Monday, 16 June 2014

Lenovo S650 with android 4.4.2 and google authenticator (Part 3)

The first part of the series documents the process of upgrading Lenovo S650 from the original 4.2.2 ROM to the new VibeUI ROM which is based on KitKat 4.4.2 and MyUI. The second one documents Google Authenticator issues and a viable alternative. This post lists a few other issues I ran into during the first days of using the new ROM.

Bluetooth file transfer facepalm

I wanted to transfer my updated KeePass database .passwords.kdb to my phone from my thinkpad, but received an error telling me the transfer has failed. After a few attempts I found my thinkpad shows the phone disconnected after the first attempt. Bluetooth file transfers were working fine with Lenovo S650 4.2.2 ROM. To eliminate the possibility that a software update broke bluetooth on the thinkpad, I quickly verified that file transfers are still working between my old Samsung Galaxy Y and my thinkpad.

Apparently, I went down into the garage to check that the phone properly connects to my car radio - not being able to issue and receive calls from within my car would have been a major issue and a show stopper. As everything seemed to be just fine, way more stable compared to Samsung Galaxy Y, I returned upstairs to my thinkpad.

After further experiments I found that the thinkpad shows my phone disconnected after around 30 seconds, whether I attempt to initiate file transfers or not. This seems to be a feature and not a bug, a consequence of bluetooth low energy that was not present in the previous 4.2.2 ROM but is included in android 4.4 (4.3+ to be precise).

I have narrowed down the experiments and found the root cause: a stupid bug on the phone prevents me from transferring hidden files (file name starting with a period) to Lenovo 4.4.2 - I have simply renamed the file and successfully sent it to my phone. As I do not have other KitKat devices handy, I cannot test if this is local to Lenovo or a generic android "feature". This limitation is definitely not imposed by the OBEX protocol.

Google Maps 8.1.0 crashing

On the 7th of June, I updated Google Maps to 8.1.0 but later that day found navigation crashing after one or two minutes of operation. As I was on the road (driving) I did not have time to investigate the issue in depth. I have relaunched the application, after the next crash I forcefully stopped the application, later I even rebooted, and purged all application data, but none of these seemed to help in the long run. The issue seemed to be isolated and only affect navigation mode, so I was still able to use Maps, but with much degraded functionality - using directions without navigation and memorizing.

I had to take a pit stop, and purged the application completely, then reinstalled version 8.0.0 which I had backed up on my microSD card. This version is working without a glitch, I just have to ensure not to update to 8.1.0... First I thought there might be an issue with the stock Lenovo VibeUI / 4.4.2 ROM that only comes to surface with this new version of Maps. My recent experience with Google made me decide not to invest more time into tracking down the root cause. Version 8.0.0 serves me well, I decided to stay on this version for a while.

Later that day I have googled to check if others are having issues with 8.1.0, and found a thread on xda-developers that perfectly describes my observations. The posts do not contain any solution or detailed investigation. The fact that this issue was observed on a Lenovo 850 ROM made me wonder again if this issue was Lenovo specific... I have also checked recent comments on Maps on Google Play and found many complaints about the recent update, but as the comments do not include the brand/model of the device, this did not help me further.

The bottom line is, going further into investigating the issue with 8.1.0 does not fit into my current schedule and I will stick to 8.0.0 until I find time and motivation to investigate.

Lenovo S650 with android 4.4.2 and google authenticator (Part 2)

The first part of the series documents the process of upgrading Lenovo S650 from the original 4.2.2 ROM to the new VibeUI ROM which is based on KitKat 4.4.2 and MyUI. This post lists a few issues I ran into during the first days of using the new ROM.

Google Authenticator issues

I have been using Google Authenticator's time based one-time passwords as a second authentication factor for a few very critical applications for a rather long time. After my recent update, I noticed that I was unable to log in to a critical service as the verification code was rejected. First I thought there must be some sort of time synchronisation issue, so I synchronised the clock from within Google Authenticator application but my authentication attempts were being rejected. I deleted the configuration and re-imported the secret key, however, this did not help.

Needless to say, after a few attempts I was rather nervous as I was under time pressure and worried about my stash... The same version of the application, 2.49, was working flawlessly before the upgrade so I was initially rather sure the error is somewhere on my side. Rather than falling into panic, I quickly searched and found my old Samsung Galaxy Y (android 2.3.6), where the same version, 2.49 was already installed, deleted the old configuration and carefully typed in the base32 representation of my secret key, making sure I do not mix up 0 with O and 1 with I respectively. (At this point I would like to draw attention to Base58 encoding which has an alphabet built with humans in mind, and does not contain characters which are easy to mix up...)

To my surprise I could log in using Google Authenticator on the Samsung device. After taking care of my time sensitive task and calming down, I continued searching for the root cause. The RFC6238 TOTP security token calculation used in Google Authenticator is very simple and publicly available, it only depends on the following two inputs:

  • The shared secret. First I double and triple checked the shared secret was the same on both devices. I gathered definitive evidence by peeking into the SQLite database located at /data/data/com.google.android.apps.authenticator2/databases/databases first via a hex editor, then via sqliteman on my thinkpad. Here is the catch, one can only do that on a rooted device. And definitely, from time to time, one might find himself in a situation where root access is needed for a legitimate purpose...
  • The number of 30 second periods elapsed since the Unix epoch which is based on system time. Although I have synced both devices and the timezone was also the same, I kept getting different tokens on the two devices. I experimented with the timezone settings, changing locale settings and manually setting different timezones but it did not help.
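The two inputs listed above can be checked independently of any phone. The following is an added example, not code from the original post or from Google Authenticator or FreeOTP: a minimal RFC 6238 (HMAC-SHA1) implementation plus a hypothetical helper, `find_step_offset`, that tells whether a code shown by a device corresponds to some nearby time step (clock skew) or to none at all (wrong key or a different algorithm). The secret used in the test is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the period named in the post


def decode_secret(b32: str) -> bytes:
    """Decode a typed-in base32 secret, tolerating spaces, case and missing padding."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    # The RFC 4648 base32 alphabet is A-Z and 2-7; other characters raise binascii.Error.
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30 s periods since the Unix epoch.
    Unix time is timezone-independent, so timezone settings do not enter here."""
    return hotp(key, unix_time // STEP, digits)


def find_step_offset(key: bytes, observed: str, unix_time: int, window: int = 120):
    """Hypothetical diagnostic: return the offset, in 30 s steps, at which
    `observed` would be a valid code, or None if no step within +/- window
    matches (then clock skew is not the explanation for a rejected code)."""
    base = unix_time // STEP
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = base + delta
        if counter >= 0 and hmac.compare_digest(
            hotp(key, counter, len(observed)), observed
        ):
            return delta
    return None
```

Feeding it the secret read from the database, the code displayed on the device and the current Unix time separates "the device clock is off by N steps" from "the device is not computing standard TOTP over this key".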

I decided to study the source code - the algorithm is rather simple and both inputs were known to be the same, yet the results were different. The source did not contain any magic, but at the same time I noticed the latest tag in the source repository was 2.21 whereas on both of my devices I had 2.49 - that was at least a bit suspicious. On the project page I found the following disclaimer: "This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."

I went on and found FreeOTP, a real open source implementation forked from Google Authenticator 2.21, maintained by Red Hat. After taking a look at the source, I have installed it onto my S650 and imported my shared secret. Success. Open source rules. I uninstalled Google Authenticator.

Having found a working, very nice, true open source alternative, I have lost motivation to investigate further by decompiling Google Authenticator - unfortunately, I am rather busy these days with my primary duties. My hypothesis, without any proof, is the following: Version 2.49 of Google Authenticator might include some JNI based crypto-acceleration, or something else outside of the Java/Dalvik core libraries, that is not part of any standard, is not documented, therefore not included or works a bit differently in Lenovo ROM. Please leave a comment if you can prove or confute it.

Read on for other issues I encountered in the first few days. Of course, resolution or at least a workaround is provided where applicable.