Hi Nathaniel - have not gotten a response to this message I posted last week, but based on your response to another post this week it sounds like you are concerned about adding import/export due to the security risk of someone getting your phone and exporting your tokens without you knowing. It also sounds like you are working on adding fingerprint support (great idea). If you will now be authenticating users via fingerprint I assume this also means you will be storing tokens encrypted on the device? If so do you plan to have a single encrypted file or continue to use a per token preference? If you do use the single file approach that could also serve as your export/backup/import file (assuming you did not encrypt it with anything device specific). Seems like this could be a good route to go as it would solve both your concern and the issue raised by many FreeOTP users to allow for secure backup and transfer of tokens to a new device.


On Tue, Nov 3, 2015 at 8:36 AM, toddfas <toddfas@gmail.com> wrote:
Sent this email yesterday but it never got posted. Trying again without the attachment to see if that is blocking it. 

You can also view the changes here (ignore the *.iml and .idea/* changes):

On Mon, Nov 2, 2015 at 9:09 AM, toddfas <toddfas@gmail.com> wrote:
I transferred to a new phone a few weeks back and was reminded once again about how much of a pain it is to set up all of my OTP tokens again (9 accounts in total). I was previously using Google Authenticator but found FreeOTP recently and decided to switch to it since I was starting from scratch. Nice app and thanks for all of the work putting it together. I liked the fact it is entirely offline and does not try to do too much (à la Authy).

Export and import was the one feature I found to be missing (and based on the Google Play store comments a number of other people agree). While I am not an Android developer, I had some time this weekend and decided to take a shot at implementing it. The primary target use case is backing up tokens on one phone to external storage so they can be stored somewhere safe and eventually imported onto a new phone.

Changes consist of:
- a new export and import menu option created by the About menu
- when you pick export you are prompted to enter an encryption passphrase
- a JSON array of the tokens is generated
- the JSON array is encrypted with the passphrase provided 
  - library provides AES 128 encryption with salt and HMAC authentication
- the encrypted contents are Base64 encoded and written to a specific file on external storage (ctx.getExternalFilesDir(), "tokenBackup.txt")

Import process is the reverse:
- choose import menu option
- enter decryption passphrase
- decrypt contents from same file location (assuming file exists or has been restored to same location)
- call TokenPersistence.add() for each token - will skip any existing matching tokens

Would be interested in getting feedback on this and see if it is something that the team would consider incorporating. I've attached a patch file.
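
The export and import steps listed in the message above, sketched as an added example; this is not the code from the patch or from FreeOTP. The post does not name the encryption library, so the sketch uses the JDK's `javax.crypto`, and the key derivation (PBKDF2-HMAC-SHA256, 100,000 iterations), the CBC mode, the blob layout and the names `TokenBackup`, `export` and `restore` are all assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class TokenBackup {
    // Assumed, not from the post: PBKDF2-HMAC-SHA256, AES-128-CBC, HMAC-SHA256; blob = salt | iv | ciphertext | mac.
    static final int ITER = 100_000, SALT = 16, IV = 16, MAC = 32;
    static SecretKey[] keys(char[] pass, byte[] salt) throws GeneralSecurityException {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(pass, salt, ITER, 384)).getEncoded(); // 16 B AES + 32 B HMAC
        return new SecretKey[] {new SecretKeySpec(k, 0, 16, "AES"), new SecretKeySpec(k, 16, 32, "HmacSHA256")};
    }
    static byte[] tag(SecretKey key, byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data);
    }
    static String export(String json, char[] pass) throws GeneralSecurityException {
        byte[] head = new byte[SALT + IV]; // fresh random salt and IV for every export
        new SecureRandom().nextBytes(head);
        SecretKey[] k = keys(pass, Arrays.copyOf(head, SALT));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k[0], new IvParameterSpec(head, SALT, IV));
        byte[] ct = c.doFinal(json.getBytes(StandardCharsets.UTF_8));
        byte[] body = ByteBuffer.allocate(head.length + ct.length).put(head).put(ct).array();
        byte[] out = ByteBuffer.allocate(body.length + MAC).put(body).put(tag(k[1], body)).array(); // encrypt-then-MAC
        return Base64.getEncoder().encodeToString(out);
    }
    static String restore(String b64, char[] pass) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(b64);
        int end = in.length - MAC;
        if (end < SALT + IV + 16) throw new GeneralSecurityException("truncated backup");
        SecretKey[] k = keys(pass, Arrays.copyOf(in, SALT));
        // Check the MAC in constant time before decrypting anything.
        if (!MessageDigest.isEqual(tag(k[1], Arrays.copyOf(in, end)), Arrays.copyOfRange(in, end, in.length)))
            throw new GeneralSecurityException("wrong passphrase or modified backup");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k[0], new IvParameterSpec(in, SALT, IV));
        return new String(c.doFinal(in, SALT + IV, end - SALT - IV), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String json = "[{\"label\":\"alice\",\"secret\":\"CONSTRUCTED\"}]"; // constructed sample token array
        String blob = export(json, "correct horse".toCharArray());
        System.out.println(restore(blob, "correct horse".toCharArray()).equals(json));
        try { restore(blob, "wrong".toCharArray()); }
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because nothing in the blob is tied to the device, the same Base64 text can be restored on a new phone, and a wrong passphrase or an edited file fails the MAC check before any decryption is attempted.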