They could modify the original apps apks already anyway
Comment on Help open the source of the myGov Code Generator app
CameronDev@programming.dev 4 days ago
One plausible reason for hiding the source code is that if Services Australia was forced to fully open source it, it would be trivial for bad actors to make knock-off clones that look and behave identically, while doing other bad things. We all know Google and Apple wouldn't do anything to prevent that happening…
Maybe a middle ground of releasing the code, but not the assets (images, style sheets, etc) could be reached?
Either way, I'm still interested, and I might contribute after doing a bit more reading of his past case.
eatham@aussie.zone 4 days ago
CameronDev@programming.dev 4 days ago
Sure, but having the full source makes that even easier.
fizzle@quokk.au 4 days ago
I disagree.
It's just a 2fa code generator? Or have I misunderstood.
CameronDev@programming.dev 4 days ago
“Just a 2fa code generator” is still a good phishing target. Stealing the 2fa seeds would be incredibly valuable for a bad actor. Which is exactly why it should be audited.
It does look incredibly basic though, it's basically a “my-first-android-app”. So extremely trivial to recreate, which does somewhat nullify my original point about app clones.
I would be a bit more interested in the MyID app, which has a lot more risk involved (Uploading ID documents, facial data etc).
fizzle@quokk.au 3 days ago
I guess you’re right about 2fa seeds, but I do wonder why the play store isn’t awash with dodgy 2fa seed generators. I’m not naive enough to believe that everything from the play store is “secure” but do they do some kind of rudimentary screening?
CameronDev@programming.dev 3 days ago
There are a lot of tfa apps in the store, and search does seem to surface the brand name ones first, but there are a few no-name ones as well:
play.google.com/store/apps/details?id=twofa.accou… play.google.com/store/apps/details?id=com.authent…
I don’t know that they are legit or not, but they exist.
I suspect if someone wanted to do this, they would use a fraudulent ad campaign to send people directly to the store, rather than hope for the Play Store search to find people.
And based on my experience with Google, they do fuck all screening, it’s mostly just checks to ensure you have a privacy policy, no checks that the policy is actually followed…