Android malware can steal Google Authenticator 2FA codes dlvr.it/RQr43X pic.x.com/8fdqpwsdic
Google's Abandoned Android Authenticator App
android Apps developer · 12 comments · 800 words · Viewed ~19,131 times.
The news has just broken that Google's Authenticator App can have its codes stolen by malware. I doubt Google will ever release a fix for this issue - their 2FA app hasn't been updated since September 2017.
Update! 3 months after I published this post, Google updated their app
For two-and-a-half years, Google hasn't touched their 2FA app's code. Perhaps it is perfect? Perhaps there are no more UI improvements or security enhancements that can be done? Or, more likely, it joins a long graveyard of Android apps - launched optimistically and then abandoned.
I get it, not every product you release is a winner. And some have to be shuttered gracefully. But Google Authenticator is special. It is trusted to protect users' accounts. Not just Google accounts - thousands of providers specifically recommend it.
Sure, you and I know that any OTP app will work. But Google spend a lot of money on branding - and organisations use that to signal trust to their users.
Frankly, Android Authenticator is too important to be neglected like this.
Open Source
The Authenticator app is open source. But comes with this delightful disclaimer:
While this fork is open source, the official version of the app still remains proprietary. There is no guarantee that the open source repository will receive any changes made upstream (or vice versa).
Despite multiple bugs being filed, no one is fixing them. Occasionally users are told that an internal Google ticket has been raised - and then silence.
As I mentioned last year, I've switched to andOTP. It's open source, and actively being developed and improved.
Final thoughts
It's OK to stop developing software. It's OK to decide that your limited resources are best spent elsewhere.
It's not OK to heavily promote an open security standard, convince people to rely on your proprietary app, and then abandon it.
Bonus Content For Patreon Subscribers!!!!!
Here's a quick look through all of Google LLC's currently published Android Apps. I've highlighted any which haven't been updated in over 12 months. That seems like an appropriate cut off for abandonment.
| App | Last Update |
|---|---|
| Cardboard Design Lab | 2015-05-29 |
| Hangouts Dialer | 2015-09-02 |
| Authenticator | 2017-09-27 |
| Toontastic 3D | 2017-11-02 |
| Google AdSense | 2017-12-13 |
| Wallpapers | 2018-01-24 |
| Indic Keyboard | 2018-04-19 |
| Wear OS Phone | 2018-05-14 |
| Cloud Print | 2018-05-23 |
| Gmail Go! | 2018-06-06 |
| Google Korean Input | 2018-06-25 |
| Google Spotlight Stories | 2018-11-13 |
| Pinyin (Chinese) Keyboard | 2018-12-12 |
| Japanese Keyboard | 2019-02-25 |
I'm sure there are some I've missed - and there are loads more which are coming up for their one-year anniversary.
Best of: What I blogged about in 2020
drew says:
Jason says:
Dznsm says:
Thankfully there's another nice OTP app that among others, imports andOTP backups https://github.com/beemdevelopment/Aegis