Sponsored Links

Running Android app on a PC

date and time are set automatically, however there does appear to be 1 or 2 seconds discrepency between the bluestacks emulator and my phone. I don't see an option to configure NTP from android. But I have to different windows PCs running bluestacks and both produce identical codes (because they are a clone of each other) but on the phone scanning the same QR code again, it's generating different codes.

I'm not sure how i can get it to exactly sync the same time on both phone and emulator.
You only need to bring the emulator to the correct time. Assuming it looks like an Android, do you have anything in Settings/Time or Settings/System/Date&Time? Something like "set time automatically"?
 
I'd still look at oathtool at least for some of these. Just read the qrcode, get the string then use it, you could even "cgi" it, make it available over the web (horrible security advice :D, might be ok behind VPN)

Selection_446.jpg
 
Thanks @Lucian will give that a try.
On another note I managed to sync the android with NTP using adb command

Code:
adb shell settings put global ntp_server time.windows.com

but it still generates different codes to the emulator.
 
decoding the QR code its

otpaut://totp/<MYUSERID>%40<DOMAIN OF MY COMPANY>?secret=<REDACTED>&display=<MYUSERID>&Secenrol=<URL OF COMPANY AD SERVER>

I don't think im going to be able to manage this one. Probably should just live with the emulator, at least I can RDP to that and carry it with me as a VM (It's running inside a windows VM on proxmox at the moment)
 
oathtool gives different codes too :(
time on the linux box is identical to the emulator time, down to the second. produces different codes. waah.
 
I have scanned every OTP that I have both on my iPad and my iPhone Google Authenticator App and I never ever had an issue with numbers not matching. I have OTP enabled where it is supported by the website/service. The time of the scan is irrelevant, since the token is generated based on the time of the device. The server allows for some minor deviations but in general the device has to have an accurate date/time.
 
Sponsored Links
I have scanned every OTP that I have both on my iPad and my iPhone Google Authenticator App and I never ever had an issue with numbers not matching. I have OTP enabled where it is supported by the website/service. The time of the scan is irrelevant, since the token is generated based on the time of the device. The server allows for some minor deviations but in general the device has to have an accurate date/time.
I agree, and for ones i've used microsoft or google authenticator for that works just fine. But I've ensured that the time on the phone matches the time in the emulator, and they produce different codes. I've tried the linux oauthtool as well and it too has different codes. I'm not sure why this doesn't work for me. I have 100% got the date and time correct, and scanned the exact same QR code as I screenshotted it before I used it. So I'm not sure why this doesn't work. I can only imagine that this particular app is doing something more than "just" time based. Like perhaps it uses a salt based on the device keys ? I can find nothing online about anyone having this issue or any documentation on it.

Our own IT department told me it's "not possible" to have this on two devices simultaneously. I tried with my tablet too, installed the app, scanned the QR code, again different codes are generated. Different from both the phone and the emulator codes. Which leads me to believe there's something more going on than just time based. In this instance, with this software (SecurEnvoy authenticator)
 
several hours later, rooted my old pixel4a, restored the app from an oandbackup restore.

loaded the app. no account setup.
decided F-it, re-scan the QR code.
surprise surprise, synced codes the same as the emulator.

I can only do this with the rooted pixel4a though. I tried re-installing the authenticator on my 6a, re-scanning the QR code .. nope, not synced , different codes. So my guess is that when you install the app, it installs *something* in the app data folder (but not your account?!) and then if you restore that, it works.

I think i'll have to root my pixel6a now that I've got this far.

rC5aynM.jpg


success. I am happy now. I have a mobile device with working codes, and a backup on my desktop and another backup on a VM. I would still rather not carry two phones around though, so I'm going to have to think hard about if I want to root my daily driver (the pixel6a), I'm not sure about all my bank apps working.
 
@dabigm hope you use Magisk for root, you can then "hide" it from banking apps from its settings ("denylist"). Works for me for the few apps I needed.
 

Attachments

  • Image3277440104814924853.webp
    Image3277440104814924853.webp
    30.1 KB · Views: 41
@dabigm hope you use Magisk for root, you can then "hide" it from banking apps from its settings ("denylist"). Works for me for the few apps I needed.
I wasn't using the pixel4a at all, so I didn't mind rooting it. It's been sat in a drawer for almost 2 years. I'm reluctant to root my regular 6a because while magisk can fix a lot of the problems, a new update comes along and ruins them and I got tired of playing the cat and mouse game with google. I still might do it, but on a few of the apps it's going to take a call to the bank to disable the old digital keys and enable new ones. Pain..
 
Yeah, you need to be persistent.. It can get tiresome.
 
Sponsored Links
This thread seems like a nice project but I think many people will be thinking that the point of 2FA is that someone must also steal the mobile to authenticate on the PC.

If the VM is on the same PC, we're no longer using 2FA but do have security through obfuscation which is only pierced by posting on a public forum what obfuscation has been done. 🤗

The pivot away from the original plan seems sensible.
 
This thread seems like a nice project but I think many people will be thinking that the point of 2FA is that someone must also steal the mobile to authenticate on the PC.

If the VM is on the same PC, we're no longer using 2FA but do have security through obfuscation which is only pierced by posting on a public forum what obfuscation has been done. 🤗

The pivot away from the original plan seems sensible.
Yeah true. But it's not on the same PC (although I did experiment with Android studio on the same laptop and got that to work too). So right now I can either VPN home, then RDP to a windows VM and get the 2FA code , or use my spare rooted mobile.

It also requires a password to log in with which is only in my head. So an attacker would have to compromise my home network which has nothing open to the world except wireguard, and have my laptop, the password to the laptop, and my password to work VPN.

Chances are though, if I get mugged or something they're going to get both my laptop and my phone. Although both are protected.
 
Top
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £24.00 - 26.00
150Mbps
Gift: None
NOW UK ISP Logo
NOW £24.00
100Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £25.99
145Mbps
Gift: £50 Reward Card
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Youfibre UK ISP Logo
Youfibre £23.99
150Mbps
Gift: None
Large Availability | View All
Sponsored Links
The Top 15 Category Tags
  1. FTTP (6026)
  2. BT (3639)
  3. Politics (2721)
  4. Business (2439)
  5. Openreach (2405)
  6. Building Digital UK (2330)
  7. Mobile Broadband (2146)
  8. FTTC (2083)
  9. Statistics (1901)
  10. 4G (1816)
  11. Virgin Media (1764)
  12. Ofcom Regulation (1582)
  13. Fibre Optic (1467)
  14. Wireless Internet (1462)
  15. 5G (1407)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules