[APP][4.1+][v0.91 - 20141220] Easy Token - OSS SecurID token with lock screen widgets

[cernekee]

Highlights

• Convenient lock screen and home screen widgets provide instant tokencodes without navigating to an app.
• Optionally save your PIN.
• Supports SDTID files, importing http://127.0.0.1/... tokens from email, and QR tokens.
• 100% open source (GPLv2+)

Requirements

• A token seed file from your system administrator
• JB 4.1+

Downloads

Binaries are attached to this post and available from Google Play.

Source code: https://github.com/cernekee/EasyToken

Changelog

v0.91 - 2014/12/20

 - Use more specific MIME type matches so that Easy Token associations don't
   show up in Contacts.

 - Update libstoken to v0.81 and switch from tomcrypt to nettle.  Most of
   the changes in v0.8/v0.81 won't matter on Android, but it is now possible
   to import hard token seed files if desired.

Older changelogs:

v0.90 - 2014/07/26

 - Rework handling of bound device IDs during token import.  Try to guess
   it based on the current (unique) device ID and all known class GUIDs.
   Allow the user to override it, in case of a collision.

 - Limit import string to 64kB to avoid OutOfMemoryError crashes on invalid
   tokens.

v0.81 - 2014/07/06

 - Fix bug in lock screen widget where it would "bounce" between the tokencode
   display and the clock display for no apparent reason

 - Show the "confirm import" screen unconditionally, so there is a clear
   indication that email import succeeded

v0.80 - 2014/07/05

 - Initial public release

XDA:DevDB Information
Easy Token, App for all devices (see above for details)

Contributors
cernekee
Source Code: https://github.com/cernekee/EasyToken


Version Information
Status: Beta

Created 2014-07-05
Last Updated 2014-12-21

 

[cernekee]

Attaching a couple of randomly generated tokens, in case it is necessary to test Easy Token without a real seed file. These were created with:

qrencode -l H `stoken export --random --android` -o v2.png
qrencode -l H `stoken export --file pinless.sdtid --v3` -o v3.png
stoken export --random --sdtid > token.sdtid

The rightmost (denser, v3) QR code is a 6-digit PINless token. You may need to zoom in to scan it.

 

[phigan]

Verrr niice..

Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?

 

[cernekee]

Thanks for making this, it works great and looks much better than the official RSA one. One thing, though, what is the network access permission for?

It isn't currently used, but future uses could include:

• Internet token provisioning via CTKIP
• NTP clock sync, so that if multiple devices use the same seed, they all read back the same tokencode at the same time
• Better problem reporting; currently ACRA is set up to use email but there are some limitations associated with that approach. All problem reporting in this app is user-initiated.

 

[gehrehmee]

Reported via email as well, but here's the problem I'm having:

Trying to import a token given via an http 127.0.0.1] url in an email:

USER_COMMENT=importing new key via (http link omitted, because xda forums don't like it) failed, with chrome saying "connection refused"
ANDROID_VERSION=4.4.4
APP_VERSION_NAME=0.90
BRAND=oneplus
PHONE_MODEL=A0001
CUSTOM_DATA=
STACK_TRACE=java.lang.Exception: Report requested by developer
at org.acra.ErrorReporter.handleException(ErrorReporter.java:626)
at org.acra.ErrorReporter.handleException(ErrorReporter.java:583)
at app.easytoken.MainActivity.sendProblemReport(MainActivity.java:121)
at app.easytoken.MainActivity.onOptionsItemSelected(MainActivity.java:139)
at android.app.Activity.onMenuItemSelected(Activity.java:2600)
at com.android.internal.policy.impl.PhoneWindow.onMenuItemSelected(PhoneWindow.java:1065)
at com.android.internal.view.menu.MenuBuilder.dispatchMenuItemSelected(MenuBuilder.java:741)
at com.android.internal.view.menu.MenuItemImpl.invoke(MenuItemImpl.java:152)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:884)
at com.android.internal.view.menu.MenuBuilder.performItemAction(MenuBuilder.java:874)
at com.android.internal.view.menu.MenuPopupHelper.onItemClick(MenuPopupHelper.java:177)
at android.widget.AdapterView.performItemClick(AdapterView.java:298)
at android.widget.AbsListView.performItemClick(AbsListView.java:1113)
at android.widget.AbsListView$PerformClick.run(AbsListView.java:2911)
at android.widget.AbsListView$3.run(AbsListView.java:3645)
at android.os.Handler.handleCallback(Handler.java:733)
at android.os.Handler.dispatchMessage(Handler.java:95)
at android.os.Looper.loop(Looper.java:136)
at android.app.ActivityThread.main(ActivityThread.java:5146)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:515)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:796)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:612)
at dalvik.system.NativeStart.main(Native Method)

Screenshot of Chrome attached.

 

[cernekee]

Trying to import a token given via an http 127.0.0.1] url in an email:

Screenshot of Chrome attached.

When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).

If this doesn't happen, you may need to clear the default association for Chrome.

If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.

 

[gehrehmee]

When you clicked on the email link, did it send you straight to Chrome? Android should notice that the URL matches a pattern that can be handled by two different apps, and let you choose whether to open the link with Chrome (incorrect) or Easy Token (correct).

If this doesn't happen, you may need to clear the default association for Chrome.

If you still can't convince it to pop up the app chooser, another option is to copy the URL to the clipboard (long-press may do it), navigate to Easy Token, then choose Manual Entry.

Interesting:

• I installed the official app as well as EasyToken now, and I do get the "choose application" dialog -- but EasyToken isn't in the list.
• I copied the URL into the "manual" entry, and it didn't un-grey the "Next" button.

The URL is in the form:

http (noise added to stop xda forum from rejecting post) ://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService

 

[cernekee]

The URL is in the form:

http (noise added to stop xda forum from rejecting post) ://127.0.0.1/securid/ctkip?scheme=https&url=hostname.company.com:443/ctkip/services/CtkipService

Unfortunately CTKIP is not currently supported. CTKIP URLs do not actually contain the token seed. Instead, they direct the client to handshake with a remote server to securely exchange information. I have not figured out how to implement this scheme yet.

Easy Token normally expects a URL that uses the "compressed token format" (ctf), such as:

http://127.0.0.1/securid/ctf?ctfData=219561515777421437245254320241301611451327661056547012064173126400766246671676001

The ctf string is entirely self-contained (it doesn't need to talk to a remote server).

 

[pfcrow]

Change Device ID

Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.

 

[cernekee]

Would it be possible to let users change the device ID? The default one is calculated differently from the official RSA app, so I can't install the same token on both or migrate from one to the other without having a new token issued to me.

If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.

Are you getting an error instead?

 

[pfcrow]

If the app is unable to successfully decrypt the token using the default device ID, it should prompt you to enter a different ID (see attached screenshot). You can copy the device ID from the official RSA app if your token is bound to that installation.

Are you getting an error instead?

That's awesome! Thanks. I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.

 

[cernekee]

I'm also stuck on the CTKIP issue that others discussed above. I suspect I'm not going to have any luck getting the other app to cough up the token once I download it, though.

That's correct - it is stored in a different format, and obfuscated.

I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?

 

[Descore]

That's correct - it is stored in a different format, and obfuscated.

I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?

A lot - my employer will only issue tokens in CTKIP format, and if I can't copy the RSA app's token out I'm stuck with the default app. And what's worse, I'm stuck with using it on just that one phone - this is the whole reason I found your app in the first place, because I have 2 phones and want to clone the token onto both.
If you figure out a way to read the token from the RSA app, I'd happily PayPal you $20 for the effort
Edit: Even better would be an app to extract the RSA token from a Titanium backup.

 

[calisro]

I am using this on Android and it works great. Today I tried to install this to chrome using ARC. It worked. I was able to import tokens and all seemed well except the tokens are generating the wrong numbers. They should match the android device but they do not. I verified the serial# and dates are the same but the digits after the same PIN numbers are entered are different. I realize ARC is new but figured i'd give it a go.

 

[Beat_Slayer]

That's correct - it is stored in a different format, and obfuscated.

I wonder how much demand there would be for an Xposed Framework module that exports stored tokens from the official RSA app?

Was this solved?

I'd love to get more info and give it a go!

It seems a fun challenge. :cyclops:

 

[roopesh]

I gotta tell you - I love this app. I can easily move my token from phone to phone without getting a new token from my sysadmins. That is huge! I wish you a also had a Mac OS X app

 

[phedders]

Tasker/KLWP

This app is brilliant - so much better than RSA's!

But could you tell me is it possible to get a code from Easy Token into KLWP or Tasker? Using intents?

Cheers!

 

[gekkehenkie11]

Great work, loving it !

 

[pfcrow]

The token in the official Android app is stored in a sqlite database. If your phone is rooted, it's easy to copy it out and dump the database. You can probably dump it out of any backup program. The problem is that the critical fields are obfuscated. They appear to be 256-bit numbers in hex, and I don't know how they translate into the fields used by stoken (the token program that powers the app we're discussing here).

A dump of the table shows:

CREATE TABLE tokens (
   SERIALNUMBER text primary key not null,
   NICKNAME text not null,
   EXPIRATIONDATE text not null,
   PINTYPE integer not null,
   PRNPERIOD integer not null,
   PRNLENGTH integer not null,
   ROOTSEED blob not null,
   OTPMODE integer not null,
   DEVICEBINDINGDATA text not null,
   ALGORITHM integer not null,
   BIRTHDATE integer not null,
   MAXTXCOUNT integer not null,
   SIGNATURECOUNT integer not null,
   LASTTXTIME integer not null,
   TOKENHASH blob not null);

The ROOTSEED and TOKENHASH fields are both 64-character (256-bit) hex codes. I think everything else is either zero or reasonably obvious.

My two thoughts are to either make sense of all this data to create a converter, or to investigate the Windows token storage format (which might use the same fields) and see if the official token converter can extract it.

 

[quemu]

Is any results with CT-KIP? Or any workaround?