Google Authenticator's security update does not enable encryption

vtqhtr413

Level 27
Thread author
Well-known
Aug 17, 2017
1,609
Google has released a new update for its Google Authenticator application. The changelog reveals that Google "added device encryption to storage of secret value". Users who have hoped that Google would integrate end-to-end encryption to the application will be disappointed, as this is still not the case. Google Authenticator was updated about a month ago. The main new feature that Google integrated into the application was two-factor authentication syncing. The applications syncs the stored data with a user's other devices, when turned on. While that sounds like a good usability improvement, as it means that users do not have to set up the functionality on all their devices manually, it turned out that Google did not implement end-to-end encryption of the data.

In other words: attackers, for instance by using man-in-the-middle attacks, may read the secrets; this would give them access to the codes generated. A secret, or seed, is used to generate one-time codes for specific services or Apps. The latest changelog of Google's Authenticator app suggests that Google has integrated the feature into the app. Tests, by the German Heise publisher, and confirmed by us, do not confirm the change. The changelog message, Added device encryption to storage of secret values, must mean something else then, but it is unclear what it does exactly.

Google Authenticator users should keep the cloud syncing functionality of the application turned off as a consequence.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
849
Aren't Google the ultimate 'man in the middle' already?

Thing is you could actually tolerate Google if all they did was use your data to sell you ads and advertising. I wouldn't care if my data was used to sell me blenders from Amazon or Taylor Swift albums or Marvel movies from Disney. The problem lies in how much data they collect and the high level 'admin' access they have to your email, phone, and search habits.
 

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,396
But some of us don't care what Google does with our data, we just want something that works. For me Chrome just works ,Gmail works. It would be a cold day in hell before I ever used a Apple product.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
849
But some of us don't care what Google does with our data, we just want something that works. For me Chrome just works ,Gmail works. It would be a cold day in hell before I ever used a Apple product.
You have a point and I agree it works 99.9% of the time, but you don't know who has access to their data and what or if ever use it will be in the future. I could care less for targeted advertising or ads in Google Android or their software. It's who else has access or can gain access and what intentions they have with my data.

As I've said before 'do I trust Google for security'? Yes! 'For privacy'? No!
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,866
You have a point and I agree it works 99.9% of the time, but you don't know who has access to their data and what or if ever use it will be in the future. I could care less for targeted advertising or ads in Google Android or their software. It's who else has access or can gain access and what intentions they have with my data.

As I've said before 'do I trust Google for security'? Yes! 'For privacy'? No!
Individuals’ data is largely worthless unless you are implying google employees going rogue and acting in malice. In which case sue them and retire happy.

Also, unless you own the servers and the entire chain there are no guarantees to your privacy. A lot of the ‘privacy’ focused companies have just as big of a risk with less accountability. You have no guarantee they are actually doing what they say.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top