MobilePASSER icon indicating copy to clipboard operation
MobilePASSER copied to clipboard
verified publisher icon datr

Documentation of the storage on Android?

Open yoshimo opened this issue 3 years ago • 5 comments

The Safenet MobilePass app stores the tokens and various other data in /data/data/securecomputing.devices.android.controller/app_SAFENET_TOKEN_MP3 , is it known how to parse this data and get the necessary parameters out to create valid otp strings?

The file has a a seemingly random hex string as name and the file contains the creation date and some strings escaped with \= Can we make that readable somehow?

yoshimo avatar Nov 08 '22 20:11 yoshimo

@yoshimo did you get anywhere with this? I'm trying to generate the OTP codes myself from within the company wide application but cannot figure out what the MobilePass+ apps do to generate the secret/QR code. Based on the base64 payload (below) it has to use the sc(shortcode) somehow.

EnrollmentURL=https://se.safenet-inc.com/selfenrollment/dskpp.aspx?sc=[sc]
UserID=[userid]
Passphrase=[passcode]

I've scoured the API docs here (https://thalesdocs.com/sta/api/bsidca/index.html) but I don't think these are what the MobilePass+ clients use.

m4tthumphrey avatar Jul 05 '23 10:07 m4tthumphrey

No I did not find any thing yet.

yoshimo avatar Jul 05 '23 18:07 yoshimo

Are you still actively pursuing? I progressed slightly today and managed to workout the API requests made from the macOS client. Unfortunately I still can't workout how the secret is used/generated as one of the requests is completely encrypted.

m4tthumphrey avatar Jul 05 '23 18:07 m4tthumphrey

Hi @yoshimo and @m4tthumphrey

Did you guys manage to come up with anything here, it seems that there is no replacement for MobilePass+ for now and no way to automate OTP generation which is an absolute bummer if you ask me :(

I just got an enrollment email with what seems to be a base64 string which is not compatible with any other OTP generation app,

g-h-97 avatar May 29 '24 13:05 g-h-97

Hey @g-h-97

No I didn't get anywhere at all after my last post, the MobilePass+ app is completely proprietary. I am pretty sure that the MP app speaks to a MobilePass server which is where the code is generated, using several factors. The server then gives the sc code back to the app which then generates the secret.

I do see why companies would want to not be able to automate the OTP code, as after all it is designed to improve security and automating it, instantly makes it less secure. That being said, it is incredibly annoying as a dev trying to automate things.

Let me know if you get anywhere!

m4tthumphrey avatar May 29 '24 13:05 m4tthumphrey