Android application that prepares an hardware device via USB serial port with a specific password generated deterministically based on three (3) inputs: the
App we want to
User ID used for login (typically an email address) and the
PIN (6 numeric digits) we want to associate with previous inputs.
The hardware being used, during development, is a RPi Pico flashed with a custom firmware. It implements a key derivation function (KDF) that derives deterministic passwords from the given elements and a unique key stored in the ROM.
This app loads the 'hardware key' with the user inputs, and the KDF will derive a password for it. The password is not transmitted back via USB to eliminate a possible attack vector, instead is typed by emulating an external keyboard when the user clicks the physical button on the device.
How to use during Dev
- Install & launch the AryKey app
- Plug in hardware device into the USB port of the phone (OR) Skip the connect screen if you don't have the hardware device yet
- Click on the SnackBar action to jump to the Accessibility settings and enable it if you want the app to auto detect the current/last app in foreground
- Type the
Appname if you haven't enabled Accessibility for this app yet
- Type the respective
User ID(typically an email address) (OR) If you click the dropdown icon it will ask permission to access Contacts so it can suggest your existing email accounts to autocomplete
- Type a 6 digits
PIN(a different PIN will derive a different password)
- Wait for a success or error response* from the communication with the hardware device
At this point, by pressing the hardware button of the device it starts typing the password in the current input field with focus.
*As long the device receives the data in the correct format, it will always return a success code. That means any entered PIN will work, so that we can eliminate another possible vector of attack.
How to use everyday
- Assuming you are in the login screen of a random app, Linkedin app for example, just plug in the device into the USB port and the AryKey app will open automatically with the Linkedin app auto-filled.
- If the first time choosing this app, type your
User IDwhich in this case will be an email address. Following times will be auto-populated, with your last input for this app.
- Type your 6 digits
- Done! (preparing the device)
- UX concept solely with bottom sheets
- Auto launch the app when the hardware device (Raspberry Pi Pico) is plugged in
- Auto detect current/last app in foreground with
- Obtain the list of installed apps in the phone, for user manual selection
- Retrieve device email accounts given permission from user during runtime
- Auto load image associated to given email address, either from Android Contacts or Gravatar API
- Certificate pinning of host
gravatar.comto prevent connections through man-in-the-middle certificate authorities
- Simple hostname check to help preventing man-in-the-middle attacks
- Request PIN input with 6 digits from the user
- Communication with hardware device (Raspberry Pi Pico) via Serial USB
- When app is 'minimised' show notification with status and an action to help jumping back in
- Lottie Animations
- Snackbars with enabled swipe to dismiss
- Dark-Theme support
- Navigate to right fragment when hardware device is plugged in
- Replace hardcoded success event
- Persist encrypted in SharedPref a map of
- Hash PIN+App+Email before sending it over USB serial
- Auto-detect current URL when used with a known browser app
- Parse app domain from package name and use that instead to ensure cross-compatibility
- Migrating LiveData to StateFlow
- Increase test code coverage
- Migrate to Compose UI
- Navigating in Compose
- Add LICENSE
- More TBD
- Dropdown popup background of the
Appinput is broken. Style with rounded corners not being applied and some overlay is occurring.
- Dropdown popup of the
User IDinput have the wrong anchor the first time and its conflicting with the keyboard events.
Padding bottom of the Snackbar is incorrect
Note: Some view & layouts are not fully optimised because they will be discarded soon when migrating to compose UI