This gist contains information about TOTP token storage in the myGov Code Generator app, along with instructions on how to extract tokens.
/data/user/0/au.gov.dhs.centrelink.mygovauthenticator:
├───files
│ myGov.ks
│ sharedSecret
│
└───shared_prefs
au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml
myGov.ks
: A BKS keystore containing a private RSA-256 key used to decrypt the contents ofsharedSecret
(after decoding the base64 data). The key is calledsharedSecret
, and uses the hard-coded password ofkm5QzJJ5NhfGymfp
.sharedSecret
: The encrypted TOTP token. The encrypted data is stored in base64 form, and decrypts to more base64.au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml
: An XML file containing the IV used to decryptsharedSecret
along with the key inmyGov.ks
, as well as themyGov.ks
keystore password.
The TOTP token must be used with the SHA512 algorithm, and the standard 6-digit length and 30 second period.
Example URI:
otpauth://totp/myGov?secret=<BASE32_ENCODED_SECRET>&algorithm=SHA512
Note that some apps like Google Authenticator and Authy do not handle SHA512 properly. BitWarden, for example, does.
- Gain access to the files shown above
- Use the
keyStorePwd
inau.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml
to openmyGov.ks
with a tool like KeyStore Explorer - Use the password
km5QzJJ5NhfGymfp
to access thesharedSecret
key
At this point, you can use this CyberChef recipe to generate a URI, or continue manually:
- Decode the base64 data in the
sharedSecret
file - Use the
sharedSecret
key, along with thesharedSecret_iv
inau.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml
, to decrypt the decodedsharedSecret
file contents with AES-256-CBC - Convert the decrypted
sharedSecret
file contents from base64 to base32, removing any=
padding from the end. - Generate a URI with the properties specified above
Attempted to do this from bluestacks and didn't have any success, couldn't get access to the app data at that path (I assume it's to do with that safetynet thing you talked about)