Google has released a new update for its Google Authenticator application. The changelog reveals that Google "added device encryption to storage of secret value". Users who had hoped that Google would integrate end-to-end encryption into the application will be disappointed, as this is still not the case.

Google Authenticator was updated about a month ago. The main new feature that Google integrated into the application was two-factor authentication syncing: when turned on, the application syncs the stored data with a user's other devices. While that sounds like a good usability improvement, as it means that users do not have to set up the functionality on all their devices manually, it turned out that Google did not implement end-to-end encryption of the data.
In other words: attackers, for instance by using man-in-the-middle attacks, may read the secrets, which would give them the ability to generate the same codes. A secret, or seed, is the value from which the one-time codes for a specific service or app are generated. The latest changelog of Google's Authenticator app suggests that Google has now integrated end-to-end encryption into the app.
Tests by the German publisher Heise, which we have confirmed, do not show any such change. The changelog entry, "Added device encryption to storage of secret values", must therefore mean something else, but it is unclear what it does exactly.
Google Authenticator users should keep the cloud syncing functionality of the application turned off as a consequence.
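To make concrete why a readable seed is equivalent to readable codes, the following Python is added here as an illustration; it is not the article's code and not Google's. It implements RFC 6238 TOTP, the scheme authenticator apps use, with the RFC's published test seed as constructed input: the code depends only on the seed and the clock, so every holder of the seed derives the same code.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HMAC the time-step counter with the seed, dynamically truncate,
    and reduce modulo 10**digits. Nothing but the seed and the clock goes in."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps store and sync the seed as base32 (the 'secret'
    parameter of an otpauth:// URI); tolerate lowercase, spaces and no padding."""
    compact = encoded.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def verify(seed: bytes, candidate: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- window neighbouring
    steps to absorb clock drift, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + k * step, step, digits), candidate)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed input: the published RFC 6238 test seed, as an app would carry it.
    synced_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    users_device = totp(seed_from_base32(synced_secret), now)
    # A second holder of the same seed (another synced device, or anyone who
    # read the unencrypted sync) derives exactly the same code.
    second_holder = totp(seed_from_base32(synced_secret.lower()), now)
    print(users_device, second_holder,
          verify(seed_from_base32(synced_secret), second_holder, now))
```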