Tutanota Mail Bad Secret #777

Closed
umitseyhan75 opened this issue Jun 15, 2021 · 19 comments
Labels
bug A bug report


@umitseyhan75

Info
  • Version: 2.0
  • Source: Google Play
  • Vault encrypted: No
  • Device: Nokia 8 (TA-1012)
  • Android version and ROM: Android 9 / 1 October 2020 Security Patch
Steps to reproduce
  1. Click red plus button
  2. Select QR Code option
  3. Taking the image of produced QR Code
What do you expect to happen?

Getting the secret code.

What happens instead?

Bad Secret Error

Log
com.beemdevelopment.aegis.otp.GoogleAuthInfoException: Bad secret (java.lang.IllegalArgumentException: com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: 0x130)
@umitseyhan75 umitseyhan75 added the bug A bug report label Jun 15, 2021
@alexbakker
Member

I just created a Tutanota account to test this and Aegis is able to scan the QR code that is presented. Are you trying to scan a QR code generated by Tutanota, or did you generate one yourself?

@umitseyhan75
Author

umitseyhan75 commented Jun 15, 2021

I scanned Tutanota's QR code that was generated on their web site. I mean, I used my phone to scan my laptop's screen. Now I tried the Android app of Tutanota and there was an option like "add to auth app". I am not using the English version of the app so I do not know the exact same sentence there. And I successfully added the secret code to Aegis this time.
Can you please try to add it from their web site as I did to be sure?

@alexbakker
Member

> Can you please try to add it from their web site as I did to be sure?

That's exactly what I did.

@umitseyhan75
Author

Is there any other information that I can provide to you to address this issue on your side?

@alexbakker
Member

If you could, provide us with an example Tutanota QR code that makes Aegis exhibit the issue when scanned. Make sure it's not valid anymore for any valuable accounts, though.

@umitseyhan75
Author

Adsız

@alexbakker
Member

Aegis is able to scan that QR code on my device.

@umitseyhan75
Author

Is there any other thing I can do?

@alexbakker
Member

Can you install a debug APK (https://alexbakker.me/u/iy7igkgs4n.apk), capture a log with ADB (see: https://github.com/beemdevelopment/Aegis/blob/master/CONTRIBUTING.md#capturing-a-log-with-adb) while you try to scan the QR code and share the log here?

@umitseyhan75
Author

umitseyhan75 commented Jun 20, 2021

The PC terminal gives me this: "pid $(adb out of range" when I try to use:

adb logcat --pid=$(adb shell pidof -s com.beemdevelopment.aegis) > debug.log

@alexbakker
Member

alexbakker commented Jun 20, 2021

Just try the following then:

adb logcat > debug.log

@umitseyhan75
Author

Here is the file.
debug.log

@alexbakker
Member

alexbakker commented Jun 20, 2021

Thanks. Looks like the QR code decodes correctly on your device as well. So I really don't know what's going on here. When do you get the error dialog, exactly? Right after scanning the QR code, or when trying to save the new entry?

@umitseyhan75
Author

Right after scanning the QR code, a message pops up like "an error has occurred".
ss

@alexbakker
Member

I'm wondering if this has something to do with your locale. What happens if you set the language of your device (and Aegis) to English and try to scan the QR code again?

@umitseyhan75
Author

umitseyhan75 commented Jun 23, 2021

I changed Aegis's (not the dev one) language to English, but not the system language, and tried to scan again. And yeah, it works like a charm.
Edit: I do not know if this is a problem specific to Turkish or to non-English languages in general. I tried some other languages too and they also seem to work. Can you please confirm that Turkish causes this error on your side too?

@alexbakker
Member

So this is a pretty bizarre bug. We're upper-casing the secret before passing it to the base 32 decoder. But because Java's toUpperCase() method acts differently depending on which locale is set, the secret will become invalid base32 if it contains an i and Turkish is set as the locale.

return BaseEncoding.base32().decode(s.toUpperCase());

I've fixed this in 327b7cc. Could you double check that this fixes the issue for you as well? The following APK will install beside your regular Aegis installation, so that nothing gets overwritten while testing: https://alexbakker.me/u/d018oc7sri.apk.
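
The locale dependence described in the comment above can be reproduced outside Aegis. This is an added example, not code from the Aegis project: the small base32 decoder stands in for Guava's BaseEncoding, the secret is constructed, and `Locale.ROOT` is shown as one locale-independent form, not as the content of commit 327b7cc, which this page does not show.

```java
import java.util.Locale;

public class LocaleUpperCaseDemo {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Minimal unpadded RFC 4648 base32 decoder; a stand-in for Guava's BaseEncoding.
    static byte[] base32Decode(String s) {
        byte[] out = new byte[s.length() * 5 / 8];
        int buffer = 0, bits = 0, pos = 0;
        for (char c : s.toCharArray()) {
            int v = ALPHABET.indexOf(c);
            if (v < 0) {
                throw new IllegalArgumentException(
                        "Unrecognized character: 0x" + Integer.toHexString(c));
            }
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) {
                bits -= 8;
                out[pos++] = (byte) (buffer >> bits);
                buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
            }
        }
        return out;
    }

    // The pattern quoted in the issue: upper-casing with the JVM default locale.
    static byte[] decodeDefaultLocale(String secret) {
        return base32Decode(secret.toUpperCase());
    }

    // Locale-independent upper-casing: 'i' always maps to ASCII 'I'.
    static byte[] decodeRootLocale(String secret) {
        return base32Decode(secret.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String secret = "jbswy3dpehpk3pxi"; // constructed sample, not a real secret
        Locale.setDefault(Locale.forLanguageTag("tr-TR")); // simulate a Turkish device
        try {
            decodeDefaultLocale(secret);
            System.out.println("default locale: decoded");
        } catch (IllegalArgumentException e) {
            System.out.println("default locale: " + e.getMessage());
        }
        System.out.println("Locale.ROOT: decoded "
                + decodeRootLocale(secret).length + " bytes");
    }
}
```

With the default locale set to Turkish, the lowercase `i` is upper-cased to U+0130 (dotted capital İ), which is outside the base32 alphabet and is the character reported in the log at the top of this issue.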

@umitseyhan75
Author

Yes. Now it works. Waiting for the next update then.
Thank you for your effort, best wishes.

@alexbakker
Member

Thanks a lot for patiently helping us debug this.

We've tagged v2.0.1, which contains the fix for this issue. Should be live on Google Play shortly.
