Export from Twilio Authy using Android & root!

In 2020, I was introduced to Authy when I faced repeated blocked login attempts from somewhere in Russia on my Facebook account. Desperate to secure my account, I enabled two-factor authentication (2FA) and needed a way to store my TOTP (Time-based One-Time Password) codes. Authy caught my eye with its user-friendly interface and reliable backup and sync capabilities. Plus, it was backed by Twilio, a reputable company, so it seemed like a solid choice.

Fast forward to March 2024, and the unexpected happened: Twilio deprecated the Authy desktop app & old API endpoints. This move broke scripts that allowed users to export TOTP secrets from Authy using the desktop app or using the deprecated APIs, leaving us without an easy way to retrieve our codes or migrate to another authenticator.

Determined to find a solution, I turned to the Android app for answers. Here's a step-by-step guide on how I managed to extract my TOTP codes from the Authy Android app.

Exploring the Android App

Knowing that the TOTP codes had to be stored somewhere within the /data directory, I realized that accessing this data would require root privileges on my Android device.

I had a spare phone that I had been using for testing custom ROMs, so I decided to log into the Authy app on that device and root the phone using Magisk. A quick disclaimer: rooting your device will void its warranty, and the steps to do so can vary depending on the device. Proceed at your own risk—I'm not responsible for any potential losses.

After successfully rooting the device, I navigated to the preferences directory of the Authy app located at:

/data/user/0/com.authy.authy/shared_prefs/

This directory is only accessible with superuser permissions. Using adb (Android Debug Bridge) from my laptop, I opened a superuser shell and navigated to the directory.

Exploring the Directory

Once inside the adb shell, I listed the files in the directory:

ls -1
FirebasePerfSharedPrefs.xml
SignUpRegistrationPreferences.xml
...
com.authy.storage.tokens.authenticator.xml
com.authy.storage.tokens.authy.xml
com.authy.storage.tokens_config_v2.xml
com.authy.storage.tokens_config_version.xml
com.authy.storage.tokens_grid_comparator.xml
...

Among the files, com.authy.storage.tokens.authenticator.xml caught my attention. Upon examining its contents, I found a JSON string encapsulated within the XML structure:

Extracting the TOTP Codes

The JSON data contained within the XML file had all the necessary TOTP information arranged in an array of objects:

To transfer this file to my system, I had to copy it to the SD card directory since adb pull won't work directly in a privileged directory. Here's how I did it:

Then, from my laptop:

Parsing the Data

With the file on my laptop, I wrote a Python script to parse the XML, extract the JSON data, and convert it into a format that can be imported into other authenticators. This one produces a newline-separated list of TOTP URIs, which is supported in ente.io's authenticator. Here's the script (extract.py):
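An added example of this parsing step, not the author's extract.py: it reads a SharedPreferences XML, takes the JSON array stored inside it and emits otpauth:// URIs, skipping entries whose secret is not valid base32. The sample XML, its key name and the JSON field names (name, issuer, secret, digits) are assumptions, since the page does not show the file's contents.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# Constructed sample (SharedPreferences layout). Key name and JSON field names
# (name, issuer, secret, digits) are assumptions; check them against your file.
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="tokens">[{&quot;name&quot;:&quot;alice@example.com&quot;,&quot;issuer&quot;:&quot;Example Corp&quot;,&quot;secret&quot;:&quot;JBSWY3DPEHPK3PXP&quot;,&quot;digits&quot;:6},{&quot;name&quot;:&quot;broken&quot;,&quot;secret&quot;:&quot;not base32!&quot;}]</string>
</map>"""

def load_tokens(xml_text):
    """Return the first <string> value that decodes to a JSON array of objects."""
    for node in ET.fromstring(xml_text).iter("string"):
        try:
            data = json.loads(node.text or "")
        except json.JSONDecodeError:
            continue
        if isinstance(data, list):
            return [t for t in data if isinstance(t, dict)]
    return []

def normalize_secret(raw):
    """Return unpadded upper-case base32, or None if the value does not decode."""
    s = "".join(str(raw).split()).upper().rstrip("=")
    try:
        base64.b32decode(s + "=" * (-len(s) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return s or None

def to_otpauth(token):
    """Build an otpauth://totp URI (Key URI format); None if the secret is unusable."""
    if (secret := normalize_secret(token.get("secret", ""))) is None:
        return None
    issuer = token.get("issuer") or ""
    label = quote(str(token.get("name", "")), safe="@")
    params = {"secret": secret, "digits": token.get("digits", 6)}
    if issuer:
        label, params["issuer"] = quote(issuer) + ":" + label, issuer
    return f"otpauth://totp/{label}?{urlencode(params, quote_via=quote)}"

def export_uris(xml_text):
    """Return (uris, names_skipped) for the tokens in a prefs XML document."""
    pairs = [(t.get("name", "?"), to_otpauth(t)) for t in load_tokens(xml_text)]
    return [u for _, u in pairs if u], [n for n, u in pairs if not u]

if __name__ == "__main__":
    print("\n".join(export_uris(SAMPLE_XML)[0]))
```

The output holds every TOTP seed in plaintext, so keep it on encrypted storage and delete the intermediate copy left on the SD card.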

Wrapping Up

Finally, I ran the script, and it successfully generated a text file containing all my TOTP URIs:

Now, I can easily import these URIs into my password manager of choice.

Here is an alternative script which prints the QR codes for the TOTP URIs in the console, which can be scanned by almost every 2FA app. This library is required:

Happy migrating!

Adarsh Hegde
