raivo-otp / ios-application
A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!
Home Page: https://raivo-otp.com
License: Other
Describe the bug
Description says 'Optional FaceID or TouchID unlock'. However, on iPhone XS the only option I have is to enable TouchID. Selecting this option asks for the iPhone PIN with iPhone XS. Deselecting does not provide an option for FaceID.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The option for FaceID or TouchID should be relevant to the device which the application is running on. Devices that do not possess TouchID should not have the option, and vice-versa with FaceID.
Smartphone (please complete the following information):
Hi, I tried to send my encrypted database per mail (what is used to send the mail?) and I didn't receive an email even though I sent it out multiple times?
Also what does the second number in grey mean? I assumed it was the next code after the active one but the next code is completely different?
Also I mistyped my pin code once and it told me 5 tries left? Is everything deleted afterwards?
I like the app and switched from Authy for it but i hope the app is secure and sound!
Option to hide/show icons? Thank you.
Love the app just wish there was an option to save the backup files locally to the files app or iCloud rather than exporting by email?
Had a go at trying to copy and save the zip from the generated email but iOS wouldn't permit it :(
For easier import, it would be great if the otpauth:// URL could be supported.
Some other open source iOS 2FA apps do support it:
https://github.com/mattrubin/Authenticator
https://github.com/calleerlandsson/tofu
Hello,
First, thank you very much for your amazing work! Really, thank you for providing open source apps on iOS!
I have a request, can you add in a future update 2 icons ?
Thank you :)
As the title says, apple watch support would be amazing since a lot of iphone users are hooked to the apple ecosystem and use an apple watch as an addition to their phone.
Plus, there is a growing number of people acquiring Apple Watches and the upcoming one is already making a lot of noise because there will be even more health related features packed into it that will make a lot of people to buy one.
Is your feature request related to a problem? Please describe.
Just as the title states, a dark mode! Especially for the OLED iPhones.
https://i.imgur.com/bRjLiXP.jpg
During first startup a "Encryption Password" is asked.
This password is only asked once instead of twice to ensure there are no typos.
Hi,
Thanks for this great app! Would it be possible for native iPad support?
Kind regards
The README.md contains a link to a manual on how to switch from Authy to Raivo. Unfortunately, the solution requires Google Chrome (I don't want to install or use Google software) and the Authy Chrome Extension, which has been EOL for quite some time now.
Therefore, I'd like to ask if there is a different and up-to-date way to migrate from Authy to Raivo. It would be great if that solution would replace the info in README.md.
Is your feature request related to a problem? Please describe.
When switching between apps the list of 2FA codes should not be visible.
Describe the solution you'd like
Similar to all banking apps or password manages, when switching apps the screen should be blanked so that the 2FA codes can’t be seen.
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
I think the guide on how to migrate from Authy to Raivo OTP could be a little bit more extensive to prevent users from becoming frustrated because they can't find some little things. :) Some screenshots could be a nice addition.
I now notice that the guide isn’t mentioned on this Github page or wiki. I think the guide makes it a lot easier to switch to or test Raivo OTP so I would definitely mention it somewhere.
Describe the bug
Was evaluating Raivo OTP. I added a bunch of fake entries, deleted a bunch and later tried an export. The raivo-otp-export.html
seems to have the current list of accounts that I see in the app interface. The raivo-otp-export.json
seems to also include the entries I had deleted.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I am not entirely sure what to expect here, since I am new to this application and evaluating it. Having the deleted entries in the JSON could be potentially useful to people, though it might be more useful if the JSON included a field mentioning that the entry was deleted and when.
I included the contents of the export files here.
Smartphone (please complete the following information):
Conclusion
Anyway I am not sure if this is a bug or what you would want to change here. Just adding this issue since the results were not what I would have expected.
Is your feature request related to a problem? Please describe.
My problem is that I see an option to export the data but I cannot import them (which would come in handy e.g. when migrating to a new phone).
Describe the solution you'd like
An option to import the exported data. Something like "Import OTPs from ZIP archive" or whatever would work.
Describe alternatives you've considered
Using the sync option but I don't want to store sensitive 2FA data in the cloud. Also I don't even know if this feature would solve my problem as I have (obviously) never used it.
Additional context
This feature might also be compatible with other 2FA apps that have an option to import & export 2FA data.
This OTP application is fantastic, clean, and well designed. I would like to take a moment to say thank you for developing this application. One thing that would be extraordinary is if the app had iPadOS and Apple Watch support.
Thank you once again!
Describe the solution you'd like
Please add an Option to Edit/Change Icons after the creation of a new entry.
The Google Authenticator app on iOS and Android provides the option to export the accounts via a QR code. You can export from 1 up to 5 accounts simultaneously. This export method would greatly simplify moving from Google Authenticator to Raivo OTP.
The searchbox at the top is not shown by default, only when I slide the screen or click the search button at the bottom.
Describe the bug
The storage provider page would not finish loading.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The app will finish loading
Smartphone (please complete the following information):
Additional context
Add any other context about the problem here.
The search function is great but I think it would be a nice addition to be able to organize the OTPs. With this option I would prioritize them from most frequently used to least frequently used. For the OTPs that I use less frequently I would use the search function.
An option would be something like this:
Show sync status in settings, such as time, iCloud account, etc.
I use Authy now. Private and business wise.
The two things I like about Authy are:
I like your tool very much, but have to continue using Authy as long as Raivo cannot sync or is on Windows.
Will you make this possible?
Is your feature request related to a problem? Please describe.
Not really an ongoing problem but rather a QoL and a bit of enhanced privacy addition if you will.
This would be an opt-in option so as to not bother other users who may not want to make an extra click/press.
Describe the solution you'd like
So, on the homepage where the tokens are listed, instead of all of them immediately being shown at once, there would be another visual filter that will hide the numbers first unless clicked/tapped/selected. Kinda like this:
After tapping on the account you need, it will then show you your code/s and "highlight" your selection as well.
Describe alternatives you've considered
Unless I was too blind to see these options in the Settings, I apologise.
Additional context
I also use Aegis for my Android devices and this is where I got the idea from. Hope you could look into it since I think it can also help with looking at which token is the correct one easily, particularly on services with multiple accounts listed. Thanks for the awesome work!
Is your feature request related to a problem? Please describe.
I'm always frustrated when I have to tap on the link to use biometric login.
Describe the solution you'd like
There should be an option to use a certain method as default. Specifically, in the settings where TouchID unlock is on, another option appears that says something like "Make default".
Is your feature request related to a problem? Please describe.
Some have multiple iCloud accounts. Since the account email is not shown in the Settings, I have to check if the right iCloud account is synced to.
Describe the solution you'd like
Instead of "Personal iCloud", it should show the email of the iCloud account connected.
Describe alternatives you've considered
Another way is to show the email when "Personal iCloud" is tapped on and allow users to go to the relevant iOS setting page.
PS: I am a UX designer. Please don't hesitate if you need a simple prototype. I can provide them if you provide me access to your design files.
Is your feature request related to a problem? Please describe.
I hope you can add these cloud logo icons, thank you
Describe the solution you'd like
1password's logo
Nutscloud‘s logo
Is your feature request related to a problem? Please describe.
Currently we have 3 backup/sync options:
It would be nice to have an option to backup/restore from a self-hosted server.
Describe the solution you'd like
An option to backup/sync to a self-hosted or other server
Describe alternatives you've considered
Local backup when it is available, but that seems like a manual process to store on a server I control.
Describe the bug
After the update to iOS 13 the app behaves as if it were started for the first time, including loss of all data.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The state before the Update should be shown.
Smartphone (please complete the following information):
If I look at the screenshots, I see synchronization with iCloud. But I can't enable it.
And I don't see an option to enable it.
Any idea?
Font feature, if possible to make the font of the items in smaller sizes.
Describe the bug
If you choose offline during initial setup and then later want to add synchronization you cannot. Maybe this is a design choice but I don't see any documentation so figured I'd bring it up.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The option to add your iCloud for synchronization post setup.
Smartphone (please complete the following information):
Describe the bug
The exported HTML page with OTP secrets is vulnerable to cross-site scripting (XSS). A specially crafted image can be used to execute code and potentially leak other OTP secrets via the export file.
A specially crafted issuer name such as {{secret}} can also be used to inject values in the wrong places. The info leak impact of this is somewhat limited as the available values are those from a single entry. However, by chaining fields, one can cause excessive expansion and memory consumption, similar to the Billion laughs attack. Consider for example issuer {{account}}{{account}}..., account {{secret}}{{secret}}..., and so on, which will result in exponential expansion. This is not exploited below however.
To Reproduce
Steps to reproduce the behavior:
otpauth://totp/xx%3Cscript%3Ealert(/xss/)%3C/script%3E?algorithm=SHA1&digits=6&issuer=%3CI%3Exss%3C/i%3E%7B%7Bdigits%7D%7D&period=30&secret=DUMMY
raivo-otp-export.html file.
Expected behavior
The data should be displayed as-is, with proper HTML escaping if needed.
Inputs should be validated. While the secret field happens to be validated against Base-32 when scanning the QR code, one can still manually enter invalid characters. The above QR code uses DUMMY for this reason; if I manually enter <u>lol{{kind}}</u>°%c1x#x it will result in an invalid URL where the & is not escaped and #... is dropped.
Smartphone (please complete the following information):
Additional context
The HTML representation is insecurely generated. It should not use plain text.replacingOccurrences calls as that results in confusion between parameter placeholders such as {{secret}} in the template, and parameter values such as Evil issuer: {{secret}} in the issuer field.
ios-application/Raivo/Features/DataExportFeature.swift, lines 87 to 92 in 972085e
The secret should be URL encoded just to be sure, or sanitized/validated before use to avoid URL injection:
https://github.com/raivo-otp/ios-application/blob/master/Raivo/Features/DataExportFeature.swift#L120-L123
I would also recommend including <meta name="robots" content="noindex,nofollow">
to prevent well-behaved crawlers from accidentally exposing exported secrets.
And maybe hide the seed and QR code by default and require pressing a button to unhide it. This can be done with just CSS.
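To make the two defects in this report concrete (sequential placeholder replacement that re-scans substituted values, and unescaped field values reaching both HTML and the otpauth URL), the following is an added example in Swift; it is not code from the Raivo OTP project, and OTPEntry, rowTemplate and the function names are assumptions chosen for the illustration. The unsafe renderer reproduces the replacingOccurrences pattern the report describes; the safe renderer substitutes in a single pass over the template, HTML-escapes every value, percent-encodes every URL component, and rejects a secret outside the Base-32 alphabet instead of writing it into the URL.

```swift
import Foundation

// Hypothetical record type standing in for the app's own OTP entry (assumption, not the project's type).
struct OTPEntry {
    let issuer: String
    let account: String
    let secret: String
    let algorithm: String
    let digits: Int
    let period: Int
}

enum ExportError: Error {
    case invalidSecret   // secret contains characters outside the Base-32 alphabet
}

// A minimal stand-in for the export template; the real template is larger but uses the same placeholder style.
let rowTemplate = "<tr><td>{{issuer}}</td><td>{{account}}</td><td>{{secret}}</td><td>{{uri}}</td></tr>"

/// Escape the five HTML-significant characters so a field is rendered as text, never as markup.
func htmlEscape(_ s: String) -> String {
    var out = ""
    for ch in s {
        switch ch {
        case "&":  out += "&amp;"
        case "<":  out += "&lt;"
        case ">":  out += "&gt;"
        case "\"": out += "&quot;"
        case "'":  out += "&#39;"
        default:   out.append(ch)
        }
    }
    return out
}

/// Percent-encode a value for a URL path or query component. `.urlQueryAllowed` still permits
/// '&', '=', '+', '/', ':' and '?', so those are removed explicitly to prevent parameter injection.
func urlComponentEncode(_ s: String) -> String {
    var allowed = CharacterSet.urlQueryAllowed
    allowed.remove(charactersIn: "&=+#/:?")
    return s.addingPercentEncoding(withAllowedCharacters: allowed) ?? ""
}

/// Build the otpauth:// URI with every field encoded; a secret outside the Base-32 alphabet is rejected
/// rather than written into the URL.
func otpauthURI(for e: OTPEntry) throws -> String {
    let base32 = CharacterSet(charactersIn: "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")
    guard !e.secret.isEmpty, e.secret.unicodeScalars.allSatisfy({ base32.contains($0) }) else {
        throw ExportError.invalidSecret
    }
    let label = urlComponentEncode(e.issuer) + ":" + urlComponentEncode(e.account)
    return "otpauth://totp/\(label)?secret=\(e.secret)&issuer=\(urlComponentEncode(e.issuer))"
        + "&algorithm=\(urlComponentEncode(e.algorithm))&digits=\(e.digits)&period=\(e.period)"
}

/// The pattern the report describes: sequential replacement. A placeholder that arrives inside a field
/// value is expanded by a later pass, and nothing is HTML-escaped.
func renderRowUnsafe(_ e: OTPEntry) -> String {
    return rowTemplate
        .replacingOccurrences(of: "{{issuer}}", with: e.issuer)
        .replacingOccurrences(of: "{{account}}", with: e.account)
        .replacingOccurrences(of: "{{secret}}", with: e.secret)
        .replacingOccurrences(of: "{{uri}}", with: "")
}

/// Single-pass rendering: placeholders are located in the template only, each value is HTML-escaped, and
/// the output is never re-scanned, so "{{secret}}" typed into the issuer field stays literal text and
/// chained placeholders cannot expand.
func renderRowSafe(_ e: OTPEntry) throws -> String {
    let uri = try otpauthURI(for: e)
    let values = ["issuer": e.issuer, "account": e.account, "secret": e.secret, "uri": uri]
    let regex = try NSRegularExpression(pattern: "\\{\\{([a-z]+)\\}\\}")
    let ns = rowTemplate as NSString
    var out = ""
    var cursor = 0
    for m in regex.matches(in: rowTemplate, range: NSRange(location: 0, length: ns.length)) {
        out += ns.substring(with: NSRange(location: cursor, length: m.range.location - cursor))
        let key = ns.substring(with: m.range(at: 1))
        out += htmlEscape(values[key] ?? "")   // an unknown placeholder renders as empty, never as raw text
        cursor = m.range.location + m.range.length
    }
    out += ns.substring(from: cursor)
    return out
}

// Constructed sample reusing the report's issuer payload (an HTML tag plus a placeholder); the secret is
// the same dummy value the report uses.
let sample = OTPEntry(issuer: "<i>xss</i>{{secret}}", account: "alice@example.org",
                      secret: "DUMMY", algorithm: "SHA1", digits: 6, period: 30)
print(renderRowUnsafe(sample))    // <i>xss</i> is live markup and the secret is copied into the issuer cell
print(try renderRowSafe(sample))  // issuer cell reads &lt;i&gt;xss&lt;/i&gt;{{secret}}
```

The single pass is what removes the exponential-expansion concern from the report as well: a value is copied into the output exactly once and is never treated as template text, so issuer and account fields that reference each other simply appear verbatim.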
I would like to sync Raivo with my iCloud, however I am unable to do so. In settings, it says "Synchronization is currently disabled" with both Account and Provider saying "offline".
I just deleted an OTP and I noticed that, after deletion, you can't undo this and the OTP is deleted permanently. Maybe you could implement an option where you would be able to retrieve it for x hours after deletion like Authy. Or archive it for x hours/days. It's not like it's insecure to keep an (old) OTP a little longer. ;)
I also think you can prevent a lot of accidentally deleted OTPs by explaining that deleting them is permanent and prevents access to your account.
I really love Raivo and I switched from Authy after a couple of hours already. Of course I’ll keep Authy as backup for a couple of weeks but I’m really confident that Raivo will eventually replace Authy. Keep 'm going! :)
Describe the bug
Opening the app, the backup option is cut off and you cannot scroll to see more.
EDIT: Found out it is how the font size in iPhone works, so maybe the dynamic sizing of the font or app isn't set right. Smaller font size makes it fit better.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Should be able to see what is available or not.
Smartphone (please complete the following information):
Additional context
Add any other context about the problem here.
iPhone 8, iOS 14.6, Raivo 1.1.16
Exporting a zip to iCloud or local storage works but the process never finishes visually (the spinner on the "Export" button at the bottom of the screen never stops, which is quite confusing because you don't get feedback that the Export has, in fact, finished).
The zip seems to be exported correctly nevertheless.
Looks like the cert recently expired. https://tij.me/blog/migrating-your-one-time-passwords-from-authy-to-raivo-otp/
Is your feature request related to a problem? Please describe.
I'm always frustrated when I have to find and open the app, authorize myself and wait for the codes to show up in order to use them.
Describe the solution you'd like
Widget with 2FA codes (in Notification Center or so)
Describe alternatives you've considered
Somehow speed up the authorization and animation but it would still not be as convenient as a widget.
Additional context
I know this might cost some security but it would be optional (might even have a toggle inside the app that makes the widget visible/invisible or something like that).
When I open the app, the default unlock method is to enter the unlock passcode; please change to unlock with TouchID or FaceID by default.
It is possible to import your specific secret code from the Steam Authenticator app to allow centralisation of all 2FA codes, however at this time Raivo OTP does not support 5 digit codes. I am unsure if simply allowing a 5 digit code would generate an alpha-numeric code in Steam's format, or if that would have to be explicitly supported.
Adding this feature would increase the versatility of the app.
This is about discussing the current state of the code.
I would like to discuss the current implementation of the code and, if possible, have a better understanding of what's going on. I may be wrong or have a wrong understanding of the code, this is why I'm opening this.
Context:
The data that is sent to CloudKit is AES-256 encrypted using your encryption key. Your encryption key (that was defined during setup) is stored in Secure Enclave.
The Security Policy is stating that when using Apple iCloud the data that is sent is encrypted using our encryption key. From my logic, if the data sent is encrypted using our encryption key (exactly like our local data), it should not be decrypted when it's leaving the app.
Observation:
If I'm looking at the code, it seems like the data that is sent to CloudKit is decrypted.
Line of code where the secret is re-encrypted after being retrieved from the cloud:
Line of code where the secret is decrypted before being sent to the cloud:
Do I have a misunderstanding of how CloudKit works? Why is our local data, which is already encrypted in its current state, decrypted before being sent to CloudKit? I have deduced that the data is decrypted before being re-encrypted by CloudKit and not by the app. In this case, what's the situation used?
Context:
This is more about what Raivo-OTP should use for best security. For more information on these protections and what they offer, I encourage reading this report from security researchers at Johns Hopkins University that details limitations of encryption and the type of encryption available for applications to use. It explains how the decryption keys of the application are handled and when they are decrypted.
Observation:
Without stating the entire report, it made me aware that the vast majority of apps available are using "Protected Until First User Authentication (a.k.a. After First Unlock) (AFU)" where the encryption keys are decrypted into memory when the user first enters the device passcode after a reboot, and remain in memory even if the device is locked. This practice used by Raivo OTP is susceptible to attacks since everybody, I assume, reboots their phone only rarely and the phones are carried in a locked-but-authenticated state. Since Raivo OTP does not select a different protection class, it uses the default class (Protected Until First User Authentication).
Question:
For this type of protection, which Data Protection class Raivo-OTP app is currently using?
Is it possible to use the best protection available (Class A: Complete Protection, data is evicted shortly after device lock, within 10 seconds)? Since the app does not need to be running in the background (the sync with iCloud could only happen when the app is actively open), this level of security should not affect user experience and would give the maximum protection for the user.
Thanks for all your good work! 👍
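The protection classes discussed in this issue are selected per item when writing to the Keychain and per file when writing to disk. The following added Swift example (not code from the Raivo OTP project; which class the app actually selects is the reporter's inference above and is not settled on this page) shows the AFU class beside the when-unlocked class for a Keychain item, and complete file protection for an on-disk database. The KeychainProtection enum and the function names are assumptions chosen for the illustration; the kSecAttrAccessible constants and FileProtectionType values are the real Security and Foundation identifiers.

```swift
import Foundation
import Security

/// The two Keychain accessibility classes contrasted in the issue. The first is the "After First Unlock"
/// class (readable while locked, once the device has been unlocked since boot); the second is readable
/// only while the device is unlocked and is never migrated to another device by a backup.
enum KeychainProtection {
    case afterFirstUnlock           // kSecAttrAccessibleAfterFirstUnlock
    case whenUnlockedThisDeviceOnly // kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    var attribute: CFString {
        switch self {
        case .afterFirstUnlock:           return kSecAttrAccessibleAfterFirstUnlock
        case .whenUnlockedThisDeviceOnly: return kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        }
    }
}

/// Store (or replace) a generic-password item under the requested protection class. The delete-then-add
/// keeps the example simple and guarantees the new accessibility attribute is the one that applies.
func storeKey(_ key: Data, service: String, account: String, protection: KeychainProtection) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecAttrAccessible as String] = protection.attribute
    item[kSecValueData as String] = key
    return SecItemAdd(item as CFDictionary, nil)
}

/// Read the item back. Under the when-unlocked class this returns errSecInteractionNotAllowed while the
/// device is locked, which is the failure a foreground-only sync has to tolerate (and a background task
/// cannot work around). Under the AFU class the same call succeeds on a locked device.
func loadKey(service: String, account: String) -> (status: OSStatus, data: Data?) {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return (status, result as? Data)
}

/// Apply Class A ("complete") file protection to an on-disk database so the file's contents are
/// unreadable while the device is locked, independent of how the encryption key itself is stored.
func protectDatabaseFile(at url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
}

// Constructed usage: the weaker class beside the stronger one, with placeholder identifiers.
let sampleKey = Data("constructed-sample-key-not-a-real-secret".utf8)
let weak = storeKey(sampleKey, service: "example.app", account: "encryption-key-afu",
                    protection: .afterFirstUnlock)
let strong = storeKey(sampleKey, service: "example.app", account: "encryption-key-unlocked",
                      protection: .whenUnlockedThisDeviceOnly)
print("AFU store status: \(weak), when-unlocked store status: \(strong)")
```

The practical check when reviewing an app's choice is to call loadKey from a background task after locking the device: an item stored with the when-unlocked class fails with errSecInteractionNotAllowed, an AFU item does not. Whichever class is chosen, the file protection attribute on the database and the accessibility attribute on the key need to match, since the weaker of the two decides what is reachable on a locked device.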
Describe the bug
I find it impossible to download icons from the repository, I always get this error: "Update Failed - An SSL error has occurred and a secure connection to the server cannot be made."
I tried with WiFi, data connection or VPN and I always get the same error.
Smartphone (please complete the following information):
Is your feature request related to a problem? Please describe.
I feel like it would be better for security if the stock iOS keyboard was used throughout the app (e.g. the Secret/Seed textfield).
Describe the solution you'd like
Forcing stock keyboard (like iOS does when typing in a password etc.)
There are currently implementations for biometrics and 6-digit passcode authentication, and they seem to work great.
To help provide users with more freedom in customizing their security level, alphanumeric passcodes would be a great idea. It would be the next logical progression in securing users' devices, and it is also frequently a feature for other apps that lock themselves behind passcodes/biometrics.
Would this take long to implement? Other TOTP providers that offer similar authentication already seem to allow alphanumeric passcodes, but not sure how easy those are to implement compared to numerical passcodes.
Hi!
Could it be possible in the future to change the encryption password after setting up the app?
Thanks!