I made this app.
A small OTP authentication app. The OTP authentication app makes use of the new feature in Marshmallow to allow an app to check if a specific keypair is generated inside Secure Hardware, to make it impossible to copy or extract the private key material. This makes the app an extremely secure authentication app.
Note that if your device for some reason fails to create the key inside Secure Hardware, the app will refuse to use the key. On some phones, the secure storage may need to be initialized by setting a secure lockscreen, then enrolling using the app, and then clearing the secure lockscreen.
Enroll code to enroll and put public key into clipboard:
[QRCODE]qrsa://e[/QRCODE]
Your website simply encrypts a one-time password, using the enrolled public key for a specific user, encodes this encrypted RSA2048 message as URLSafe Base64, then creates a qrsa:// URL with this information embedded. The end user (having this app installed) simply scans the QR code or clicks a link on the website and gets the OTP on screen or in the clipboard, depending on whether the website was accessed on a mobile browser via the link or via QR code.
Note that the app CANNOT be launched manually and thus has no "Open" button inside the Play Store; it will automatically trigger when visiting any URL with the scheme qrsa://
GitHub page: https://github.com/sebastiannielsen/QRSA
(Does contain example code for the webservice as well)
Google Play page:
https://play.google.com/store/apps/details?id=eu.sebbe.www.qrsa
What do you think? Any thoughts?
Anything I can do better?
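The hardware-backing check described in the post above, as an added example that is not part of the original post and is not QRSA's own code. It uses the Android 6.0 (API 23) Keystore APIs; the class name, the key alias and the PKCS#1 padding choice are assumptions made for illustration.

```java
// Added example (not QRSA's code): generate an RSA-2048 key in the Android
// Keystore and refuse to enroll unless the private key is hardware-backed.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;

public final class HardwareKeyEnroller {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "otp_demo_key"; // hypothetical alias

    /** Returns the public key to hand to the website, or throws if the key is software-only. */
    public static PublicKey enroll() throws GeneralSecurityException, IOException {
        KeyPairGenerator gen =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, KEYSTORE);
        // Decrypt-only key: the website encrypts the OTP, the device decrypts it.
        gen.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_DECRYPT)
                .setKeySize(2048)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1) // assumed padding
                .build());
        KeyPair pair = gen.generateKeyPair();

        // Ask the Keystore where the private key actually lives.
        KeyFactory factory = KeyFactory.getInstance(pair.getPrivate().getAlgorithm(), KEYSTORE);
        KeyInfo info = factory.getKeySpec(pair.getPrivate(), KeyInfo.class);

        if (!info.isInsideSecureHardware()) {
            // Software-only key: delete it so it can never be used, then fail enrollment.
            KeyStore ks = KeyStore.getInstance(KEYSTORE);
            ks.load(null);
            ks.deleteEntry(ALIAS);
            throw new GeneralSecurityException("Key is not hardware-backed; refusing to enroll");
        }
        return pair.getPublic();
    }
}
```

Only the public key leaves the Keystore; the private key is referenced by alias and never exported to the app process.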
Related
Hi all, I have just released my first App onto the Android Market so I thought I would post about it on here.
It is a simple lightweight App which allows you to store your login information for different websites that you use. The app will also allow you to quickly copy and paste the information into the fields on the website.
All the passwords are encrypted and stored into Android's built in database. When you want to login to a website you can then load the website from the App, which will automatically copy the username allowing you to paste it into the field on the website. Also, when you load the website from the App it will create a notification which, when clicked, copies the password for the website you selected allowing you to paste it into the password field. This provides a simple and quick solution to logging in and it also means that people who are standing around you cannot see you enter your password.
The app can be found on the market by searching for Boardies Password Manager. There are two versions, a free version which is ad supported and a donate version which has the ads removed.
I hope you find this app useful and would like to hear your comments.
Great concept. Though, is there a way to do this without requiring the Full Internet Access permission? Knowing that it requires this is what is preventing me from giving it a shot on my own device.
Hi, thanks for your comment. The Full Internet Access is only there to allow you to send bug reports from the settings page and to allow the Adverts. I promise you no personal information is sent over the Internet.
Sorry if you sent the reply a while ago, I thought I would receive an email to inform me about a reply.
I have uploaded my first app on to the Android Market and haven't had too much interest so far on XDA so I thought I would post a little bit more information about the app.
This is a simple and lightweight app that allows you to securely store and easily login to different websites on your phone.
Do you have all your passwords saved into your device's web browser, meaning that anyone who has access to your phone can log on to the websites that you've accessed? Do you regularly wipe your phone for whatever reason and get annoyed at having to keep typing in your username and password? Then this might be the app for you.
The app will store all the login information that you enter into the app, which includes the company name, the web address, username and the password. Each login is listed on the front screen. If you click on the stored login it will load the website and copy the username to the clipboard allowing you to paste into the username field. Also, when you launch the website from the app it will also create a notification. Once you have copied the username you can then click on the notification to copy the password. This way you do not need to switch to and from the app and the browser to copy the login information. Once you have launched the website, the copying of the username and the password is done while the app is running in the background.
All passwords that are stored within the device are encrypted using the AES encryption algorithm to ensure your data is safe.
To protect others from accessing the app you can enable a password that needs to be entered before getting access to the app. Also, for added protection you can enable a feature that will automatically reset the app back to first use if the password gets entered incorrectly 3 times.
The app enables you to back up and restore your stored logins to a file on the SD card of your device. Should you need to wipe your phone, or if you get a new device and want to restore the logins onto your new device you can use the file that was generated from the backup in order to restore your data.
Although the App has Internet Access this is only there to enable you to submit bug reports from inside the settings menu and to enable adverts to support the app development. I promise you, no personal information that you store inside the app is sent over the internet.
The App can be found on the Android Market. There are two versions, one which is a free ad supported version and a donate version which is identical to the free version but doesn't show ads. Please search for Boardies Password Manager.
Thanks
A new update has been released today in order to enable support for Android 2.1 and up. Tests have also been made to ensure that the app works correctly on Honeycomb.
A simple password (and other secret stuff) manager app, with full material UI.
The app requires no permissions
Features
All the data is encrypted using a master password with AES-256 algorithm
Three types of login method supported (pattern, pin & password)
Data is synced using Google Drive
Supports creating multiple categories for organizing entries
Integrated one-time password (OTP) generator
For beta testing join https://plus.google.com/communities/113518654350315614230
App released
The app is not publicly released.
With an additional feature to store the Safe locally or any available SAF providers
https://play.google.com/store/apps/details?id=com.painless.safe&hl=en
At last, Mailinator is now on Android.
Some of you may have noticed that there is no good way to access Mailinator on your android phones. This is no longer the case, with my first ever app: Mailinator Fetcher.
Mailinator is a free service that allows for creation of any email address. You don't even have to create it: the address is created when the server receives a message addressed to it.
Inboxes can be saved to a favourites list that is displayed on the home page.
A non-mobile friendly interface is only required for use once to retrieve an API token to then enter into the app's settings menu.
DISCLAIMER: I am in no way associated with Mailinator or their service. I am simply somebody who wanted an app for this, but couldn't find one.
Great stuff!
Android (I'm specifically on Android L 5.0.2, CM12S, but I think this would apply mostly from ICS onwards) offers a KeyChain in which a user may store a Certificate.
When an app wants to use a certificate from the KeyChain, it calls an API to pop up a list of the stored certs and asks the user to choose one.
Maybe I'm just being blind (I hope so!) but I don't see any way to require a PIN/password prompt, specific to each stored certificate, before the user/app may make use of any cert in the KeyChain. In effect, it seems that "access to the phone" = "ability to sign with any cert stored in the phone's KeyChain".
On Windows (desktop), for example, each individual certificate may be locked with a certificate-specific password, to prevent someone with access to the user's session from being able to sign with a stored certificate; the attacker would also need the certificate-specific password/PIN of that certificate before the Windows CryptoAPI could access the cert's private key.
How do I set up Android KitKat and Lollipop's KeyChain to have a certificate-specific password or PIN which must be entered on each use of a particular certificate?
thank you,