I received my Librem 5 this past Spring. Also, I am required by IT staff where I work to use Microsoft Authenticator on a personal device to log in, and they do not provide me a device for this purpose.
At the time, I discovered that in the fine print below the Microsoft menu to add an “Authenticator App” for Android or iOS, there is a “Use a different Authenticator App” option. Microsoft’s description that follows after clicking that button seriously feels intentionally unhelpful, but among other things they provide the “secret” used by their OTP generator. At the time, I discovered through trial and error that I could save this “secret” to a file on my Librem 5 and then run it through one of the available algorithms on the “oathtool” command-line utility from the Byzantium repo, as a means to generate my OTP keys to log in to work.
I saved which oathtool algorithm it was into a simple shell script and I used that for about the past five months. But recently I was informed of an “upgrade” at work such that the OTP keys are no longer allowed. They’re telling me the only “secure” way to log in is “from a push notification on my phone.” At the same time that I was informed of this, I was also slated to receive my Librem 5 USA which I ordered at the time of the stupid Rossman YouTube drama (to make sure we keep Purism alive, and for fun).
So now this last weekend I had this weird moment of having my expensive Librem 5 USA that should have been my new fun and exciting phone… but instead it was sitting in a box while I had that pit in my stomach, trying to plot how I could win the information war against these tech companies and defeat their security theater and avoid using Android.
This led me down a rabbit hole of unzipping the MicrosoftAuthenticator.apk and poking through it to see if I could find the web endpoint they are using, with the hope of perhaps constructing a GTK app to do the same, so that I would not be stupidly forced away from the freedom to choose Librem 5 as my phone if I want.
But of course, these systems are built with a one-way build pipeline designed to never be looked at down the line. There is also all the Java code in the app for doing the Experimentation on Users in multiple packages (if you want to look it up, Microsoft publicly describes the experimentation packages under the name “ECS”), and the code for how the experiments connect to a domain name registered as Skype in the hope that users don’t figure out what it is… On top of that Java code, there is also a ton of aarch64-specific binaries like “libfb.so” (stands for “libfacebook”) because the app contains a deployment of React Native and all the “dependency hell” comedy that comes with including that. Of course this even included the “react-native-telemetry” from Facebook’s React Native, so Facebook can also monitor when we log into work. And, on top of that, there appeared to be some or all of Chromium in there, although I didn’t check that part too closely. Somehow I personally wouldn’t be surprised if some Google telemetry was included as part of that.
As I looked through this comedic dung-heap that is “only secure way to log in” to my work, despite stressing myself out over these components it is at least conceivable to me that this technology may have been the result of people who believed in what they were doing and did not self-acknowledge themselves as being evil. For example, the Microsoft Authenticator also included a binary .so file for the Azure AI Vision system, which I have not looked up online but absent any research it sounds like something I don’t want in my pocket every single day simply as a requirement for logging in for my job. And yet, someone from my work said they like and use the “Face ID” unlock because they feel it is secure. People could convince themselves it’s a good thing; even the Microsoft devs. But for my own part, I want to be able to exercise my personal right to independent thinking and be able to log in to work without all of that. Or at least without being forced to have an Android or iOS device running in my pocket 24/7 in a world where my Librem 5 exists.
Maybe some of the people here can appreciate my sentiment about how finding Azure AI Vision in there, or seeing how the authenticator includes the Samsung Knox Device Administrator Permission in its list of used Android permissions, combined, all raise my blood pressure to see. Even if we can figure the folks making it believed in what they were doing, when we put it all together, having a work-mandated AI-Vision-based “Device Admin Permission”-using app built using Facebook libs mandated on my life feels like something dystopian. Sure, they say we should never attribute to malice that which can be attributed to apathy – maybe these components do not actually do anything malicious together, and are all just there in case. It’s possible.
But I wanted to be able to use my Librem 5. Along with the new work requirement, I was also told to no longer log into work from whatever device I want and instead use a new work-provided MacBook. So after I was frustrated by attempts to find a web endpoint (Microsoft was receiving an “mfaServiceUrl” inside a POJO wrapper called PendingAuthentication that got the url either from an android.os.Bundle key named “key_pad_host” or from other POJO instances named CheckForAuthenticationRequest or CheckForAuthenticationResponse or something like that), and the frustration of not simply finding a web address where I could wait for a notification and then reply with a secure OTP key, I started to think… Maybe I could settle for some other attempt to virtualize this authenticator in some kind of container that I could use on my terms that didn’t force me into a particular device. That MacBook from work that I’m already required to use has Apple Silicon, so shouldn’t it be able to run iOS apps now? But no, apparently the Microsoft Authenticator for iOS is specifically tagged to not be allowed on MacBooks. So, the MacBook cannot be the secure unlock device for itself.
So then I thought, what about my Microsoft Surface tablet? I still had one of those around. Upgrading it to Windows 11 was a zero-gain thing for the end user as far as I could tell. The upgrade simply made it run more slowly in games and graphical apps. But wasn’t the reason Windows 11 was invented simply to force users to have a secure TPM2 onboard so that Surface could join the Google Android ecosystem and run Android apps directly on Windows while still being able to prove the device was from a preset global list of devices and not an emulator or whatever?
So I went to look at what it would take to get Microsoft Authenticator to run on the Surface – a Microsoft security app on a Microsoft piece of hardware – but unfortunately, the supported way to get Android apps on Windows 11 is only from Amazon Appstore and not from Google Play, because Amazon made a deal with Microsoft for that, and as a result, because Microsoft Authenticator isn’t on Amazon Appstore, we cannot use a Microsoft device as our secure unlock. I considered calling Microsoft customer service and asking them whether I can use my Surface as my authenticator or if Microsoft intentionally doesn’t support Windows for their security app (as if Microsoft itself is telling users not to trust Windows 11 even with the TPM2 nonsense, which is to me very funny), and so amidst all this frustration I decided to see how far I could get with VMs. I have an ancient ThinkPad with PureOS installed and so I tried using qemu to run PureOS. Initially I tried the Librem 5 img but I wasn’t sure how to get that to work, so I switched to PureOS x86_64 inside qemu, but then followed the Waydroid tutorials from PureOS on there and decided to install the Microsoft Authenticator app on there. It turns out, the install command would instantly return and do nothing. But that was when I remembered that all those .so files for the binary libs like Azure AI Vision and the Facebook libraries and React telemetry are only compiled for aarch64.
So, I did it. I decided that with the unopened Librem 5 USA sitting in front of me in a box, I may as well corrupt and taint the ethics of my older Librem 5 by dual booting to a second image of Librem 5 PureOS Byzantium, and then inside the dual boot install Waydroid and run Microsoft Authenticator in there. The first time through I tried the VANILLA system type on Waydroid, which worked well enough to open the Microsoft Authenticator but there was a Microsoft warning that “without Google Play services, some features may not work.” I looked a little at microG but became convinced that to run it, I would need a modified LineageOS ROM and I didn’t feel like bothering to study that in only a weekend.
So, I nuked Waydroid and reinstalled with the GAPPS system type. Compared to the Vanilla Android, this variant seemed sickly and made alert sounds with constant notifications, quite literally making a “wee woo wee woo” sound to tell me that Google does not approve of Librem 5. I would not have wanted to do that, but as I said, I had a new Librem 5 waiting for me after I burned up this one.
So, while my device heated up like a fireball processing all the Google nonsense, I realized that it was possible to install the Microsoft Authenticator APK from an unofficial source anyway, and then observed that the presence of the aberrant Google Play services was enough to satisfy Microsoft, and at this point I was able to log in to work using my Librem 5. Comically, for me this confirmed that it was all security theater, because obviously being able to run this thing in Waydroid and have it work shows that their app is not dependent on any Android equivalent of TPM, or at least not as far as I can tell, given that the Librem 5 has no TPM.
But later that evening, I realized that rather than squelch notifications from Google’s nonsense there was also a way to upload some metadata from the Waydroid install into a Google site to “register” it and this made Google stop whining and even allow the use of Google Play there on Waydroid, which meant I could nuke and reinstall Waydroid and then run a copy of Microsoft Authenticator app from the Play Store itself which I’m sure some Google fan somewhere would tell me was more secure than running a copy of the app from a third party. I also liked to hope that by “registering” with Google maybe they would spend less energy trying to burn my battery on superfluous notifications (that I had turned off).
So, I posted this on the security chat because I wanted to ask if dual booting the Librem 5 into a GAPPS instance of Waydroid, from a security standpoint, would be likely to compromise the hardware of the Librem 5 itself. It turns out, doing this is a fairly effective way to achieve the crap required for my work. I prefer a corrupted Librem 5 to having an Android as a second corrupted device for work, if I am required to have one or the other.
But what if the compromise between “ease” and ideology begins to make me want to put the SD card in the Librem 5 USA and boot the new pure device using the knowingly-compromised work partition? At that point, would Waydroid be likely to embed itself into the firmware? It did look like there was traffic to Google on boot when I used Waydroid LineageOS x86_64 inside a VM, when I did a packet capture. Even on “VANILLA” Waydroid. But I think that makes sense; Google made Android and so it would make sense that they would want their systems to report back to their big AI brain(s) in order to keep tabs on the humans.
But how could I actually be confident that when I take that SD card out of a Librem 5, for example, that this taint would be gone? It even says on the Waydroid Librem 5 guide, as I recall, that Waydroid is not a security boundary. So if some of that stuff in the apps, like “libfacebook”, included a low-level hardware escape to embed itself, wouldn’t it embed into the Librem 5 itself?
My degree was in software-related stuff primarily so I know this may all sound paranoid. But I think in a world where I can buy a Librem 5 USA and then be told by my employer to not use it, society really is that bad. And maybe here on a forum like this, we are the lucky ones who stopped to try to think about it and try to escape even if we may all inevitably fail because evil is too powerful. But, what do we think, does removing that SD card when I want to be alone (or on my own time) really remove the evil?
Thank you all for your time.
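As an added example (not the poster's shell script, and not anything from Microsoft or oathtool): a minimal RFC 4226/6238 generator in Python that does what `oathtool --totp -b SECRET` does with the “secret” shown under “Use a different Authenticator App”. It assumes that secret is base32-encoded (the usual format for that enrolment field; the key used below is the RFC 4226 test vector, not a real enrolment secret) and that the server uses the default 30-second step, SHA-1 and 6 digits.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Normalise the secret as shown in an enrolment UI: drop spaces, ignore case, re-pad.

    Assumption: the enrolment secret is base32 (what oathtool's -b flag expects).
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def codes_for_window(secret: bytes, at: int, step: int = 30) -> list:
    """Previous, current and next codes: the +/-1 step skew most verifiers tolerate.

    Useful when a code is rejected to see whether the device clock is the problem.
    """
    return [totp(secret, at + d * step, step) for d in (-1, 0, 1)]


if __name__ == "__main__":
    # Constructed demo value: base32 of the RFC 4226 test key "12345678901234567890",
    # standing in for the real enrolment secret (read that from a root-only file instead).
    demo = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(demo, int(time.time())))
```

If the printed code disagrees with `oathtool --totp -b` on the same secret, compare the clocks first; with a correct key the two differ only when the phone's time is off by more than a step.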