22 Mar

Google Authenticator, an important security tool that enables 2-step verification for your Google account, has racked up over 250,000 downloads over its lifetime, which is no small feat for any app in the Play Store. However, a few days ago, that version (previously available here) all of a sudden became obsolete and was consequently silently deleted.

Its replacement, which can be found here, bears version 2 (2.15 to be exact) and offers the following changelog:

  1. New entry for Google Play, same great app
  2. Updated look and feel
  3. "Scan barcode" and "Manually add account" options moved to Menu > Add account.

The problem, however, is that this app is completely disconnected from its predecessor, which means you'll need to proactively install it and then remove the previous version. If you really want to get technical, the new app's pname (program name) is com.google.android.apps.authenticator2, while the old one was com.google.android.apps.authenticator.

If you install v2 before uninstalling v1 and then run it, you'll be prompted with a dialog to migrate the tokens and then offered to uninstall the now outdated version. That's all fine, but why was a separate app needed in the first place? The differences are minor, and the resulting confusion definitely doesn't justify creating a whole separate Play Store entry. I wasn't the only one confused about it either.

The only explanation I can offer is that someone at Google messed up and misplaced the password to the signing key, which forced them to generate a new key and made updates impossible. Or the password got compromised. Either way, someone done goofed, and the fact that the new app indeed uses a different key supports this conjecture (thanks for double checking that, Justin).

This concludes the PSA. You will find the link to the new app below - remember, if you don't install it, you will not get future updates.


Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • http://iamandroid.com Eric Richardson

    Rule #1 of Android fight club: Stay out of the UI thread.
    Rule #2 of Android fight club: STAY OUT OF THE UI THREAD.

    Rule #3 of Android fight club: Protect your keystore with your life.

    Methinks Google failed on #3.

    • http://www.AndroidPolice.com Artem Russakovskii

      I should frame this.

  • Justin

    future updates of what?

    • http://www.AndroidPolice.com Artem Russakovskii

      ... of the Google Authenticator app.

    • Mario

      The Google Authenticator app itself

    • Tee

      Give a noobie a chance. What is this app for? Does everyone have it/need it? What? How? Why?

      Another, added, chapter in the article would serve us all.

  • hyperbolic

    Obey my barcode!

  • Ed

    I just updated mine, no such issues as described above. It just told me that my details had been transferred to the new app and I should uninstall the old one, then presented me with the option to uninstall and I did.

    When subsequently logging in on the web it worked with no issues... so what exactly is the problem here Android Police?

    • http://www.AndroidPolice.com Artem Russakovskii

      How did you update if the app was deleted? You mean you installed the new app v2 and ran it, which then transferred your keys and offered to uninstall?

  • Adam

    We will prob never know why they didn't upgrade the existing app, like you pointed out, but at least they made the new version pretty flawless for the upgrade (in terms of migrating data, uninstalling, etc.).

  • Christopher

    Stupid question: can I sign up for two-step authentication without giving them a phone number?

    The video shows a drop-down where you can choose SMS or a smartphone app.

    But when I try it, SMS is my only choice (I'm in Germany)...

    • Shank

      If I recall correctly, there should be an option to use the app on some screen after that.

      • Ed

        The SMS is to verify you're in possession of the phone and the code is to pair the app with your online login.

  • David, Chandler, AZ

    Quick and painless. Install the new and it uninstalls the old.

  • ansong

    Am I "special"? The new app just opened and gave me the option to scan a barcode or enter an account manually. It did not import the data from the old version and offer to then uninstall it. Now I have two authenticators.

    • ed

      I have the same issue, and I can't figure out how to get the barcode or key to add my existing account.

      Any clues?

    • ADWolf

      Same Issue Here -- Never prompted to import the existing settings / key

    • j3m

      I am also having this problem. The only thing I can think of is that I didn't update the old app when they added the export code (mine is showing version 0.73). Unfortunately, the old app can't update anymore since it has been removed.

      So it seems that I have no way of importing the accounts into the new app.

  • Jake

    It's crap like this that causes me to lose confidence in Google and Android and to consider switching to another mobile OS. Plus, if Google can't even update all of its own apps to the new ICS development standards and make them all tablet-optimized, why are they surprised when other devs don't?

  • http://jon.oberheide.org Jon Oberheide

    Folks, this looks like a planned migration and not a loss of signing keys.

    Normally, apps can share data via the "shared uid" support in Android. However, this is only available to apps signed with the same signature.

    I took a quick look at both apps and turns out they're not using shared uids (which obviously wouldn't work anyway since they're different app signatures).

    However, I did notice that the old app recently added some export support. So the new app can query the exporter service of the old app to extract the TOTP secrets. This sure sounded dangerous, so I dug into the app a bit. Turns out, the exporter authorizes based on the package name (spoofable), but also the expected signature of the new app, so no go on unprivileged malicious apps snarfing your TOTP creds. That is, unless you also have a Binder bug that allows you to spoof your app's uid some way in its request. ;-)

    Again, the migration from the old app to the new one appears to have been planned and not a matter of lost/compromised signing keys.

    Let's try less panic, more actual looking at the code. :-P
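
The caller check described in the comment above (package name plus expected signing certificate), written out as an added example; it is not part of the original comment and not code from either Authenticator app. The class, method and constant names are hypothetical, and the pinned digest is a placeholder.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper for an exporting service; all names are assumptions. */
public final class CallerVerifier {
    // Package name of the new app, as given in the article.
    private static final String EXPECTED_PACKAGE =
            "com.google.android.apps.authenticator2";
    // Placeholder: SHA-256 of the expected signing certificate (32 bytes).
    private static final byte[] EXPECTED_CERT_SHA256 = new byte[32];

    private CallerVerifier() {}

    /** Call from inside the Binder method that serves the export request. */
    public static boolean isTrustedCaller(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        // The uid comes from the Binder driver, not from the caller's arguments.
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        // Reject shared uids: any package under that uid could be the caller.
        if (pkgs == null || pkgs.length != 1) return false;
        // The name is only a lookup key; any developer can choose it.
        if (!EXPECTED_PACKAGE.equals(pkgs[0])) return false;
        try {
            // GET_SIGNATURES matches the era of the article; API 28 and later
            // offer GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo.
            PackageInfo info =
                    pm.getPackageInfo(pkgs[0], PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Require exactly one signer so an extra certificate cannot ride along.
            if (sigs == null || sigs.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(sigs[0].toByteArray());
            // Constant-time comparison against the pinned certificate digest.
            return MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException
                | NoSuchAlgorithmException e) {
            return false; // fail closed
        }
    }
}
```

Binder.getCallingUid() is only meaningful while the incoming transaction is being handled, so the check belongs in the service method itself, not in onBind().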

    • http://www.pretentiousname.com Leo Davidson

      If they planned it, they didn't plan it very well.

      Why do we have to manually look for and install a new app to update the old one?

      If I didn't read this website, I wouldn't even know there was an update.

      For a managed/packaged app platform, Android and Google still really need to get their s**t together.

      • Jake

        I agree 100%. The description of neither version in the Play Store gives instruction or explanation of this migration. Plus, when I did a search in the Play Store for "Google Authenticator", it was the third item in the list of results! The other items didn't even have Google in the title! I'm losing confidence in Android if the search giant can't even get its own app to show up when I use the exact title.

        • Rivas

          I didn't know about the app either, but when I had to use the app again because the website requested me to update my code, the old app told me to update. Just following the link, I installed the new one, which detected the old one, migrated my data and offered me to uninstall the previous one.

          I don't understand why they did this, but it looked well planned and well executed in my case.

  • Haha

    Not working on my SGSIII. That's why we test them.

    • http://www.AndroidPolice.com Artem Russakovskii

      Care to back this statement up? :P

  • Esteban

    I turned on 2-step sign in and installed the app and my EVO 3D started acting stupid and every time I went to use my Gmail app my account scrolling over and over non stop. Also on my Transformer now it freezes the Gmail app every time I go in it. Anybody else experiencing something similar?

    And yes I did follow the instructions for using the app specific password.

  • Shai

    This appears to only be true for Android. I have this app in iPhone but only version 1.x.x.x from July 19, 2011 is available. If a key issue, then I have great concern iPhone users do not have an update.