Support Android without Root

[markuta]

This should work by patching the Authy app (.APK) and embedding a Frida library.

Potential methods:

• https://lief.re/doc/latest/tutorials/09_frida_lief.html
• https://koz.io/using-frida-on-android-without-root/

There are a few things to consider:

1. Authy app self protection i.e. does it check that the APK is modified?
2. Android OS improvements (note: I've only tested the current script on Android 10)
3. Anything else that is way too impractical (sorry, just use a rooted device...)

[markuta]

There seems to be two libraries inside the Resources/lib/arm64-v8a/ folder of the APK:

Unfortunately, after patching and resigning the APK using the first method the application crashes :(

(.venv)  naz@Nazs-Air $ ~/Mobile/Android/injection $ adb logcat -s "frida-lief:V"
--------- beginning of crash
--------- beginning of system
--------- beginning of main

Needs some more looking in to.

[markuta]

Patching manually the app works!

I was able to add the Frida gadget library by decompressing the APK with apktool and modifying the com.authy.authy.MainActivity file. And adding the following code:

const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

And of course adding the libfrida-gadget.so into the lib/arm64-v8a/ folder.

When you install and run the Authy app it immediately pauses and waits for frida to connect. To continue with the execution you will need to run frida -U Gadget which will attach to the process, whilst being able to instrument the app.

Still need to do some testing though...

[markuta]

Request

If anyone has a spare unrooted Android device that uses a arm64 CPU.

Can you test the following patched version of Authy app?

Once installed, open it on the Phone (you should see the Authy logo and then black screen). This means the Frida library is waiting for a connection. Connect your USB cable and then type frida -U Gadget. The App should continue and you can now enter the phone number. I'm only interested if others are also getting the "The device does not meet the minimum integrity requirements" error during this step.

The sha256 checksum of the patched file is:

2e558a7de45ed15210a70219caf40c35e3fa3f08f905218a1f499ecba8559f4a  com.authy.authy_25.1.1_patch.apk

Grrrrr... can't upload the file on GitHub as it's too big.

Quick Guide

Download official Authy APK it should be around 30MB.

• Run apktool d com.authy.authy_25.1.1.apk -o extracted
• Patch the extracted/smali_classes2/com/authy/authy/MainActivity.smali file (use the above screenshot) and copy over the Frida gadget library
• Run apktool b -o manual_patch.apk extracted/

To resign (if required) the APK:

• Create a new keystore with: keytool -genkey -v -keystore keystore.jks -alias new_alias -keyalg RSA -keysize 2048 -validity 10000
• Sign the APK with jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore keystore.jks -storepass android com.authy.authy_25.1.1_patch.apk android

To install the app:

• adb install com.authy.authy_25.1.1_patch.apk

Note: You will need to enable adb debugging to install the APK and also a frida client to continue with execution. I don't recommend doing this on your personal day-to-day device.

[ThePooN]

I gave this a try using the latest version from the Play Store. While it seems I had everything patched and set-up, enrolling resulted in an error from Authy: "The device, app do not meet the minimum integrity requirements".

I tried simply re-signing the original APK, and that resulted in the same error.

[markuta]

I gave this a try using the latest version from the Play Store. While it seems I had everything patched and set-up, enrolling resulted in an error from Authy: "The device, app do not meet the minimum integrity requirements".

I tried simply re-signing the original APK, and that resulted in the same error.

Thanks for trying.

That's annoying, I think Authy's Google integrity checks are the cause of the issue, and we can't do much without a rooted device, even with Frida in this case. It was once possible with Google's SafetyNet checks but that's long gone.

I've heard users emailing Authy and asking for copy of their own encrypted secrets, which they can then decrypt.

[ThePooN]

I've heard users emailing Authy and asking for copy of their own encrypted secrets, which they can then decrypt.

I explored that route and using https://github.com/serbbil/Authy-GDPR-Export-Decryption I was able to recover my standard TOTP tokens. However that didn't recover the 'Twilio-managed' (aka. "apps"?) tokens.

In the end I used https://github.com/0xbinder/CVE-2024-0044 on an older device, which allowed me to recover both com.authy.storage.tokens.authenticator.xml and com.authy.storage.tokens.authy.xml. Importing these files into Aegis worked and I have finally migrated.

Note that the 'Twilio-managed' tokens contained in com.authy.storage.tokens.authy.xml are bound to the device, as far as I understand. I haven't tested this yet, but I suppose they will no longer work if I remove the vulnerable device I used from the Authy account, likewise if I were to delete it.
Make sure to migrate to regular TOTP tokens on these services before you terminate your Authy account.