My friend Philippe and I spent some time, for our thesis work, looking at how Android authenticator apps protect their secrets. One of the apps we looked at was privacyIDEA Authenticator 4.3.0, and we found that it was possible to hook into one of its functions to observe the app’s crypto routines and read decrypted OTP seeds directly from memory.
What is hooking?
Hooking is a technique that lets you observe or intercept what an app does while it’s running.
It’s often used for debugging or performance testing, but it can also be misused by attackers with local access to extract sensitive data or modify behavior. On Android, this typically means using runtime instrumentation or libraries that can attach to the app’s process and monitor specific function calls.
How I checked this
On a rooted test device, I used a runtime instrumentation tool to monitor how the app handled its cryptographic functions. While doing so, I could confirm that decrypted OTP seeds were present in memory at specific points. I didn’t modify or leak anything further.
This behavior means that anyone who already controls the device at the root level could hook those same functions, extract the OTP seeds, and generate valid codes for enrolled accounts. So already-enrolled OTPs are at risk. It breaks the trust in the 2FA process if the device itself is compromised.
Impact
Local privilege → OTP seed disclosure → valid codes → 2FA bypass.
| CWE ID | Name | Explanation |
|---|---|---|
| CWE-922 | Insecure Storage of Sensitive Information | The OTP seeds are stored or handled in memory in a way that allows exposure. |
| CWE-522 | Insufficiently Protected Credentials | The decrypted OTP seeds are credentials used for authentication and are not adequately protected. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The decrypted secrets can be accessed by a local attacker once they gain elevated access. |
Affected versions
privacyIDEA Authenticator 4.3.0 (tested on Android 11).
At the time of writing, no fixed version was available.
Mitigation
Assume 2FA is compromised if the device is compromised at the root level.
If possible, enforce device-integrity checks in your environment (MDM, Play Integrity API, etc.).
For stronger protection, use hardware-backed keys or external tokens instead.
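One way to implement the "hardware-backed keys" mitigation, as an added example written for this post and not code from privacyIDEA Authenticator: the OTP seed is imported into the Android Keystore at enrollment and the HMAC for each code is computed by the Keystore, so the app process never holds the raw seed after import. The class and method names are my own; the alias and seed bytes are caller-supplied placeholders.

```java
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;
public final class KeystoreTotp {
    private static final String PROVIDER = "AndroidKeyStore";
    private static KeyStore keyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        return ks;
    }

    // Enrollment: import the raw seed once. This is the only moment the plaintext
    // seed is in app memory; afterwards the Keystore holds it and it cannot be exported.
    public static void enrollSeed(String alias, byte[] seed) throws Exception {
        SecretKey key = new SecretKeySpec(seed, KeyProperties.KEY_ALGORITHM_HMAC_SHA1);
        KeyProtection protection =
                new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build();
        keyStore().setEntry(alias, new KeyStore.SecretKeyEntry(key), protection);
        Arrays.fill(seed, (byte) 0); // wipe our copy; the Keystore key's getEncoded() is null
    }

    // Check: was the imported key actually placed in secure hardware (TEE/StrongBox)?
    // isInsideSecureHardware() is deprecated on API 31+ in favor of getSecurityLevel().
    public static boolean isHardwareBacked(String alias) throws Exception {
        SecretKey key = (SecretKey) keyStore().getKey(alias, null);
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    // Code generation (RFC 6238, 30 s step, 6 digits): the HMAC is computed inside the
    // Keystore, so only the 20-byte MAC and the final code are visible to the process.
    public static int generateTotp(String alias, long unixSeconds) throws Exception {
        SecretKey key = (SecretKey) keyStore().getKey(alias, null);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(key); // the provider is selected from the Keystore-backed key object
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(unixSeconds / 30).array());
        int offset = h[h.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
        int binary = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                   | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return binary % 1_000_000;
    }
}
```

The seed still passes through app memory during enrollment, and a root-level hook can still observe the generated codes, so this narrows the exposure rather than removing it. Hardware backing also depends on the device, which is what the isHardwareBacked check is for.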
Discovered by Oliver Bölin and Philippe Van Daele
CVE: CVE-2025-61482
// Oliver