[Linux-aus] ART FOI review - myGov Code Generator app source code

Adam Nielsen a.nielsen at shikadi.net
Sat Dec 6 20:52:14 AEDT 2025


>   My case is primarily about cybersecurity and "security by
>   obscurity".

Bit of a weird claim they make about security by obscurity.  The
algorithm they use to generate the codes is RFC 6238, so the open source
oathtool utility can be used to generate them.  The hard part is
extracting the secrets from the Android app because they are
obfuscated, but not long after I was forced to set it up I found
instructions online on how to do it[1], for which I am very grateful to
the individual who took the time to post them.

Since then I haven't opened the Android app, I just use a shortcut to
oathtool that generates the myGov MFA code along with all my other MFA
codes, which I can copy and paste into the login page.

It's WAY nicer than using the app, but just a shame it was so much
effort to get the secret out of the app in the first place.  I trust my
Linux server way more than I trust my phone as far as security is
concerned, and I *really* don't want to get locked out when (not if) my
phone breaks.

You say one of the risks is that the tribunal could agree with the
security by obscurity arguments, but this would be surprising given
that there has been no obscurity since at least 2021 when those
instructions were posted.  Like all security by obscurity, it has a
100% failure rate, as someone always figures it out in the end.  This
is just more evidence that security by obscurity never works for long.

The secret I extracted from my phone years ago still works today to log
me in, so since 2021 they've made no effort to change the algorithm,
which tells me the release of this information hasn't affected their
security one bit.  Their concern that the release of this information
would lead to "myGov account compromise" has turned out to be factually
untrue: it is not a hypothetical situation, it has been the case for
a few years now, and nobody has hacked my myGov account yet.

Cheers,
Adam.

[1]: https://gist.github.com/hacker1024/5d0845863e2dced27fd5eebc4ac95a39
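The post above relies on the codes being plain RFC 6238 TOTP, which is why a
generic tool such as oathtool can produce them once the seed is known.  The
following is an added example, not code from the post, from oathtool or from
myGov: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation in Python, with a
base32 entry point that mirrors what `oathtool --totp -b <secret>` does, and a
server-side `verify` helper with a clock-skew window (the one-step window is an
assumption following the RFC 6238 recommendation, not a description of any
particular service).  The key `12345678901234567890` and the expected codes are
the RFCs' own published test vectors, not anyone's real secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter T = floor((unix_time - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def totp_from_base32(b32_secret: str, unix_time=None, digits: int = 6) -> str:
    """Equivalent of `oathtool --totp -b SECRET`: take the base32 seed as most
    authenticator apps export it.  Spaces, lowercase and missing '=' padding
    are tolerated because exported seeds are often formatted that way."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    if unix_time is None:
        unix_time = int(time.time())
    return totp(key, unix_time, digits=digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check (assumed design, not any real service's): accept the
    code for the current step and `window` steps either side to absorb clock
    skew; compare in constant time so timing does not leak partial matches."""
    counter = unix_time // step
    candidates = range(counter - window, counter + window + 1)
    return any(hmac.compare_digest(hotp(secret, c, digits), submitted)
               for c in candidates)


if __name__ == "__main__":
    # RFC 6238 Appendix B test key, as ASCII bytes and in base32 form.
    rfc_key = b"12345678901234567890"
    rfc_key_b32 = base64.b32encode(rfc_key).decode()
    print("8-digit code at T=59 (RFC expects 94287082):", totp(rfc_key, 59, digits=8))
    print("6-digit code via base32 path at T=59:", totp_from_base32(rfc_key_b32, 59))
    print("current code for that key:", totp_from_base32(rfc_key_b32))
```

The 6-digit value at T=59 is simply the last six digits of the 8-digit one,
which is why the RFC 4226 HOTP vectors (counter 1 gives 287082) and the RFC 6238
TOTP vectors (T=59 gives 94287082) agree.  Running `oathtool --totp -b
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ -N @59` produces the same 287082.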
