Showing results for: android

David Maples

YubiKey NEO OATH Applet

Yubico is proud to announce the release of our Free YubiKey NEO applet to help with storing OATH secrets and generating OATH one time pass codes.

With the increasing deployment of two step verification (e.g. GitHub this week, DropBox, Google, Microsoft, Evernote) relying on the OATH protocol, many users are concerned about using their mobile phones to store the secrets used to generate the 6 or 8 digit numbers, and the difficulty of changing devices. The applet we’re releasing today allows you to store those secrets in the secure element on your YubiKey NEO – and simply tapping your NEO against any NFC enabled Android device with the YubiOATH app running shows you your current codes. See the video below to see it in operation.

Existing YubiKey NEO owners comfortable with using command line tools can add the new applet to their NEO – see our forum post here. The source codes of both the YubiKey NEO OATH applet and the Android YubiOATH applet are available here.

Stina Ehrensvard

Best Vaccine for Mobile Viruses

A security research team at Bluebox have unveiled a vulnerability in Android, claiming that malware can get full access to the mobile operating system and applications. The complete details are not yet public, so the Yubico security team does not know how such an attack would work. But we know for sure that we will see more sophisticated mobile malware attacks in the near future.

For many years Apple claimed that their computers were more secure than PCs, being immune to PC viruses. This was a correct statement until Max OS X and IOS won enough market share to become increasingly popular for malware creators.

As the security of static passwords and software authentication installed on computers was exposed, and more and more users adopted smart phones and tablets, SMS and authentication apps were presented as the more secure way to login.  But malware creators always follow the crowd. Long before the Bluebox vulnerability discovery, software authentication applications, running on mobile devices, have been copied and misused.

At Yubico we had these threats in mind when we developed the YubiKey NEO, enabling true second factor authentication across computers and NFC mobile devices. For users and devices that do not have NFC, the Yubikey NEO can also hold an authentication app on the YubiKey itself, offering higher security than loaded on a device exposed to the Internet.

Just as biological viruses have spread, infected and killed humans in the physical world, another type of virus is infiltrating the veins of the Internet. Cloud companies, that have been part of the YubiKey NEO development and success, have seen these viruses attacking their systems. And we know that authentication hardware is the most powerful vaccine.

Yubico Team

Securing OATH Secrets on Android

Some people are concerned about the risk of storing cryptographic secrets on Android devices – for example, those used to generate One Time Passcodes (OTP) from Google Authenticator.  The production YubiKey NEO is the perfect companion to Android devices with NFC support.  By bringing your YubiKey NEO close to the back of the Android device (such as the Nexus 4 from Google), Android Apps can use the YubiKey NEO’s challenge response capability to generate an Open AuTHentication (OATH) time based OTP – such as those used by Google Apps and Dropbox.  And we have created a sample Android App to show this.  [Update] Take a look at the video here.

YubiTOTP Android Widget from Yubico on Vimeo.

 

When you first enable 2-step verification on Google Apps or on DropBox, you are presented with a 2D matrix code which contains the cryptographic secret used to create the OTPs.  Our YubiTOTP Android App reads this (using Google’s open source scanner app); however, instead of storing the secret on the Android file system, it programs one of the YubiKey NEO’s slots with the secret as part of an HMAC-SHA1 challenge/response configuration.  The secret can not be recovered from the YubiKey NEO, however, UNIX time can be sent to the YubiKey NEO (over NFC or via the USB connector) and the result truncated by the App to produce the OTP – which is displayed on the screen or can be put on the clipboard.

If you lose your Android Phone – or it dies, you just get a new one and reload the App – the secret stays in the YubiKey NEO!

[Update] We have enhanced the app to include a re-sizable home screen widget – just tap on the YubiKey icon and prompts you swipe your YubiKey NEO and displays the 6-digit OATH code on the icon.

Download the app here.  Let us know what you think…

Want to install it directly to your Android Device? Download the .apk file here.