprey-signed.zip 2017-09-21 12:23:08
• no such thing like root/SuperUser/SU

issue:

• after update of LineageOS all tokens are lost within andOTP (as seen in GUI)
• I do have a backup otp_accounts.json.aes
• but when trying to import: no question for password
• tokens not restored (as seen in GUI)

maybe similar issue:

• #16

actions taken so far:

• actually none
• waiting for questions

Thank you for any help!

Kind regards,

Gunner

Hi!
I have more than 20 OTPs, and it's really hard sometimes to search required one.
What if OTPs could be grouped by tab?
I.e. mail tab: and all OTPs for all mails, then work tab: and all OTPs for work.
Thank you.

Using OpenKeychain with a security token ends up in an infinite loop.

OpenKeychain prompt says it has finished succesfully and then then it asks again to put the token near the device.
Using another key that doesn't require security token works as expected.

Tested on 0.2.3(F-Droid) and 0.2.4(Google Play)

Thank you for keeping this awesome project alive 😄

I backed up the encypted JSON.

When backed up, it shows, 'Import from external storage sucessful', but with no output.

Log: https://pastebin.com/xLEjXdrM

Help wanted: Please see the first comment and tell me your opinion.

While swiping is quite useful in applications like emails it may not be so much of a daily use in an application like andOTP that deals with pretty static entries. I mean have cliking on the three dots to remove an entry is enough.
I find the swipe quite dangerous since it doesn't remind the name of the entry to be removed in the confirmation pop-up. It would be nice to have an option to completely disable such swiping feature and avoid unexpected removal.

General information

• App version: 0.2.7
• App source: Google Play
• Android Version: 5.0.2

Expected result

I expect that after I click Backup (both plain text and OpenPGP) app will create file somewhere and tell me where is that file.

Instead "Turn on Documents in Settings > Installed apps first" popup appears.
I don't have such option in settings, all permissions are turned on.

Logcat

I tried to get log specific to this app using following command adb -d logcat 'org.shadowice.flocke.andotp:E' but it was massive spam. I'm not Android dev, I'd be grateful for hints how to get useful logs. Anyway here is raw logcat dump I created following linked instruction: Gist

Steps to reproduce

• click Backup > Backup (plain text) or Backup (OpenPGP)

• Authentication passwords
• Backup password

This is just a reminder for myself to implement some kind of encrypted/hashed storage for the authentication passwords (password and PIN) and the backup password.

Until now both are stored in plain-text which is not really secure at all.

For the authentication it should be sufficient to simply store the credentials hashed.

For the backup password this is not really an options since the hash of the password is used to generate the key, so knowing the hash would allow someone to decrypt the backups. The simplest solution would be to don't store the backup password at all and ask every time a backup is created or imported. This on the other hand would break support for automated encrypted backups since it would require user-interaction.

Help wanted: I would like to hear some opinions of the users what would be their preferred solution to storing the backup password.

General information

• App version: 0.2.7
• App source: F-Droid
• Android Version: 7.1.2 (LineageOS 14.1)

I was migrating from Google Autenticator, so I've copied its sqlite database from /data/data/** and created otp_accounts.json file in the format andOTP expects. However, only those secrets that were in uppercase generated the same codes as Google Authenticator, those that were lowercase generated wrong codes. As soon as I've converted all lowercase secrets to uppercase, they've all started to generate correct codes.

Following generates wrong codes:

{"secret":"xyz","label":"[email protected]","period":30,"digits":6,"type":"TOTP","algorithm":"SHA1"}

Following generates correct codes:

{"secret":"XYZ","label":"[email protected]","period":30,"digits":6,"type":"TOTP","algorithm":"SHA1"}

I haven't read the spec whether these codes should always be uppercase, but looks like they should.

I think this is something that can/should be fixed (converted to uppercase on backup restoration), but feel free to close this if it is not relevant.

In short

• Change PanicKit wipe data response to opt-in rather than always-on
  • Recommended by Guardian Project's design patterns
  • Avoids unexpectedly losing tokens if using an 'anxious trigger' instead of panic
  • Allows choosing to keep OTP while using a panic trigger for other apps
  • Requires a new settings activity, possibly modeled after Zom with multiple destructive responses and a default lock response

This would build upon the excellent work in pull request #27.

Standard template

General information

• App version: 0.2.6
• App source: GitHub
• Android Version: N/A

Expected result

What is expected?
On triggering the Panic button, nothing happens by default.

The panic settings must be manually configured to enable wiping OTP data.

What does happen instead?

On triggering the Panic button, OTP data is wiped without any opt-out.

Logcat

[Not recorded, but if needed I can set up the Android emulator to test this]

Steps to reproduce

• Install and set up andOTP
• Install some form of panic-button app, e.g. Ripple
• Check the panic app configuration for an Edit option
• Try triggering a panic

On the latest 0.2.7 version from F-Droid having both an authentication method enabled combined with the "Reset app settings" panic trigger, results in bypassing the password/pin prompt after triggering a panic.

Steps to reproduce

• Install app
• Set 'Authentication' to "Device credentials" (or any other)
• Set 'Panic Trigger' to "Reset app settings"
• Add some tokens
• Exit app
• Open app to confirm that its locked and exit again
• Open panic app (eg. Ripple) and trigger a panic
• Open andOTP
• See keys without having to enter password/pin

Ways to fix

• clear() needs to be amended to not reset the settings for Authentication
• or simply remove the "Reset app settings choice", although "Wipe all accounts" is pretty aggressive, simply locking the app should be the default

Check if all requirements are fulfilled otherwise the issue will be closed without any comment

• Add details to fields below
• Use search. Check if the issue is already reported before creating a new one.
  https://github.com/flocke/andOTP/issues
• Try again after clearing the apps data before posting
• Record a logcat: https://goo.gl/mc71vk
• Bug reports without logcat will be closed (I can not reproduce every bug myself and I can not fix them without logs)
• Delete this info block

General information

• **App version: 0.2.8
• **App source: F-Droid
• **Android Version: 6.0.1

Expected result

What is expected?
Want to create a backup of my accounts

What does happen instead?
App crashed with: unfortunately app has stopped

Logcat

Log-Bericht - build.board: MSM8974
build.bootloader: s1
build.brand: Sony
build.cpu_abi: armeabi-v7a
build.cpu_abi2: armeabi
build.device: D5803
build.display: 23.5.A.1.291
build.fingerprint: Sony/D5803/D5803:6.0.1/23.5.A.1.291/2769308465:user/release-keys
build.hardware: qcom
build.host: BuildHost
build.id: 23.5.A.1.291
build.manufacturer: Sony
build.model: D5803
build.product: D5803
build.radio: unknown
build.serial: YT9112LXDF
build.tags: release-keys
build.time: 1467083751000
build.type: user
build.user: BuildUser
version.codename: REL
version.incremental: 2769308465
version.release: 6.0.1
version.sdk_int: 23

11-09 08:25:30.740 I/Timeline(1816): Timeline: Activity_windows_visible id: ActivityRecord{832061f u0 org.shadowice.flocke.andotp/.Activities.MainActivity t12129} time:22655894
11-09 08:25:32.716 I/Timeline(10601): Timeline: Activity_launch_request id:org.shadowice.flocke.andotp time:22657871
11-09 08:25:32.717 I/ActivityManager(1816): START u0 {cmp=org.shadowice.flocke.andotp/.Activities.BackupActivity} from uid 10440 on display 0
11-09 08:25:33.198 I/ActivityManager(1816): Displayed org.shadowice.flocke.andotp/.Activities.BackupActivity: +436ms
11-09 08:25:33.211 I/Timeline(1816): Timeline: Activity_windows_visible id: ActivityRecord{d265ec3 u0 org.shadowice.flocke.andotp/.Activities.BackupActivity t12129} time:22658365
11-09 08:25:35.663 E/AndroidRuntime(10601): Process: org.shadowice.flocke.andotp, PID: 10601
11-09 08:25:35.663 E/AndroidRuntime(10601): 	at org.shadowice.flocke.andotp.Activities.BackupActivity.showSaveFileSelector(BackupActivity.java:329)
11-09 08:25:35.663 E/AndroidRuntime(10601): 	at org.shadowice.flocke.andotp.Activities.BackupActivity.saveFileWithPermissions(BackupActivity.java:354)
11-09 08:25:35.663 E/AndroidRuntime(10601): 	at org.shadowice.flocke.andotp.Activities.BackupActivity.access$200(BackupActivity.java:65)
11-09 08:25:35.663 E/AndroidRuntime(10601): 	at org.shadowice.flocke.andotp.Activities.BackupActivity$8.onClick(BackupActivity.java:402)
11-09 08:25:35.665 D/ActivityManager(1816): New dropbox entry: org.shadowice.flocke.andotp, data_app_crash, a4e35840-9a39-485a-b09c-f603c346cd07
11-09 08:25:35.666 W/ActivityManager(1816):   Force finishing activity org.shadowice.flocke.andotp/.Activities.BackupActivity
11-09 08:25:36.172 W/ActivityManager(1816): Activity pause timeout for ActivityRecord{d265ec3 u0 org.shadowice.flocke.andotp/.Activities.BackupActivity t12129 f}
11-09 08:25:39.446 I/WindowState(1816): WIN DEATH: Window{36d2496 u0 org.shadowice.flocke.andotp/org.shadowice.flocke.andotp.Activities.BackupActivity}
11-09 08:25:39.450 I/WindowState(1816): WIN DEATH: Window{8c306e u0 org.shadowice.flocke.andotp/org.shadowice.flocke.andotp.Activities.BackupActivity}
11-09 08:25:39.453 W/InputDispatcher(1816): channel 'f84af0a org.shadowice.flocke.andotp/org.shadowice.flocke.andotp.Activities.MainActivity (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
11-09 08:25:39.453 I/Windo

Steps to reproduce

• everytime I want to backup data, no matter if with or without encryption.

Support HOTP tokens in addition to TOTP

On my device there is no scroll bar on the backup page. So I'm not able to see all options.
LineageOS 14.1 (Android 7.1.2)

Having only one field to enter a password without a button to reveal it is not safe. You could also implement 2 password boxes where the user has to enter the same password twice which IMO is the best way.

We can all make mistakes typing and this is a must have feature!

Currently we need to click the clipboard icon to copy the Token. For easy copying Clicking on the entry to copy is good. Like freeOTP app

When the label of an entry is long enough, it will be displayed behind the "copy" and "menu" buttons.

General information

• App version: 0.2.5
• App source: F-Droid
• Android Version: Android O 8.0

Expected result

OTP list remains empty after restoring the app from a TitaniumBackup or restoring a previous backup using the built-in backup feature. When restoring a JSON backup, app states that import has been successfull. Tried to clear cache as well but that didn't help.

In order to quickly select the right entry or simply view the associated OTP in a faster way it would be nice to have a user selectable little icon/picture for each line.

How can I import my codes from FreeOTP? They are stored in a xml file, entries look like this:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="example@example:Example">{&quot;algo&quot;:&quot;SHA1&quot;,&quot;counter&quot;:0,&quot;digits&quot;:6,&quot;issuerExt&quot;:&quot;example@example&quot;,&quot;label&quot;:&quot;Example&quot;,&quot;period&quot;:30,&quot;secret&quot;:[98,-92,-87,46,76,-1,117],&quot;type&quot;:&quot;TOTP&quot;}</string>
    <string name="tokenOrder">[&quot;example@example:Example&quot;]</string>
</map>

Help wanted: Please head down to the poll and vote for a name for the andOTP launcher icon

Android 7.1.1
andOTP 0.22

Steps to reproduce

1. Install app from F-droid

Actual result

App name is 'OTP Authenticator' in app drawer/Android Home, and in the main screen of the app. App is named 'andOTP' accurately in the about section of the app and in Settings>Apps

Expected result

App name should be 'andOTP' in every instance

General information

• App version: 0.2.7
• App source: F-Droid
• Android Version: 7.1.2 LineageOS (no GAPPS)

Currently we have 2 backup options, plain text JSON backup and encrypted OpenPGP backup.

Plain text is not safe and OpenPGP is safe.

The problem is not everyone is using OpenPGP and some are not interested in using OpenPGP and the remaining others dont know how to use OpenPGP.

For me i dont know how to use OpenPGP and i dont like to use it.

My idea is to add a master password option to the app and encrypt the backup using that master password (like password manager apps are doing)

This help the people who are not using OpenPGP.

Current issues :

1. Already password/lock option is available.

Solution : For this implimentation we need to remove the current lock method we are using in the app (using the device default lock method )

2. Hard to type password everytime to open app.

Solution : We can add a PIN option to easily unlock app. (like password managers)

Hi,

first of all: great app! Thank you very much.

But I'm having trouble importing a backup. I keep getting the following message:
"Import vom externen Speicher fehlgeschlagen"

I really love dark themes and enable them on every app that offers them. Right now I'm using Google Authenticator for its dark theme but I much prefer this app because it lets you backup your keys in a simple JSON or encrypted format.

I know there is already an automatic backup ticket but this request is a bit broader.

I use Syncthing to synchronise files in a decentralised manner across devices. It would be great if andOTP would automatically read from and write to the unencrypted / encrypted backup file, so that it can be then picked up by Syncthing (pure file based synchronisation) and sent to other devices, to for example another Android device with andOTP, which can then automatically synchronise any new changes.

andOTP Device #1 <-> entries.json.aes <-> Syncthing <-> entries.json.aes <-> andOTP Device #2

Hi!

I fixed a lot of mistakes in the French translation, and discovered a few display bugs:

Screenshots are blocked by the app for the screen were translation 3 appears, but here is a screenshot where you can see translations 1 and 2:

Let me know if I can do something more!

I would like it to re-lock and request device credentials again:

• Immediately after the screen has been locked
• After a certain time of non-usage (e.g. 60 seconds)
• Maybe: when exited through the back button

If this is not too difficult and time consuming, please add the ability to switch languages in the application. Sometimes it is more convenient for people to use the application in the original language, and OS in their native language. In addition, it will be useful for translators (an example for me, yes) — it is more convenient to check the translation.

Hello,
I'm implementing a GTK+ OTP client for GNU/Linux and I would like to add support to import andOTP encrypted backup files.
Looking into the source code, I saw that you are using AES128 GCM with a 12 bytes IV.
So the final encrypted file struct is IV+ENC_TEXT+TAG, right? And what about the key? It seems that it is not entirely user provided, so things here are getting complicated. Or am I missing something?

Thanks :)

Just a little improvement - When tapping on entries while "tap to reveal" is enabled, show the OTP when tapping anywhere on the entry, not just the title.

andOTP uses the default token length 6 for new tokens.

Please add an option to select another token length (6,7 or 8).

Just migrated from freeOTP to andOTP. I like the support for fingerprint authentication and also import/export functions.
I have quite a number of entries in my list and would find very usefully to have an option to sort the entries based upon the label.

Is there a way to import the Google authenticator data?

Password-based encryption:

This issue is the result of an upstream bug in certain custom ROMs. Since version 0.4.0 everyone facing this problem can switch the database encryption to the new password-based encryption in the Settings, which SHOULD solve it.

Help wanted:

Could everyone facing this problem please tell me those things:

• Model of your phone
• Which ROM are you using (exact version please)
• Which Gapps are you using (as well with the exact version)
• Which method are you using to lock your phone (PIN, Pattern, Swipe, Facelock, Fingerprint, ...)

You can add those information directly to the wiki or post them here.

Original issue

Since the last update all my tokens are gone if i restart the app (or even if it it just moved to the background).

Steps to reproduce

1.) add new token via QR-Code scan -> token is listed in the app
2.) go to homescreen
3.) switch to app again

Expected Behaviour

added token is still there

Actual Behaviour

no token listed

App Version: 0.2.3 (Play Store)
Android Version: 5.0
Device: BQ Aquaris E4.5

I suggest to include the option to define an individual password/PIN to protect the app. Currently, (v0.2.4 F-Droid) only the phone credentials can be used.

I can not select a OpenPGP key from OpenKeychain (all version app from F-droid)
Meizu Pro5, Android 5.1 stock
Also in OpenKeychain is no andOTP in the list of applications
But everything is good on BQ Aquaris M10 FHD with Android 5.1 stock

Hi,
seems there´s a hardcoded hash algorithm (sha1).
in redhats FreeOTP (also on F-Droid) for example you can choose between md5, sha1, sha256, sha512.

I´m trying to avoid changing the algorithm on our companys OTP server :)

a black theme would make the app perfect for me (and my OnePlus 3 with an OLED screen)
thanks

Maybe useful to you or other users:
https://github.com/asmw/andOTP-decrypt

I guess this could also be extended to create valid import files.

TODO before release v0.2.9:

• Add option to scroll the label if truncated
• Adaptive icon (WIP, see #65)

Hi,

The Steam Mobile Authenticator uses standard TOTP passwords, but differs in that it generates a 5 character string. Is this something that could be implemented in andOTP?

For reference WinAuth has this implemented here, see this for a short write up about it. The KeeTrayTOTP plugin for KeePass2 has a somewhat more concise implementation here.

Would be convenient with one less authenticator app on ones phone :)

Version: 0.2.2

Steps to Reproduce:

1. In Settings, check "Require device credentials"

2. Swipe the app off the overview screen, so you start from a clean slate

3. Restart the app from the home screen, and authenticate against the device

4. Rotate the screen

Expected Results: Nothing out of the ordinary

Actual Results: You have to authenticate again

Right now, you execute these lines for every onCreate() of MainActivity. Hence, on a configuration change, we have to re-authenticate, which IMHO is aggravating.

Some options for addressing this:

• Only execute that code if savedInstanceState is null. This requires re-authentication after the task expires (~30 minutes or until manually removed from the overview screen).

• Use onRetainNonConfigurationInstance, the Architecture Components' ViewModel stuff, or a retained fragment to retain your view model (entries data, a have-we-authenticated boolean, etc.) across configuration changes, retrieving it in onCreate() via getLastNonConfigurationInstance(), and only re-authenticate if we need to load the data again

• Block configuration changes in the manifest via android:configChanges on the <activity> element. Personally, I don't recommend this option.

• Say that this behavior is working as intended. :-)

I have over 15 entries in the app, however I can't edit the last one since the + button is in the way.

Simplest solution should be to hide the button when scrolling down or when scrolled to the bottom.

Add a switch to disable replacing all current entries when importing a backup and append them instead.

Option to schedule backup daily/every 2 days/weekly/monthly similar will be a good idea