[APP][4.1+][v0.91 - 20141220] Easy Token - OSS SecurID token with lock screen widgets


cernekee

Senior Member
Jun 2, 2013
186
427
Highlights

  • Convenient lock screen and home screen widgets provide instant tokencodes without navigating to an app.
  • Optionally save your PIN.
  • Supports SDTID files, importing http://127.0.0.1/... tokens from email, and QR tokens.
  • 100% open source (GPLv2+)

Requirements

  • A token seed file from your system administrator
  • JB 4.1+

Downloads

Binaries are attached to this post and available from Google Play.

Source code: https://github.com/cernekee/EasyToken

Changelog

Code:
v0.91 - 2014/12/20

 - Use more specific MIME type matches so that Easy Token associations don't
   show up in Contacts.

 - Update libstoken to v0.81 and switch from tomcrypt to nettle.  Most of
   the changes in v0.8/v0.81 won't matter on Android, but it is now possible
   to import hard token seed files if desired.

Older changelogs:


Code:
v0.90 - 2014/07/26

 - Rework handling of bound device IDs during token import.  Try to guess
   it based on the current (unique) device ID and all known class GUIDs.
   Allow the user to override it, in case of a collision.

 - Limit import string to 64kB to avoid OutOfMemoryError crashes on invalid
   tokens.

v0.81 - 2014/07/06

 - Fix bug in lock screen widget where it would "bounce" between the tokencode
   display and the clock display for no apparent reason

 - Show the "confirm import" screen unconditionally, so there is a clear
   indication that email import succeeded

v0.80 - 2014/07/05

 - Initial public release

XDA:DevDB Information
Easy Token, App for all devices (see above for details)

Contributors
cernekee
Source Code: https://github.com/cernekee/EasyToken


Version Information
Status: Beta

Created 2014-07-05
Last Updated 2014-12-21
 

Attachments: screenshot-0.jpg, screenshot-1.jpg, screenshot-2.jpg, screenshot-3.png, screenshot-4.jpg

cernekee

Attaching a couple of randomly generated tokens, in case it is necessary to test Easy Token without a real seed file. These were created with:

Code:
qrencode -l H `stoken export --random --android` -o v2.png
qrencode -l H `stoken export --file pinless.sdtid --v3` -o v3.png
stoken export --random --sdtid > token.sdtid

The rightmost (denser, v3) QR code is a 6-digit PINless token. You may need to zoom in to scan it.
 

Attachments: v2.png, v3.png, sdtid-files.zip

phigan

Senior Member
Sep 11, 2007
75
8
Verrr niice..

Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?
 

cernekee

> Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?

It isn't currently used, but future uses could include:

  • Internet token provisioning via CTKIP
  • NTP clock sync, so that if multiple devices use the same seed, they all read back the same tokencode at the same time
  • Better problem reporting; currently ACRA is set up to use email but there are some limitations associated with that approach. All problem reporting in this app is user-initiated.
 

gehrehmee

Member
Mar 8, 2010
13
2
Reported via email as well, but here's the problem I'm having:

Trying to import a token given via an http 127.0.0.1 url in an email:

USER_COMMENT=importing new key via (http link omitted, because xda forums don't like it) failed, with chrome saying "connection refused"
ANDROID_VERSION=4.4.4
APP_VERSION_NAME=0.90
BRAND=oneplus
PHONE_MODEL=A0001
CUSTOM_DATA=
STACK_TRACE=java.lang.Exception: Report requested by developer
at org.acra.ErrorReporter.handleException(ErrorReporter.java:626)
at org.acra.ErrorReporter.handleException(ErrorReporter.java:583)
at app.easytoken.MainActivity.sendProblemReport(MainActivity.java:121)
at app.easytoken.MainActivity.onOptionsItemSelected(MainActivity.java:139)
at android.app.Activity.onMenuItemSelected(Activity.java:2600)
at com.android.internal.policy.impl.PhoneWindow.onMenuItemSelected(PhoneWindow.java:1065)
at com.android.internal.view.menu.MenuBuilder.dispatchMenuItemSelected(MenuBuilder.java:741)
at com.android.internal.view.menu.MenuItemImpl.invoke(MenuItemImpl.java:152)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:884)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:874)
at com.android.internal.view.menu.MenuPopupHelper.onItemClick(MenuPopupHelper.java:177)
at android.widget.AdapterView.performItemClick(AdapterView.java:298)
at android.widget.AbsListView.performItemClick(AbsListView.java:1113)
at android.widget.AbsListView$PerformClick.run(AbsListView.java:2911)
at android.widget.AbsListView$3.run(AbsListView.java:3645)
at android.os.Handler.handleCallback(Handler.java:733)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:136)
at android.app.ActivityThread.main(ActivityThread.java:5146)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:515)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:796)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:612)
at dalvik.system.NativeStart.main(Native Method)

Screenshot of Chrome attached.
 

Attachments: Screenshot_2014-10-14-13-14-29.png

cernekee

> Trying to import a token given via an http 127.0.0.1 url in an email:
>
> Screenshot of Chrome attached.

When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).

If this doesn't happen, you may need to clear the default association for Chrome.

If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.
 

gehrehmee

> When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).
>
> If this doesn't happen, you may need to clear the default association for Chrome.
>
> If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.

Interesting:

  • I installed the official app as well as EasyToken now, and I do get the "choose application" dialog -- but EasyToken isn't in the list.
  • I copied the URL into the "manual" entry, and it didn't un-grey the "Next" button.
The URL is in the form:

http (noise added to stop xda forum from rejecting post) ://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService
 

cernekee

> The URL is in the form:
>
> http (noise added to stop xda forum from rejecting post) ://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService

Unfortunately CTKIP is not currently supported. CTKIP URLs do not actually contain the token seed. Instead, they direct the client to handshake with a remote server to securely exchange information. I have not figured out how to implement this scheme yet.

Easy Token normally expects a URL that uses the "compressed token format" (ctf), such as:

Code:
http://127.0.0.1/securid/ctf?ctfData=219561515777421437245254320241301611451327661056547012064173126400766246671676001

The ctf string is entirely self-contained (it doesn't need to talk to a remote server).
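
The difference between the two link types in the post above, as an added example (not Easy Token's or libstoken's code): a pre-import check that tells a self-contained ctf link from a CTKIP link and applies the 64kB import cap from the v0.90 changelog. The function name and rejection messages are hypothetical, and the accepted paths and parameters are inferred only from the two URL forms quoted in this thread.

```python
from urllib.parse import urlsplit, parse_qs

MAX_IMPORT_BYTES = 64 * 1024  # import cap mentioned in the v0.90 changelog

# URL form quoted earlier in the thread (placeholder hostname from the post).
SAMPLE_CTKIP = ("http://127.0.0.1/securid/ctkip?scheme=https"
                "&url=hostname.company.com:443/ctkip/services/CtkipService")
# Constructed sample: 81 arbitrary digits, not a usable token.
SAMPLE_CTF = "http://127.0.0.1/securid/ctf?ctfData=" + "1234567890" * 8 + "1"


def classify_import_url(url):
    """Return (kind, detail); kind is "ctf", "ctkip" or "reject".

    "ctf"   -> the link itself carries the token data (works offline)
    "ctkip" -> the link only names a provisioning server to handshake with
    """
    # Check size before any parsing so oversized input is dropped cheaply.
    if len(url.encode("utf-8")) > MAX_IMPORT_BYTES:
        return ("reject", "import string exceeds 64kB")
    parts = urlsplit(url.strip())
    if parts.scheme != "http" or parts.hostname != "127.0.0.1":
        return ("reject", "not an http://127.0.0.1/ import link")
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/securid/ctf":
        data = query.get("ctfData", [""])[0]
        if not data:
            return ("reject", "ctf link without ctfData")
        # Report only the length: the payload is the token and must not
        # end up in logs or problem reports.
        return ("ctf", "self-contained token, %d characters" % len(data))
    if parts.path == "/securid/ctkip":
        server = query.get("url", [""])[0]
        scheme = query.get("scheme", [""])[0]
        if not server or not scheme:
            return ("reject", "ctkip link without scheme/url")
        return ("ctkip", "needs handshake with %s://%s" % (scheme, server))
    return ("reject", "unknown import path")


if __name__ == "__main__":
    for sample in (SAMPLE_CTF, SAMPLE_CTKIP, "https://example.com/securid/ctf"):
        print(classify_import_url(sample))
```
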
 

pfcrow

Member
Feb 26, 2011
11
0
Change Device ID

Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.
 

cernekee

> Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.

If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.

Are you getting an error instead?
 

Attachments: s-0.png

pfcrow

> If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.
>
> Are you getting an error instead?

That's awesome! Thanks. I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.
 

cernekee

> I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.

That's correct - it is stored in a different format, and obfuscated.

I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?
 

Descore

Senior Member
Apr 13, 2012
94
41
Copenhagen
> That's correct - it is stored in a different format, and obfuscated.
>
> I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?

A lot - my employer will only issue tokens in CTKIP format, and if I can't copy the RSA app's token out I'm stuck with the default app. And what's worse, I'm stuck with using it on just that one phone - this is the whole reason I found your app in the first place, because I have 2 phones and want to clone the token onto both.
If you figure out a way to read the token from the RSA app, I'd happily PayPal you $20 for the effort :)
Edit: Even better would be an app to extract the RSA token from a Titanium backup.
 

calisro

Senior Member
Sep 9, 2008
1,871
754
noneya
I am using this on Android and it works great. Today I tried to install this to Chrome using ARC. It worked. I was able to import tokens and all seemed well except the tokens are generating the wrong numbers. They should match the Android device but they do not. I verified the serial# and dates are the same but the digits after the same PIN numbers are entered are different. I realize ARC is new but figured I'd give it a go. :)
 

roopesh

Member
May 30, 2006
40
4
I gotta tell you - I love this app. I can easily move my token from phone to phone without getting a new token from my sysadmins. That is huge! I wish you also had a Mac OS X app :)
 

phedders

Senior Member
Apr 1, 2012
103
48
Tasker/KLWP

This app is brilliant - so much better than RSA's!

But could you tell me is it possible to get a code from Easy Token into KLWP or Tasker? Using intents?

Cheers!
 

pfcrow

The token in the official Android app is stored in a sqlite database. If your phone is rooted, it's easy to copy it out and dump the database. You can probably dump it out of any backup program. The problem is that the critical fields are obfuscated. They appear to be 256-bit numbers in hex, and I don't know how they translate into the fields used by stoken (the token program that powers the app we're discussing here).

A dump of the table shows:
Code:
CREATE TABLE tokens (
   SERIALNUMBER text primary key not null,
   NICKNAME text not null,
   EXPIRATIONDATE text not null,
   PINTYPE integer not null,
   PRNPERIOD integer not null,
   PRNLENGTH integer not null,
   ROOTSEED blob not null,
   OTPMODE integer not null,
   DEVICEBINDINGDATA text not null,
   ALGORITHM integer not null,
   BIRTHDATE integer not null,
   MAXTXCOUNT integer not null,
   SIGNATURECOUNT integer not null,
   LASTTXTIME integer not null,
   TOKENHASH blob not null);

The ROOTSEED and TOKENHASH fields are both 64-character (256-bit) hex codes. I think everything else is either zero or reasonably obvious.

My two thoughts are to either make sense of all this data to create a converter, or to investigate the Windows token storage format (which might use the same fields) and see if the official token converter can extract it.
 
