Two factor authentication (2FA) is an amazing invention. It can significantly increase the security of your online accounts without significantly increasing the hassle of logging in. Popular 2FA algorithms are available in both free software and proprietary

This weekend, I reverse engineered Symantec's proprietary 2FA token solution with the goal of creating a free software

Why did I do this? Well, like many people in the world, I use PayPal to send and receive money. To protect the security of my account, I use 2FA. When you use 2FA, the service provider presents a barcode to you that you can scan with any one of a number of applications (Authy, Duo Mobile, FreeOTP, Google Authenticator, etc.).

Symantec Validation and ID Protection Service (formerly Verisign Identity
of managing a database of user tokens, so they went with Symantec's managed

My problem with this is that, while I can use Authy for all of my other accounts, I need to use the VIP Access app for PayPal only.

- Having multiple apps that do essentially the same thing seemed inefficient.
- The VIP Access app for iOS is pretty ugly (in my opinion).
- I would prefer to have all of my tokens generated with one.

Since it appeared as though no one else had done so, I decided to reverse engineer Symantec's VIP client myself.

I originally started working on this project around this time last year. I worked on it on and off for a few months, but I never made much progress. This was partially due to the fact I was attempting to de-obfuscate a heavily
I eventually got tired of that project and set

That "rainy day" came earlier this year when I saw this post, in which someone reversed their bank's obfuscated Android 2FA application in order to create a hardware token for it. Interestingly enough, the obfuscation used in that application was strikingly similar to the kind I found the VIP Access Android app using. Despite this newfound knowledge, I was still unable to deobfuscate many of the important portions of the application.

I still thought that VIP Access used a proprietary algorithm to generate one

Earlier this month, I found this script, in which I learned that VIP Access didn't use a proprietary algorithm to generate the tokens.
learned that Symantec had released VIP Access applications for OS X and
While this token extractor would have almost fit my needs, I really didn't want to have to rely on Symantec's proprietary client in order to
Plus, this script only works on OS X, so Linux and Windows users would be unable to extract their keys.

recently-purchased disassembler (Hopper), I downloaded the VIP Access application and got to work.

Process Analysis of the Client-Server Communications

I started by opening the VIP Access application. The
indicates that the program is "Activating VIP Access".
if the program was calling out to some server to activate, so I fired up

Here's an example of a provisioning request made by the application that would