Restore from backup made on old phone to new phone asks for password but doesn't import keys #283
Comments
Hello, is your old phone also upgraded to FreeOTP 2.0? Backup and Restore only works if both phones are using FreeOTP 2.0. Some documentation is available here: https://github.com/freeotp/freeotp-android/blob/master/BACKUP.md You can back up manually within the app, or rely on the Android device backup to Google Drive. |
Both are running version 2.0. AFAIK you need version 2.0 to create a backup anyway. OK, so it is designed to export to another phone, so at least there's that. Thanks, will have another look. |
If you are using the Android native backup and restore via Google Drive, you may sign in to Google Drive or Google One to ensure that FreeOTP data exists in your backup before attempting to log in to FreeOTP on the new phone. If you continue having issues please document the exact steps taken so I can investigate further. |
I can reproduce the bug. Here are the steps I took:
The result is that nothing is restored. The backup file is 4.9 KB and should contain 8 keys, so from an outsider's perspective it looks like there is at least something in the file. The old phone runs Android 8.1, while the new one runs Android 13. I'll be happy to provide further information if needed. |
Thanks for the steps, I tested these steps without issues using an Android 8.1 emulator. Could you please provide logcat logs from the new phone covering the time of the restore attempt? |
I am having the same problem. Relevant logcat section:
```
03-08 13:20:38.014 766 766 W keymaster_tee: [WRN]start nwd_import_key
```
The problem seems to be a BadTagException which is caused by BadPaddingException inside OpenSSL |
Hello, I'm currently facing the same problem. My old phone is on Android 9; I was running FreeOTP 1.X and have been running FreeOTP 2.X since the update. I'm pretty sure I haven't added a new token since the new update, but if I create a new token on my old phone, export the backup and import it in my Android 13 emulator, every token except the new one fails to import with the exception below.
I've added a try/catch/continue in TokenPersistence.java#L209 so it can skip errors:
```java
SecretKey skKey;
try {
    // Decrypt the token
    skKey = ekKey.decrypt(sk);
} catch (Exception e) {
    // Decryption failed: log the exception and skip this token
    Log.e(LOGTAG, "Exception", e);
    continue;
}
```
I still don't know where the issue is but it's probably related to the export or persistence of old tokens maybe?
old Android 9.1 phone logcat
Android 13 emulator logcat
|
Thank you for the logcat logs. This keystore error is expected because we first check if this key already exists in the app so it is expected to fail.
The error I am interested to know if all users affected here are only seeing this issue with previously migrated tokens, and not tokens newly added in FreeOTP 2.X. On upgrade from FreeOTP 1.X to 2.X, tokens are all added into the Android keystore, and also added into the backup file, the token secret is encrypted with the master backup password key. I speculate that there may have been an issue saving the token data into the backup file during this migration. This upgrade path happens in the The decrypt line that fails here is attempting to decrypt the encrypted key data from the backup file (representing the token secret) with the master password key. We know the master password is correct because otherwise this line would trigger an exception. Unfortunately I still have been unable to reproduce this issue with installing FreeOTP 1.5 from F-droid, upgrading to 2.0.1 then adding fake tokens with https://freeotp.github.io/qrcode.html backing them up and restoring to another device or emulator. If I add code to print the keys and values of the backup shared preferences file from my working test device, the contents are:
Here you can see the token metadata is stored in the key I don't have much idea yet but I am writing comments here to track this initial investigation. Also, the FreeOTP upgrade path 1.X to 2.X is a one-time operation, troubleshooting this requires essentially rolling back to this 1.X version which is not something that can be done safely. |
Thank you for your time! I've been trying to debug this issue almost every evening for the last 2 weeks
```java
KeyProtection kp = new KeyProtection.Builder(KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .build();
mKeyStore.setEntry(MASTER, new KeyStore.SecretKeyEntry(sk), kp);
sk = (SecretKey) mKeyStore.getKey(MASTER, null);
```
and got this exception:
Even try other purposes like
I found this article from another OTP app https://alexbakker.me/post/mysterious-google-titan-m-bug-cve-2019-9465.html But it might be related to my old phone? It was a Huawei Honor 9 STF-L09. BTW, all my tokens are SHA1 also, might be related or might not. The screen broke on my old phone and I've got a new phone, so I don't really care if I brick it. I've tried to root it; unfortunately it's not as easy as I was hoping for. I'm pretty sure I'm almost there but I don't know what I'm doing. If you think you can help me, I'll take it. |
My case is also of an upgraded software, where tokens were created on 1.x and then upgraded to 2.0 |
I'm still trying to figure out what may cause this. If someone has a throwaway phone and they can reproduce this problem with these steps below, then I could create a test build which adds additional logging and sanity checks in the upgrade path code.
This same process could be repeated with tokens from https://freeotp.github.io/qrcode.html to determine if the token data is related or unrelated to the issue. |
Could someone provide some examples of 2FA providers for tokens which are not being backed up properly? (i.e, Github, Slack, Paypal, etc). |
In my case there's no provider which works. Amazon, Facebook, Nextcloud, WordPress... Nothing actually works. I've tried creating new tokens after the update to version 2.0, but those aren't restored either on the new device. |
Could you please provide your backup file, you can email to jstephen@redhat.com (your token secrets are encrypted with your backup password so I, or others, cannot decrypt them) |
I have the same issue here. Upgraded my phone to a newer LineageOS and I am not able to manually restore my externalBackup using the "Restore" button.
I really want my keys back. |
It would be great if someone having this issue would be able to run the FreeOTP Unit tests in Android Studio to see if any backup related encryption/decryption operations fail. I still have not been able to reproduce this issue therefore I don't have a reliable way to troubleshoot exactly what is failing. |
Would you be able to explain what exactly I have to do to help out? |
Connect your phone to your laptop/desktop over USB/Bluetooth. Install Android Studio, clone this repo and open it as a Project. Select your phone as the device in Android Studio, right-click org.fedorahosted.freeotp (androidTest) and Run tests. |
Alright, I did run the tests. Out of 214 tests on my phone (OnePlus One) 209 were successful, 1 failed and I don't know about the rest, because it just stopped after the fail. Here is the log:
|
Sorry for the lack of response from me, I didn't have time anymore. I had to change the applicationId otherwise I couldn't run the tests.
I have a secure lockscreen setup on my old phone, so all 210 tests ran successfully |
The same issue for me (described in #352). Eventually some tokens (just a few of them) cannot be restored even using the same password. |
Version 2.0.2 has fixed this issue for me. I was able to import all of the tokens on the new phone without any problem. It should be noted that the files were the same ones I created back in January. |
I believe I have the same issue: I got a new phone a couple of months ago, installed version 2.0.2 (43) on Android 13, and added a whole bunch of OTPs. While the password is accepted, the restored database is empty. Moreover, as I'm restoring to an older version of Android, I cannot make use of restoring the database through Google. Instead, I have to manually restore. |
That's nice to hear. But I still have the same issue. Version 2.0.2 (43) is still not able to import my old backup of keys. It just tries to import and then finishes without throwing an error and without having the keys back. How come none of the developers can fix this serious issue here? |
I have the very same problem. One Lenovo tablet and one Fairphone, both using version 2.0.2. Both installed from the Play Store; however, the previously installed version from F-Droid (app version 2.0.2) is also not able to restore the backup. I was also brave enough to try the restore on the tablet -- but well, it is hard to tell whether just nothing happened or if all keys are restored ;) Sad story. Luckily the tablet has all data still available. I think I will gradually migrate to another app. |
Same kind of problem for me : impossible to transfer the database from one phone to another. |
I have the same problem.
Phone specification:
What's really interesting is that even though the filename has an xml extension (externalBackup.xml), it is in fact a standard Java serialized object, which I can read without any problem with the following code:
Excerpt from the output of the code:
Note that I removed the content of the mCipherText, mParameters and mSalt arrays, and I changed the mIterations of the masterKey. For everyone else: you can confirm that you also have a Java serialized export by opening the exported file in Google Drive. If you see some garbage characters and a java.util.HashMap string at the beginning, then it's a serialized export. |
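The check described in the comment above, as an added example that is not part of the original thread and not FreeOTP's code: it walks the Java serialization stream byte by byte and lists the map entries without deserializing anything or needing the backup password. The function name is hypothetical, the map is assumed to hold only string keys and values, and the sample bytes are constructed.

```python
import struct

TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_BLOCKDATA, TC_ENDBLOCKDATA, TC_LONGSTRING = 0x74, 0x77, 0x78, 0x7C
BASE_HANDLE = 0x7E0000  # handle number of the first object in a stream

def read_backup_entries(data: bytes) -> dict:
    """Walk a serialized HashMap of strings byte by byte; nothing is deserialized."""
    pos, handles = 0, ["<classdesc>", "<map>"]  # these two take the first handles
    def take(fmt):  # read big-endian fields and advance
        nonlocal pos
        vals = struct.unpack_from(">" + fmt, data, pos)
        pos += struct.calcsize(">" + fmt)
        return vals[0] if len(vals) == 1 else vals
    def text(fmt="H"):  # length-prefixed string body
        nonlocal pos
        n = take(fmt)
        pos += n
        return data[pos - n:pos].decode("utf-8", "replace")
    def string():  # a String object or a back-reference to an earlier one
        tag = take("B")
        if tag == TC_REFERENCE:
            return handles[take("I") - BASE_HANDLE]
        if tag not in (TC_STRING, TC_LONGSTRING):
            raise ValueError(f"non-string entry, tag 0x{tag:02x}, before offset {pos}")
        handles.append(text("H" if tag == TC_STRING else "Q"))
        return handles[-1]
    if take("HH") != (0xACED, 5):
        raise ValueError("not a Java serialization stream")
    if take("BB") != (TC_OBJECT, TC_CLASSDESC) or text() != "java.util.HashMap":
        raise ValueError("top-level object is not java.util.HashMap")
    _uid, _flags, nfields = take("qBH")
    for _ in range(nfields):  # HashMap declares two primitive fields: type code + name
        take("B")
        text()
    if take("BB") != (TC_ENDBLOCKDATA, TC_NULL):
        raise ValueError("unexpected class annotation or superclass")
    take("fi")  # field values: loadFactor, threshold
    if take("BB") != (TC_BLOCKDATA, 8):
        raise ValueError("missing HashMap block data")
    _capacity, size = take("ii")
    return {string(): string() for _ in range(size)}

# Constructed sample: two entries, the second value is a back-reference to the first.
SAMPLE = (bytes.fromhex("aced0005 7372") + b"\x00\x11java.util.HashMap"
          + bytes.fromhex("0507dac1c31660d1 03 0002") + b"F\x00\x0aloadFactorI\x00\x09threshold"
          + bytes.fromhex("7870 3f400000 0000000c 7708 00000010 00000002")
          + b"\x74\x00\x09masterKey" + b"\x74\x00\x02{}" + b"\x74\x00\x11constructed-entry"
          + b"\x71\x00\x7e\x00\x03" + b"\x78")
```

To inspect a real export, pass the file's bytes, for example `read_backup_entries(open("externalBackup.xml", "rb").read())`; a `ValueError` means the file is not a serialized string map.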
No keys were restored and no error returned. After reading the above, I looked in the file and it is a Java Serialised Hashmap that I can read using the code posted above, although typing these entries in manually gives the "not valid base32" error in the new Authenticator (Aegis) |
Everything we (my friend and I) exported from our phones in version 2.0.3 (44) can't be imported back or to other phones. Tested on 4 different devices. I have a backup from my old phone and it's working, but I don't know what version was there because I have wiped it. |
Exactly the same issue here. Version 2.0.3 (44). Before I wiped my phone I tried the backup/restore and it seemed to work (tokens were all there). On the clean install the password question comes up, I enter it, it gets accepted and then the token list remains empty. As you can imagine this was very disappointing.. Lucky I had my OTP restore keys in order. Will be looking into a replacement for this app. |
Look at Aegis - https://github.com/beemdevelopment/Aegis |
I seem to have started using FreeOTP when it was in version 2.0.2. I backed it up from time to time, and old backups created on version 2.0.2 could be restored on both version 2.0.2 and 2.0.3. But new backups created on version 2.0.3 could not be restored on all versions of the application. |
Is there a guide on how to import working backups into Aegis? |
Sorry, from version >= 2.0 no, it's in keystorage and you don't have access to secrets, just the freeotp app. |
I took a look at this while giving beemdevelopment/Aegis#1084 another shot. There appear to be multiple issues here:
Aegis will support importing FreeOTP 2 backups soon: beemdevelopment/Aegis#1506. I've implemented workarounds for 2, 3 and 4. But 1 is usually not (fully) recoverable. We try to salvage as many entries as possible, but if an entry was encrypted with a different master key than the one present in the file, it cannot be recovered. |
Hi,
FreeOTP updated to 2.0 today. Was using previous version on Android. Backup feature looks good, thanks.
I'm trying to transfer my keys from old phone to new phone without having to type them all in again.
I've made a backup from old phone to Google Drive. Then I restore this backup from Drive to FreeOTP 2.0 running on new phone. It sees the backup, and asks me for password. But then returns to an empty screen.
How do you transfer keys to a new phone if this is not the method? The set-up process when installing FreeOTP does not say "would you like to import from backup?"
Thanks,
Sean