Issues w/ adding Steam profile #390

Closed
Chaprnks opened this issue May 3, 2020 · 8 comments
Labels
bug A bug report

Comments

Chaprnks commented May 3, 2020

Info

  • Version: 1.1.4
  • Source: Google Play
  • Vault encrypted: No
  • Device: Nexus 6P
  • Android version and ROM: 9 (Pie) & AICP (Android Ice Cold Project)
  • Rooted: Yes

Steps to reproduce

Hi, I am trying to add Steam 2FA to the Android app Aegis. I noticed Steam in the dropdown menu of the app, and proceeded with submitting a Google Play review to confirm that it's referring to Steam. I followed instructions on how to obtain a "shared_secret". After doing some research, I came to the conclusion that "shared_secret" is the secret needed for the new profile.

I selected Steam from the dropdown list of types (right after TOTP & HOTP, the third being Steam). I successfully obtained my shared_secret and attempted to add the profile. Lastly, I selected "save" to finish the profile. From there, I get the error: "Add new profile" returns: "Secret is not valid base32". I consulted the creator of the GitHub repo that I used to obtain the "shared_secret" from (in this case "Steam Desktop Authenticator"). His response was that shared_secret isn't the field I should be looking for, and that the app needs to add specific support for using one of those. I concluded that the best course of action was to make a GitHub issue thread, as this seems to be more of an issue with the Aegis app itself, rather than Steam.

What do you expect to happen?

I expected the app to successfully add the profile to my Aegis list of 2FA services.

What happens instead?

Returned "Error saving profile": "Secret is not valid base32".

Log
Error saving profile:
Secret is not valid base32.

I would add a screenshot, but the app has a secure flag, that prohibits taking screenshots while this app is in the foreground.

Chaprnks added the bug (A bug report) label May 3, 2020

Committing commented May 3, 2020

I believe Steam shared_secret is base64 encoded (I use it for stidler.com). If that helps.

Adding support for Steam would be difficult, as the user would have to manually extract their code each time, but it could be possible.

Chaprnks commented May 3, 2020

I recently tried the other method, importing from app (sorry, didn't notice it before!). This returned the error:

One or more errors occurred during the import
org.json.JSONException: No value for shared_secret


UPDATE:

Yay! I got it working. I copied the "Steamguard-XXXX" file from the Steam Android app data directory. Moved it onto the root of the sdcard. Then did "Import from file", selected the file I just moved. To my surprise, this actually worked! The import was successful and the Steam account is now on the list in Aegis!

@alexbakker
Member

As @Committing noted, Steam encodes the secret in base64, while Aegis expects it to be encoded in base32. And as you discovered, Aegis handles this automatically when using the import functionality.

The org.json.JSONException: No value for shared_secret error you got when importing should not happen though. Did you have multiple Steamguard-XXXX files in that directory by any chance?

Chaprnks commented May 3, 2020

No, I only had one in the /data/data/Aegis directly. This was before I even copied the file onto the sdcard.

@alexbakker
Member

Do you mean the /data/data/com.valvesoftware.android.steam.community/files directory? That's where Aegis gets the Steamguard-XXXX files from. It would be strange if Aegis was unable to read the file directly, but worked fine after you copied it and used the "Import from file" option. Unless there are multiple files in that directory, as Aegis grabs the first one that it finds.

@michaelschattgen
Member

Closing this issue as this does not seem to be reproducible.

4rg0n commented Mar 9, 2023

I used this to translate the key into the format required for Aegis and chose "Steam" as type.

echo "<shared_secret>" | base64 -d | base32

So basically you have to base64 decode your <shared_secret> and base32 encode it again =)
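
Added example (not part of any comment in this thread, and not Aegis code): the same base64-to-base32 conversion in Python, with a check showing why the raw shared_secret is rejected as base32, and a Steam Guard code derived from the converted secret using the widely implemented HMAC-SHA1 scheme with Steam's 26-character alphabet. The function names, the 20-byte key length check and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # 26 symbols used in Steam Guard codes


def is_valid_base32(text: str) -> bool:
    """Strict base32 check, comparable to the one that rejected the manual entry."""
    try:
        base64.b32decode(text)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def steam_secret_to_base32(shared_secret_b64: str) -> str:
    """Re-encode a base64 shared_secret as base32 for manual entry."""
    try:
        raw = base64.b64decode(shared_secret_b64.strip(), validate=True)
    except ValueError as exc:
        raise ValueError("shared_secret is not valid base64") from exc
    if len(raw) != 20:  # assumption: the key is HMAC-SHA1 sized (20 bytes)
        raise ValueError(f"expected 20 key bytes, got {len(raw)}")
    return base64.b32encode(raw).decode("ascii")


def steam_code(secret_b32: str, unix_time: int) -> str:
    """HMAC-SHA1 TOTP with a 30 s step, rendered as 5 chars of STEAM_ALPHABET."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // 30)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    chars = []
    for _ in range(5):
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars)


# Constructed sample: base64 of the RFC 6238 test key b"12345678901234567890".
SAMPLE_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="

if __name__ == "__main__":
    b32 = steam_secret_to_base32(SAMPLE_B64)
    print(is_valid_base32(SAMPLE_B64), b32, steam_code(b32, 1700000000))
```

The converted value is key material equivalent to the original shared_secret, so it should be handled and stored with the same care.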

piec commented Dec 20, 2023

This is how I did it today.

What I did was:

  1. Extract steam_id / access_token from my logged-in app. It might be possible to extract these from a web session as well, but I didn't try; I was initially looking for the secrets in the Android app data.
  2. Use these with the Python library to log in and add a new authenticator.
  3. Add it to Aegis.

1. Extract tokens from phone

Requires root (or root in a recovery)

$ adb pull /data/data/com.valvesoftware.android.steam.community

$ echo .dump | sqlite3 com.valvesoftware.android.steam.community/databases/RKStorage | grep Auth
…
 INSERT INTO catalystLocalStorage VALUES('AuthContext_1','{
…
	"activeSteamID":"xxx"
	"accessToken":"yyy"
…

2. Add authenticator using python library

In an interactive python session:

import steam.webauth as wa
import steam.guard as guard

wa = wa.MobileWebAuth("username", "password") # needed?

steam_id = "xxx"
tok = "yyy" # starts with "ey..."

session = wa.oauth_login(tok, steam_id=steam_id)
print("session", session)

sa = guard.SteamAuthenticator(backend=wa)
# sa.remove() # remove the current authenticator if needed
sa.add()
sa.finalize("code from sms") # had to retry this a few times

print(sa.secrets) # backup this securely, contains recovery code and other important things
print(sa.uri.replace("otpauth://totp/", "otpauth://steam/"))

# keep this shell open so that you can sa.remove() in case things fail

3. Add to Aegis

In another shell

qrencode -t ansiutf8 <<< 'otpauth://steam/...'

Scan the QR code in Aegis.
Check that you can log in from a private tab.

Cheers,
Pierre


Based on:
