Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation of the storage on Android? #20

Open
yoshimo opened this issue Nov 8, 2022 · 5 comments
Open

Documentation of the storage on Android? #20

yoshimo opened this issue Nov 8, 2022 · 5 comments

Comments

@yoshimo
Copy link

yoshimo commented Nov 8, 2022

The Safenet MobilePass app stores the tokens and various other data in /data/data/securecomputing.devices.android.controller/app_SAFENET_TOKEN_MP3 , is it known how to parse this data and get the necessary parameters out to create valid otp strings?

The file has a a seemingly random hex string as name and the file contains the creation date and some strings escaped with \=
Can we make that readable somehow?
@m4tthumphrey
Copy link

m4tthumphrey commented Jul 5, 2023
edited
Loading

@yoshimo did you get anywhere with this? I'm trying to generate the OTP codes myself from within the company wide application but cannot figure out what the MobilePass+ apps do to generate the secret/QR code. Based on the base64 payload (below) it has to use the sc(shortcode) somehow.

EnrollmentURL=https://se.safenet-inc.com/selfenrollment/dskpp.aspx?sc=[sc]
UserID=[userid]
Passphrase=[passcode]

I've scoured the API docs here (https://thalesdocs.com/sta/api/bsidca/index.html) but I don't think these are what the MobilePass+ clients use.

@yoshimo
Copy link
Author

yoshimo commented Jul 5, 2023

No I did not find any thing yet.

@m4tthumphrey
Copy link

Are you still actively pursuing? I progressed slightly today and managed to workout the API requests made from the macOS client. Unfortunately I still can't workout how the secret is used/generated as one of the requests is completely encrypted.

@g-h-97
Copy link

g-h-97 commented May 29, 2024

Hi @yoshimo and @m4tthumphrey

Did you guys manage to come up with anything here, it seems that there is no replacement for MobilePass+ for now and no way to automate OTP generation which is an absolute bummer if you ask me :(

I just got an enrollment email with what seems to be a base64 string which is not compatible with any other OTP generation app,

@m4tthumphrey
Copy link

m4tthumphrey commented May 29, 2024
edited
Loading

Hey @g-h-97

No I didn't get anywhere at all after my last post, the MobilePass+ app is completely proprietary. I am pretty sure that the MP app speaks to a MobilePass server which is where the code is generated, using several factors. The server then gives the sc code back to the app which then generates the secret.

I do see why companies would want to not be able to automate the OTP code, as after all it is designed to improve security and automating it, instantly makes it less secure. That being said, it is incredibly annoying as a dev trying to automate things.

Let me know if you get anywhere!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yoshimo @m4tthumphrey @g-h-97