Help open the source of the myGov Code Generator app

Submitted ⁨⁨4⁩ ⁨days⁩ ago⁩ by ⁨brisk@aussie.zone⁩ to ⁨australia@aussie.zone⁩

https://www.pozible.com/project/mygov-app-source-code-foi-review-1/

We rely on myGov, but can we trust its code?

Millions of Australians use myGov to access essential services like Medicare, the ATO, and Centrelink. The myGov Code Generator app is one of the options for enhancing myGov login security.

But is it actually secure? Services Australia, the agency who publishes it, claims it is. But when I requested the app’s source code under Freedom of Information (FOI) laws, Services Australia refused, arguing that releasing the code would help “nefarious actors” and compromise security. In other words: “Security by Obscurity”.

True security requires transparency. Hiding the code prevents independent experts from auditing the system for flaws. It also denies secure access to government services for people who do not live in the Google or Apple “walled gardens”, or to people with disabilities and culturally and linguistically diverse cohorts who cannot use the app as designed, but who could use modified or translated versions.

source

Comments

Sort:hotnew top

No1@aussie.zone ⁨3⁩ ⁨days⁩ ago
Nothing pisses me off more than websites that require you to install their app for 2FA.

There is no reason for you to not be using standards based authenticator solutions.

source
- spartanatreyu@programming.dev ⁨3⁩ ⁨days⁩ ago
  Counterpoint: A government portal needs to be extremely backwards compatible to support as many people as possible. That includes supporting devices that don’t support the latest standards.
  
  source
  - Jumuta@sh.itjust.works ⁨3⁩ ⁨days⁩ ago
    software standards can be implemented on whatever hardware
    
    source
makingStuffForFun@lemmy.ml ⁨4⁩ ⁨days⁩ ago
100% behind this. Public code, should be public code.

I should be able to access services without an American corporation having my data (Google, apple).

source
fizzle@quokk.au ⁨4⁩ ⁨days⁩ ago
Tricky.

I absolutely believe that all software paid for by public funds should be open source.

That said, they’re not going to open source software which they commissioned without that requirement.

source
- spartanatreyu@programming.dev ⁨3⁩ ⁨days⁩ ago
  Counterpoint: Public funds pay for software used by military and intelligence services. Certain information becoming publicly available can lead to real harm. (e.g. A self-assessment on a country’s own weaknesses, methods that spies deployed abroad can deliver information back, etc…) How do you manage the infohazard risk?
  
  all software paid for by public funds should be open source.
  
  Should probably be changed to: all software paid for by public funds should be open source so long as their is no or low foreseeable infohazard risk.
  
  source
vividspecter@aussie.zone ⁨1⁩ ⁨day⁩ ago
I think a better approach would be:

Support conventional TOTP codes that any other 2FA app supports

Give passkeys first-class support (currently there is a bug where a passkey login is not counted as a real login, so you could lose your account due to inactivity if you don’t login with a password in a while)

Similarly, allow passkey only login so there isn’t the vulnerability from SMS 2FA (or make it 2 factor with passkeys + password and/or 2FA)

I know some are wary about passkeys because they are often tied to a device, but common password managers now have great support for it (such as bitwarden and keepassXC) and you could even use a physical key instead.
source
MisterFrog@aussie.zone ⁨2⁩ ⁨days⁩ ago
I hate the fact I can’t use my own 2FA app (Kepass)

I don’t like the idea of losing access to my myGov account just because I lost my phone…

source
CameronDev@programming.dev ⁨4⁩ ⁨days⁩ ago
One plausible reason for hiding the source code is that if Service Australia was forced to fully open source it, it would be trivial for bad actors to make knock-off clones that look and behave identically, while doing other bad things. We all know Google and Apple wouldnt do anything to prevent that happening…

Maybe a middle ground of releasing the code, but not the assets (images, style sheets, etc) could be reached?

Either way, I’ll still interested, and I might contribute after doing a bit more reading of his past case.

source
- fizzle@quokk.au ⁨4⁩ ⁨days⁩ ago
  I disagree.
  
  Its just a 2fa code generator? Or have I misunderstood.
  
  source
  - CameronDev@programming.dev ⁨4⁩ ⁨days⁩ ago
    “Just a 2fa code generator” is still a good phishing target. Stealing the 2fa seeds would be incredibly valuable for a bad actor. Which is exactly why it should be audited.
    
    It does look incredibly basic though, its basically a “my-first-android-app”. So extremely trivial to recreate, which does somewhat nullify my original point about app clones.
    
    I would be a bit more interested in the MyID app, which has a lot more risk involved (Uploading ID documents, facial data etc).
    
    source
    -> View More Comments
- eatham@aussie.zone ⁨4⁩ ⁨days⁩ ago
  They could modify the original apps apks already anyway
  
  source
  - CameronDev@programming.dev ⁨4⁩ ⁨days⁩ ago
    Sure, but having the full source makes that even easier.
    
    source
Strayce@lemmy.sdf.org ⁨4⁩ ⁨days⁩ ago
Man I hate it when my access is recubed.

source
No1@aussie.zone ⁨4⁩ ⁨days⁩ ago
Bro, I just made the private key a hash of your birthdate, because that’s gotta be unique, right?

source