Information about TOTP token storage in the myGov Code Generator app, as well as token extraction instructions.

mygov_totp_storage.md

This gist contains information about TOTP token storage in the myGov Code Generator app, along with instructions on how to extract tokens.

App data

Structure

/data/user/0/au.gov.dhs.centrelink.mygovauthenticator:
├───files
│       myGov.ks
│       sharedSecret
│
└───shared_prefs
        au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml

Details

• myGov.ks: A BKS keystore containing a private RSA-256 key used to decrypt the contents of sharedSecret (after decoding the base64 data). The key is called sharedSecret, and uses the hard-coded password of km5QzJJ5NhfGymfp.
• sharedSecret: The encrypted TOTP token. The encrypted data is stored in base64 form, and decrypts to more base64.
• au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml: An XML file containing the IV used to decrypt sharedSecret along with the key in myGov.ks, as well as the myGov.ks keystore password.

TOTP format

The TOTP token must be used with the SHA512 algorithm, and the standard 6-digit length and 30 second period.

Example URI: otpauth://totp/myGov?secret=<BASE32_ENCODED_SECRET>&algorithm=SHA512

Note that some apps like Google Authenticator and Authy do not handle SHA512 properly. BitWarden, for example, does.

Manual instructions

1. Gain access to the files shown above
2. Use the keyStorePwd in au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml to open myGov.ks with a tool like KeyStore Explorer
3. Use the password km5QzJJ5NhfGymfp to access the sharedSecret key

At this point, you can use this CyberChef recipe to generate a URI, or continue manually:

5. Decode the base64 data in the sharedSecret file
6. Use the sharedSecret key, along with the sharedSecret_iv in au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml, to decrypt the decoded sharedSecret file contents with AES-256-CBC
7. Convert the decrypted sharedSecret file contents from base64 to base32, removing any = padding from the end.
8. Generate a URI with the properties specified above

Thank you SO MUCH for the instruction!! The instructions are very detailed and the recommended tools had been great as well. Specifically, you had created the CyberChef to help automate the process, which had worked faultlessly. Thanks heaps and it helps to consolidate all my TOTP :)

Thank you for this! The myGov Authenticator app is awful

Any advice on how to get the files in the first place? I've tried adb backup but it comes up empty

Any advice on how to get the files in the first place? I've tried adb backup but it comes up empty

@K1ngJony You'll need a rooted device (or one with file access from a recovery environment). Perhaps an Android emulator would work as well - I'm not sure if the app uses SafetyNet.

Attempted to do this from bluestacks and didn't have any success, couldn't get access to the app data at that path (I assume it's to do with that safetynet thing you talked about)

Sublime.

I only hit a couple of obstacles. Firstly, I found the files in /data/data/au.gov.dhs.centrelink.mygovauthenticator on my device. Secondly, I couldn't cut and paste the secret directly into my authenticator because the textbox truncated the data. I converted the URI to a QR code using https://qr-creator.com/url.php and it worked perfectly.

Thanks for this. Love your work!