Comment on Help open the source of the myGov Code Generator app
CameronDev@programming.dev 4 days ago
“Just a 2fa code generator” is still a good phishing target. Stealing the 2fa seeds would be incredibly valuable for a bad actor. Which is exactly why it should be audited.
It does look incredibly basic though, it’s basically a “my-first-android-app”. So extremely trivial to recreate, which does somewhat nullify my original point about app clones.
I would be a bit more interested in the MyID app, which has a lot more risk involved (Uploading ID documents, facial data etc).
fizzle@quokk.au 3 days ago
I guess you’re right about 2fa seeds, but I do wonder why the play store isn’t awash with dodgy 2fa seed generators. I’m not naive enough to believe that everything from the play store is “secure” but do they do some kind of rudimentary screening?
CameronDev@programming.dev 3 days ago
There are a lot of tfa apps in the store, and search does seem to surface the brand name ones first, but there are a few no-name ones as well:
play.google.com/store/apps/details?id=twofa.accou…
play.google.com/store/apps/details?id=com.authent…
I don’t know whether they are legit or not, but they exist.
I suspect if someone wanted to do this, they would use a fraudulent ad campaign to send people directly to the store, rather than hope for the playstore search to find people.
And based on my experience with Google, they do fuck all screening, it’s mostly just checks to ensure you have a privacy policy, no checks that the policy is actually followed…