this post was submitted on 30 Jul 2024
45 points (100.0% liked)

Android

407 readers
2 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

πŸ”—Universal Link: !android@lemdro.id

πŸ’‘Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.

Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

πŸ’¬Matrix Chat

πŸ’¬Telegram channels / chats

πŸ“°Our communities below

Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More

founded 1 year ago
MODERATORS
ijeff@lemdro.id
ladfrombrad@lemdro.id
Paradox@lemdro.id
multimoon@lemdro.id
mikestevens@lemdro.id
limerod@reddthat.com
Netrunner@lemdro.id
45
Loss of popular 2FA tool puts security-minded GrapheneOS in a paradox (arstechnica.com)
submitted 3 months ago by downpunxx@fedia.io to c/android@lemdro.id
17 comments fedilink hide all child comments
 

Losing access to Authy leads to another reckoning with Google's security model.

top 17 comments
sorted by: hot top controversial new old
[–] ptz@dubvee.org 34 points 3 months ago* (last edited 3 months ago) (1 children)

Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google

Oh, that rubs me the wrong way! It's my godd***ed device, I paid for it with my money, and I'll run whatever I damn well want on it (which is never vanilla Android because I refuse to allow my devices to be ad platforms).

I shouldn't have to prove anything to anyone let alone have it treated as a "criminal OS" by default.

Google needs to be broken up and both Chrome and Android divested to 3rd party, non-profit companies (as well as being demoted to a minority on both steering committees).

load more comments (1 replies)
[–] ililiililiililiilili@lemm.ee 32 points 3 months ago (3 children)

This is a non-issue. Why not use Aegis and backup your own credentials? I wouldn't trust Authy (or any 2FA app that includes cloud backup).

[–] mp3@lemmy.ca 10 points 3 months ago

Other decent options:

TOTP is an open standard, no need to stick to Authy.

[–] 01189998819991197253@infosec.pub 9 points 3 months ago (1 children)

Aegis all the way. Looked at authy and hardpassed after reading the permissions it requires. Your job is to calculate the OTP. You don't need wifi access if you're an offline OTP calculator.

[–] Chozo@fedia.io 3 points 3 months ago (1 children)

Authy is not an offline OTP. It syncs your tokens across devices.

[–] 01189998819991197253@infosec.pub 4 points 3 months ago* (last edited 3 months ago)

It can, but it doesn't have to (or at least it didn't used to). But if you ever choose to leave, you can't export anything (or, at least you couldn't). My statement is using old information, at least a year old, since that's about when I hardpassed on them.

Edit: correct autocorrect

[–] Penguincoder 8 points 3 months ago

I recommend Aegis as well. Does what it needs without shadiness going on.

[–] shortwavesurfer@lemmy.zip 24 points 3 months ago (1 children)

There are tons of other two factor authentication apps that can be used that are totally open source and available on the fdroid application store. The first 2 that come to mind are KeepassDX and FreeOTP

[–] jlh@lemmy.jlh.name 8 points 3 months ago

FreeOTP+ is amazing, originally developed by Red Hat before it was forked.

[–] limerod@reddthat.com 22 points 3 months ago

Authy is the last thing a security minded person should ever have been using. Counting the not so recent security breach and all.

[–] AmbiguousProps@lemmy.today 14 points 3 months ago (1 children)

The author is implying that Authy is the only option for some reason. It's not, this is a non-issue.

[–] Cube6392 4 points 3 months ago

Conspiracy theory: got paid to write a smear piece about a piece of technology the spies of capitalism doesn't like

[–] smeeps@lemmy.mtate.me.uk 11 points 3 months ago

Authy is trash anyway.

[–] possiblylinux127@lemmy.zip 9 points 3 months ago

Isn't Authy proprietary?

[–] Cube6392 8 points 3 months ago

Um... What fucking paradox? Authy is a know security vulnerability. If you're installing GrapheneOS before switching away from Authy, you're putting the condom on after getting fucked

[–] smeg@feddit.uk 5 points 3 months ago (1 children)

"We don't want to punish users of alternative OSes, but there's really no other option at the moment," Wilden added before his blunt conclusion. "Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model."

Bollocks. GrapheneOS even provides instructions on how to use Android's hardware attestation API which is supported by every Android device on version 8 or newer.