Goodbye, Authy

A while ago, I wrote a blog post mentioning that Authy discontinued their desktop app. What I forgot about at that moment was that the Authy Desktop app was one of the easiest ways to export your TOTP secrets and move to another app. Now, easiest does not mean easy. You had to launch the executable from the command line with a debug port as a CLI flag, and then run a script in a separate window. Extraordinarily difficult for normal users, but not that hard for me. They blocked that in a later version of the app, though you could still do it on the previous version.

All that collapsed when Authy blocked logins on their desktop app. Many users had success dumping their tokens using a rooted Android device. I tried that, but Authy detected the custom ROM and refused to sign me in, despite my attempts to work around it. Anyway, even though I didn't even want to leave Authy, they gave me a reason to try to spite the vendor lock-in.

Anyway, I had a thought. What if I attacked the iOS version on my Mac? Well, it looks like someone made a program for it! While the command given in the README didn't work for me, it only took 5 lines of Python for me to find it myself.

import os

# Walk the macOS app containers and print every directory whose path mentions
# both the Authy bundle id and the fsCachedData cache folder.
for root, dirs, files in os.walk("/Users/MYUSERNAME/Library/Containers"):
    for d in dirs:
        path = os.path.join(root, d)
        if "fsCachedData" in path and "com.authy" in path:
            print(path)

Well, I checked, and while there were JSON-formatted files, none of them had the authenticator_tokens key. But wait... if this is the iOS version on a Mac, why don't I just go to that same file on my jailbroken iPhone?

I'm like 85% sure these filenames aren't sensitive, but I'm not gonna take my chances lol

Well would you look at that... 7 files instead of the 4 I found on my Mac. I sent them to my Mac, and searched through them all. Naturally, the authenticator_tokens were in the very last file, just to kill me with suspense. I threw it into the decoder script from the program, and it worked!
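To save searching the cache files by hand, here is an added example (my own, not the program linked above) that automates both checks from this post: walk the container directory like the five-line script does, then parse each file and report which ones carry the authenticator_tokens key, without ever printing the token entries themselves. The sample cache layout, file names and entries are constructed for the demo.

```python
import json
import os
import tempfile


def find_key(obj, key):
    """Recursively check whether `key` appears anywhere in a parsed JSON value."""
    if isinstance(obj, dict):
        return key in obj or any(find_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(find_key(v, key) for v in obj)
    return False


def scan_cache(root, key="authenticator_tokens", must_contain="com.authy"):
    """Walk `root`, parse every file under a path containing `must_contain`,
    and return {path: entry_count} for files whose JSON holds `key`.
    Only paths and counts come back; secrets never leave the function."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if must_contain not in dirpath:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = json.load(f)
            except (ValueError, OSError):
                continue  # binary cache blobs and partial writes are skipped
            if find_key(data, key):
                tokens = data.get(key) if isinstance(data, dict) else None
                hits[path] = len(tokens) if isinstance(tokens, list) else -1
    return hits


def build_sample_cache():
    """Constructed sample: an Authy-like container with a decoy JSON file,
    a binary blob, and one file carrying the key, plus an unrelated app."""
    base = tempfile.mkdtemp()
    authy = os.path.join(base, "com.authy.example", "fsCachedData")
    other = os.path.join(base, "com.other.example", "fsCachedData")
    os.makedirs(authy)
    os.makedirs(other)
    with open(os.path.join(authy, "A1"), "w") as f:
        json.dump({"message": "ok", "devices": []}, f)
    with open(os.path.join(authy, "B2"), "wb") as f:
        f.write(b"\x00\x01not json")
    with open(os.path.join(authy, "C3"), "w") as f:
        json.dump({"authenticator_tokens": [
            {"name": "constructed-1", "encrypted_seed": "PLACEHOLDER"},
            {"name": "constructed-2", "encrypted_seed": "PLACEHOLDER"}]}, f)
    with open(os.path.join(other, "D4"), "w") as f:
        json.dump({"authenticator_tokens": []}, f)  # wrong app, must be ignored
    return base


if __name__ == "__main__":
    for path, count in scan_cache(build_sample_cache()).items():
        print(f"{count} token entries in {path}")
```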

I then modified the program a bit to output a Bitwarden-formatted JSON file, and created a pull request with my changes.

In other news, I installed KeePassXC as my new password manager. The desktop app is... kinda shitty... but the 3rd-party iOS app KeePassium is really nice. I am using Syncthing to keep everything up to date between all my devices, which is a bit finicky on iOS, but I got the hang of it with Möbius Sync. Regardless, the best part about it is this button right here.

screenshot of export button

If I end up hating KeePassXC, I can easily move to some other solution. I also took the opportunity to import my Apple Keychain and Firefox passwords into KeePassXC, just because a unified solution is better, especially if I self-host it. Fuck you Authy, I wouldn't have moved if you had given me an easy Export button.