This gist contains information about TOTP token storage in the myGov Code Generator app, along with instructions on how to extract tokens.
```
/data/user/0/au.gov.dhs.centrelink.mygovauthenticator:
├───files
│       myGov.ks
│       sharedSecret
│
└───shared_prefs
        au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml
```
- `myGov.ks`: A BKS keystore containing a private RSA-256 key used to decrypt the contents of `sharedSecret` (after decoding the base64 data). The key is called `sharedSecret`, and uses the hard-coded password of `km5QzJJ5NhfGymfp`.
- `sharedSecret`: The encrypted TOTP token. The encrypted data is stored in base64 form, and decrypts to more base64.
- `au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml`: An XML file containing the IV used to decrypt `sharedSecret` along with the key in `myGov.ks`, as well as the `myGov.ks` keystore password.
The TOTP token must be used with the SHA512 algorithm, and the standard 6-digit length and 30 second period.
Example URI:
otpauth://totp/myGov?secret=<BASE32_ENCODED_SECRET>&algorithm=SHA512
Note that some apps like Google Authenticator and Authy do not handle SHA512 properly. BitWarden, for example, does.
- Gain access to the files shown above
- Use the `keyStorePwd` in `au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml` to open `myGov.ks` with a tool like KeyStore Explorer
- Use the password `km5QzJJ5NhfGymfp` to access the `sharedSecret` key
At this point, you can use this CyberChef recipe to generate a URI, or continue manually:
- Decode the base64 data in the `sharedSecret` file
- Use the `sharedSecret` key, along with the `sharedSecret_iv` in `au.gov.dhs.centrelink.mygovauthenticator.prefs_file.xml`, to decrypt the decoded `sharedSecret` file contents with AES-256-CBC
- Convert the decrypted `sharedSecret` file contents from base64 to base32, removing any `=` padding from the end.
- Generate a URI with the properties specified above
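The last two manual steps, plus a check that a code generated with SHA512 matches a known-good value, as an added example that is not part of the original gist. The function names are hypothetical, and the sample input is the published RFC 6238 SHA-512 test seed standing in for the decrypted `sharedSecret` contents.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def b64_to_base32(decrypted_b64: str) -> str:
    """Re-encode the decrypted base64 secret as base32 without '=' padding."""
    raw = base64.b64decode(decrypted_b64.strip(), validate=True)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def build_uri(secret_b32: str, label: str = "myGov") -> str:
    """Build the otpauth URI; digits (6) and period (30) stay at their defaults."""
    return f"otpauth://totp/{quote(label)}?secret={secret_b32}&algorithm=SHA512"


def totp_sha512(secret_b32: str, unix_time: int,
                digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP using HMAC-SHA512, for checking what an app displays."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # restore stripped padding
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha512).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample: the 64-byte RFC 6238 SHA-512 test seed, base64-encoded
# to mimic the "decrypts to more base64" form described above.
SAMPLE_KEY = b"1234567890" * 6 + b"1234"
SAMPLE_DECRYPTED_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")

if __name__ == "__main__":
    secret = b64_to_base32(SAMPLE_DECRYPTED_B64)
    print(build_uri(secret))
    # Compare this against the code the authenticator app shows for the same
    # secret and timestamp; an app that silently falls back to SHA1 will differ.
    print(totp_sha512(secret, 59))
```
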
Sublime.
I only hit a couple of obstacles. Firstly, I found the files in `/data/data/au.gov.dhs.centrelink.mygovauthenticator` on my device. Secondly, I couldn't cut and paste the secret directly into my authenticator because the textbox truncated the data. I converted the URI to a QR code using https://qr-creator.com/url.php and it worked perfectly.

Thanks for this. Love your work!