
Google's Two-Factor Authentication App Pulled From App Store After Broken Update




MacRumors
Sep 5, 2013, 12:24 PM


Google has pulled its Google Authenticator app (http://appshopper.com/utilities/google-authenticator) from the App Store following an update that removes all stored accounts when installed.

The app is used with Google's two-factor authentication service (https://support.google.com/accounts/answer/180744?hl=en) to make logging in to Google accounts more secure.

TechCrunch reports (http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-ios-update-unless-you-want-your-stored-user-accounts-wiped/) that users who don't have a trusted computer will need to reset all their stored tokens on Google that allow other services like Dropbox or Evernote to connect to users' Google accounts.
Updating the app removes all your existing accounts, with users complaining in reviews for the update that they've lost their Dropbox, Google Apps, DreamHost, Twilio, Evernote and other tokens after updating and have been forced to sync each over again. It could leave you locked out of your accounts entirely and forced to contact support for a reset, as Dashlane's co-founder Alexis Fogel tells us is happening with his service, and it's something that will also result in an awful lot of unnecessary busy work to set up things that have already been set up before.

The update points to a larger potential problem with iOS 7, where app updates will download automatically onto iOS devices. MacRumors has heard from several iOS 7 beta testers who lost their account info on Google Authenticator because the update was downloaded automatically when it was released.

iOS 7 users do have the option to revert to the manual update scheme used in prior versions of iOS.

There is no word from Google on when the app will be updated and returned to the App Store. The update also includes a new design with a flat icon to match Apple's iOS 7 look-and-feel.

Google Authenticator is normally available free (http://appshopper.com/utilities/google-authenticator) from the App Store. [Direct Link (https://itunes.apple.com/us/app/id388497605?mt=8)]

Article Link: Google's Two-Factor Authentication App Pulled From App Store After Broken Update (http://www.macrumors.com/2013/09/05/googles-two-factor-authentication-app-pulled-from-app-store-after-broken-update/)



HiRez
Sep 5, 2013, 12:27 PM
We've removed all your accounts to make your iPhone more open. You're welcome.

supmango
Sep 5, 2013, 12:30 PM
This isn't an OS problem. It's a problem with developers not properly testing apps before they are distributed.

LordEntropy
Sep 5, 2013, 12:31 PM
Slightly annoyed that as well as wiping all my accounts it also no longer shows which number it is generating is for which account!

SandboxGeneral
Sep 5, 2013, 12:40 PM
iOS 7 users do have the option to revert to the manual update scheme used in prior versions of iOS.

This will be one of the things I'll be doing when iOS 7 comes to my devices.

DavidLeblond
Sep 5, 2013, 12:44 PM
iOS 7 autoupdated the app for me. Whoops.

All I had to do was to go into Gmail and tell it to change to a different device for 2-factor and just reselected the device.

Rigby
Sep 5, 2013, 12:48 PM
The text of this article is inaccurate. The Authenticator app has nothing to do with allowing "other services like Dropbox or Evernote to connect to users' Google accounts", and it does not "store tokens on Google". It just needs to be re-synced with any accounts that you use it for (e.g. Dropbox, Google etc.).

RoboCop001
Sep 5, 2013, 12:48 PM
Does it erase the data upon install or after you open it? I've updated but haven't opened it yet.

nutmac
Sep 5, 2013, 12:49 PM
More reason to use Authy (http://www.appshopper.com/utilities/authy) or Duo Mobile (http://www.appshopper.com/business/duo-mobile).

My wish is for 1Password to add TOTP generator, freeing me from entering pesky TOTP code altogether.

baryon
Sep 5, 2013, 12:50 PM
Software updates: Ruining everything, every time, for everyone since 2001.

If it ain't broke, don't fix it.

ziggie216
Sep 5, 2013, 12:51 PM
Not a problem for iOS7 users cause previous version of Authenticator already blew away all the entries :mad:

jlgolson
Sep 5, 2013, 12:51 PM
The text of this article is inaccurate. The Authenticator app has nothing to do with allowing "other services like Dropbox or Evernote to connect to users' Google accounts", and it does not "store tokens on Google". It just needs to be re-synced with any accounts that you use it for (e.g. Dropbox, Google etc.).
Depending on how you have to resync the phone, you may have all services previously connected to Google disconnected.

MacBoy88
Sep 5, 2013, 12:54 PM
Use Authy (https://encrypted.google.com/url?sa=t&rct=j&q=authy&source=web&cd=4&cad=rja&ved=0CDwQFjAD&url=https%3A%2F%2Fitunes.apple.com%2Fus%2Fapp%2Fauthy%2Fid494168017%3Fmt%3D8&ei=LcUoUoDNKcbcqAH5-YH4Aw&usg=AFQjCNFdFyOm0NPKG89acMO7gU68Oj38hA&bvm=bv.51773540,d.aWM)...MUCH better :)

Rigby
Sep 5, 2013, 12:54 PM
Depending on how you have to resync the phone, you may have all services previously connected to Google disconnected.
Again, it has nothing to do with services being "connected to Google". The app is an offline one-time-password generator (the codes are generated according to IETF standards). You don't even need a Google account to use it.
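
Added example (not part of the thread, and not Google's code): a minimal sketch of the IETF one-time-password standards referred to above (RFC 4226 HOTP and RFC 6238 TOTP), showing that codes are computed offline from the shared secret carried in the enrollment barcode. `SAMPLE_URI`, the label and the function names are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the kind of otpauth:// URI an enrollment barcode encodes.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Return (label, secret_bytes) from a TOTP key URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    b32 = parse_qs(u.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped padding
    return unquote(u.path.lstrip("/")), base64.b32decode(b32)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now, step=30, digits=6):
    """RFC 6238: HOTP with counter = Unix time // step. No network needed."""
    return hotp(secret, int(now) // step, digits)

def server_verify(secret, submitted, now, window=1, step=30):
    """What the service does: recompute from its copy of the secret,
    tolerating +/- `window` time steps of clock drift."""
    current = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(max(0, current - window), current + window + 1)
    )

if __name__ == "__main__":
    label, secret = parse_otpauth(SAMPLE_URI)
    code = totp(secret, now=59)
    print(label, code, server_verify(secret, code, now=59))
    # A wiped app has no secret, so it cannot produce this code; the
    # account must be re-enrolled (new barcode) or a backup code used.
```
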

Eraserhead
Sep 5, 2013, 01:01 PM
Software updates: Ruining everything, every time, for everyone since 2001.

If it ain't broke, don't fix it.

Except for all the bugs and security issues that are fixed by updates...

Google should be reconsidering their delivery process here for this screwup.

blackcrayon
Sep 5, 2013, 01:02 PM
Not a problem for iOS7 users cause previous version of Authenticator already blew away all the entries :mad:

Not for me, it just wouldn't show which entry belonged to which number. Luckily I only have 3.

Small White Car
Sep 5, 2013, 01:09 PM
iOS 7 users do have the option to revert to the manual update scheme used in prior versions of iOS.


I'd just like it if all auto-updates kept the old app in my phone's memory for 48 hours. Anytime within that limit I can select a "revert to last version" option in the settings.

I feel like these kind of problems usually get fixed in a day or 2 by the developer. Having that option would make me feel safe enough to use the auto-update feature.

Dave-Z
Sep 5, 2013, 01:10 PM
Single, biggest reason I will not be enabling iOS 7 auto updates.

I really do wish 1Password would incorporate this though.

PBF
Sep 5, 2013, 01:13 PM
Big freakin' deal. :rolleyes:

All you, people, had to do was re-scan the barcode found in your account settings and you'd be good to go.

People love to dramatize, I tell ya.

:rolleyes::rolleyes:

rmwebs
Sep 5, 2013, 01:20 PM
Big freakin' deal. :rolleyes:

All you, people, had to do was re-scan the barcode found in your account settings and you'd be good to go.

People love to dramatize, I tell ya.

:rolleyes::rolleyes:

Glad I wasn't the only one thinking this.

curmudgeon32
Sep 5, 2013, 01:29 PM
The update points to a larger potential problem with iOS 7, where app updates will download automatically onto iOS devices.

iOS 7 users do have the option to revert to the manual update scheme used in prior versions of iOS.



Whoa, really? I've had plenty of times I've held off updating an app for one reason or another. This sucks.

----------

Big freakin' deal. :rolleyes:

All you, people, had to do was re-scan the barcode found in your account settings and you'd be good to go.

People love to dramatize, I tell ya.

:rolleyes::rolleyes:

Sure. For your GOOGLE account yes. But you're aware Authenticator works for other accounts too, right? And that resetting their tokens as well can be an annoying, time-consuming task?

fruitpunch.ben
Sep 5, 2013, 01:30 PM
Big freakin' deal. :rolleyes:

All you, people, had to do was re-scan the barcode found in your account settings and you'd be good to go.

People love to dramatize, I tell ya.

:rolleyes::rolleyes:

Yes, but if you don't have a trusted computer, you'll need the code from the (now broken) authenticator app, meaning that you can't get into your account to re-scan the barcode! Of course if you also have a phone number listed on your account (in addition to authenticator), then Google can text or call you with your code.

sulpfiction
Sep 5, 2013, 01:39 PM
This isn't an OS problem. It's a problem with developers not properly testing apps before they are distributed.

Or Apple's app review team approved something they shouldn't have.

Rigby
Sep 5, 2013, 01:42 PM
Of course if you also have a phone number listed on your account (in addition to authenticator), then Google can text or call you with your code.
Google also gives you a set of backup codes that you should store somewhere safe in case you lose your ability to get new one-time passwords. Same for Dropbox and some other services.

iMerik
Sep 5, 2013, 01:46 PM
More reason to use Authy (http://www.appshopper.com/utilities/authy) or Duo Mobile (http://www.appshopper.com/business/duo-mobile).

My wish is for 1Password to add TOTP generator, freeing me from entering pesky TOTP code altogether.
So either of those can just straight up replace Google Authenticator and getting the Facebook code through the Facebook app? If anything, it'd be worth having your sites set up in both apps for occasions like the one in this article.

mitup
Sep 5, 2013, 01:48 PM
Software updates: Ruining everything, every time, for everyone since 2001.

If it ain't broke, don't fix it.

It was broken on iOS 7.

MacBoy88
Sep 5, 2013, 02:01 PM
How do you get into your account without your generated passcode? I think that is what people are freaking out about.

Big freakin' deal. :rolleyes:

All you, people, had to do was re-scan the barcode found in your account settings and you'd be good to go.

People love to dramatize, I tell ya.

:rolleyes::rolleyes:

QuarterSwede
Sep 5, 2013, 02:16 PM
Yes, but if you don't have a trusted computer, you'll need the code from the (now broken) authenticator app, meaning that you can't get into your account to re-scan the barcode! Of course if you also have a phone number listed on your account (in addition to authenticator), then Google can text or call you with your code.
This is why I don't use 2 factor authentication on sites that don't have an alternate backup (email, text, etc.). This was bound to happen eventually.
How do you get into your account without your generated passcode? I think that is what people are freaking out about.
For me the authentication # was texted to me because it was a backup.

Watabou
Sep 5, 2013, 02:27 PM
I use HDE-OTP. Much better looking and works great for me for my Google, Dropbox, and GitHub accounts.

moralneeeick
Sep 5, 2013, 02:55 PM
This article says you cannot disable auto updates in iOS 7. You can - see screenshot...

WordMasterRice
Sep 5, 2013, 02:57 PM
This article says you cannot disable auto updates in iOS 7. You can - see screenshot...
Are you sure?
Google has pulled its Google Authenticator app (http://appshopper.com/utilities/google-authenticator) from the App Store following an update that removes all stored accounts when installed.

The app is used with Google's two-factor authentication service (https://support.google.com/accounts/answer/180744?hl=en) to make logging in to Google accounts more secure.

TechCrunch reports (http://techcrunch.com/2013/09/04/dont-install-the-google-authenticator-for-ios-update-unless-you-want-your-stored-user-accounts-wiped/) that users who don't have a trusted computer will need to reset all their stored tokens on Google that allow other services like Dropbox or Evernote to connect to users' Google accounts.
The update points to a larger potential problem with iOS 7, where app updates will download automatically onto iOS devices. MacRumors has heard from several iOS 7 beta testers who lost their account info on Google Authenticator because the update was downloaded automatically when it was released.

iOS 7 users do have the option to revert to the manual update scheme used in prior versions of iOS.

There is no word from Google on when the app will be updated and returned to the App Store. The update also includes a new design with a flat icon to match Apple's iOS 7 look-and-feel.

Google Authenticator is normally available free (http://appshopper.com/utilities/google-authenticator) from the App Store. [Direct Link (https://itunes.apple.com/us/app/id388497605?mt=8)]

Article Link: Google's Two-Factor Authentication App Pulled From App Store After Broken Update (http://www.macrumors.com/2013/09/05/googles-two-factor-authentication-app-pulled-from-app-store-after-broken-update/)

nagromme
Sep 5, 2013, 03:10 PM
Remember, kids: Google Always Does Cloud Stuff Right, Apple Always Does Cloud Stuff Wrong :p

(Just use Google Reader to keep up with the latest!)

nutmac
Sep 5, 2013, 03:37 PM
So either of those can just straight up replace Google Authenticator and getting the Facebook code through the Facebook app? If anything, it'd be worth having your sites set up in both apps for occasions like the one in this article.

Yup, but you will need to set them up again as Google Authenticator does not let you export/migrate accounts (nor any other apps as far as I am aware of).

Between Authy and Duo Mobile, I strongly prefer Authy as (1) it looks nicer, (2) cloud-based backup, (3) PIN protection, (4) OS X companion app that enters code directly from iOS app via Bluetooth 4.0.

mxt920
Sep 5, 2013, 03:40 PM
Slightly annoyed that as well as wiping all my accounts it also no longer shows which number it is generating is for which account!

I thought so too, but if you click the edit icon (the little pencil in the upper right corner), then you can edit the name of each number and give it a more descriptive title.

NightFox
Sep 5, 2013, 03:53 PM
Google Authenticator is normally available free (http://appshopper.com/utilities/google-authenticator) from the App Store. [Direct Link (https://itunes.apple.com/us/app/id388497605?mt=8)]

Cool, a direct link to something that doesn't exist.... That's, like, far out man :cool:

----------

This article says you cannot disable auto updates in iOS 7. You can - see screenshot...

The article says you can disable them in iOS7 :confused:

Huracan
Sep 5, 2013, 05:04 PM
I think this is probably a feature, not a bug. However, a feature that is pretty inconvenient for users. I have some other token generator applications and I also need to register again after an app update. I guess it is trying to prevent malicious code from supplanting the token generator and starting to send your tokens to the "bad guys". If the app changes then the best thing is to disable all tokens. Inconvenient, but more secure, although it seems to be causing significant problems for people. I was lucky that I had trusted computers for the affected tokens and I could reinstall them.

macintoshmac
Sep 5, 2013, 08:23 PM
This isn't an OS problem. It's a problem with developers not properly testing apps before they are distributed.

Second this. It's surprisingly fickle and narrow-minded to point it to a feature in the OS as cover for lack of developer testing on part of Google for this.

That said, I believe it wasn't meant to be used on iOS 7 anyway right now.. Funny how a front page news poster is ignorant of this fact. Unexpected app behavior is highly possible since (I don't know for sure, taking a guess) no app on the App Store is currently expected or supposed to be compatible with iOS 7.

Automatic updates is a good feature. It should only help push developers further to test before releasing an update and overall help the quality of updates.

dumastudetto
Sep 6, 2013, 02:17 AM
Typical of Google really. This is why I don't use their products or services.

iMerik
Sep 6, 2013, 08:33 AM
Yup, but you will need to set them up again as Google Authenticator does not let you export/migrate accounts (nor any other apps as far as I am aware of).

Between Authy and Duo Mobile, I strongly prefer Authy as (1) it looks nicer, (2) cloud-based backup, (3) PIN protection, (4) OS X companion app that enters code directly from iOS app via Bluetooth 4.0.
Sold!

Pheo
Sep 6, 2013, 09:21 AM
The wordpress plugin I use doesn't have an email/alternative recovery option.

I'm thinking I might turn this off, given the update...

northernmunky
Sep 7, 2013, 02:26 PM
Typical of Google really. This is why I don't use their products or services.
You're telling me you've never done a Google search and you've changed your iPhone default search engine to Yahoo!?

Rigby
Sep 7, 2013, 05:23 PM
A fixed version of the app is now available (2.0.1) and works fine here.