Raivo OTP downgrade #44

Closed
redecs opened this issue May 31, 2024 · 40 comments

@redecs

redecs commented May 31, 2024

First of all, thank you @qnblackcat for this guide!!! I owe you a few 🍺 for this one.

In the past few days the Raivo OTP fiasco happened. The TL;DR: the original dev sold the app last year, and the new owner decided to move to subscription-based pricing but also broke the app in the process (partial restore from iCloud storage, payments not working and other issues).

I'm posting this here because using this guide I managed to downgrade to the latest version of the app built by the previous owner: Raivo 1.4.21. The build number for it is: 858175785.

The only caveat to mention: my version of iTunes for Windows (12.6.5.3) didn't have the downloads button in the UI, so I had to find the file in my iTunes Library (/Users/_YOUR_ACCOUNT_/Music/iTunes/iTunes Media/Mobile Applications). Just deleting the IPA from there didn't allow me to redownload the app, so I just deleted the whole iTunes library (you need to close iTunes before doing that, of course).

Also, I used iMazing 3 to load the IPA and it worked like a charm.

I'm leaving this here for others who might want to try this approach.

Many many thanks for this guide @qnblackcat!

@redecs redecs closed this as completed May 31, 2024
@redecs
Author

redecs commented May 31, 2024

It seems I was right to post this here, since issues were disabled on the Raivo iOS application GitHub repo.

@no-nice-username

> It seems I was right to post this here, since issues were disabled on the Raivo iOS application GitHub repo.

Those assholes deleted all tickets regarding the issue.
Thx for the guide, my data was not completely erased, but I lost all recently added records. At least I was able to export everything I still have without paying them a penny.

@tailscale1

tailscale1 commented May 31, 2024

I didn't use iCloud sync, only used the app locally.
The app was included in my device iCloud backup though.
Will this method help me? What other options do I have?

@mzielinski0

> I didn't use iCloud sync, only used the app locally. The app was included in my device iCloud backup though. Will this method help me? What other options do I have?

I've just used that method for offline storage, it worked. Thank you OP for that, you're my hero :-)

@mjakeman

mjakeman commented Jun 1, 2024

If you used iCloud backup, the latest macOS version of the app has seemingly re-enabled import/export.

You can:

  1. Install the macOS app (regardless of whether it was installed before)
  2. Choose iCloud and enter your master password when prompted
  3. Export OTPs to a password protected zip
  4. Open the included HTML file and scan the QR codes (if you have trouble scanning them, you can also copy the "SEED" code, may need to remove special characters from the end)
  5. Uninstall Raivo and use something sensible like Google Authenticator or Bitwarden's new one (what I've gone for)

@mkab

mkab commented Jun 1, 2024

Note: For those trying to recover their OTPs, DO NOT update your iOS to the latest version (17.5.1).
The old versions of Raivo are incompatible with the latest iOS update.

@redecs thanks a lot for this guide. Unfortunately, I updated my iOS version to 17.5.1 and Raivo 1.4.21 is incompatible with it.
Do you have any suggestions as to how to fix it?

@jmetrikat

@mkab Are you sure v.1.4.21 is incompatible with iOS 17.5.1?

I haven't tried the downgrade method yet. However, I recall that iOS 17.5.1 was released on May 20th, which was before the malicious Raivo update to version 1.5 on May 29th. I am fairly certain the Raivo app was running during those nine days. Could you check again please?

@mkab

mkab commented Jun 1, 2024

@jmetrikat I get this error when installing it using iMazing 3

[Two screenshots of the error]

@Poloolpp

Poloolpp commented Jun 1, 2024

Thank you so much man, saved my life

@zeroaddresss

zeroaddresss commented Jun 1, 2024

@redecs @mzielinski0 We're in the same boat. I've followed all the steps but I am having issues injecting the IPA file into my iPhone using iMazing (see screenshot below).
Got a few questions:

  1. Should you uninstall the current raivo app in your phone before installing the older version with IPA file?
  2. If anybody managed to install it successfully, what build did you install and what installation software did you use?

I understand this situation is tough for everyone involved, appreciate anyone helping out.
Thanks in advance
[image]

Also, I've tried with the following 3 IPAs in the screenshot below, and got the same error for each of those.
[image]

@zeroaddresss

> @jmetrikat I get this error when installing it using iMazing 3
>
> [Two screenshots of the error]

Same here, with iOS 16. Read my comment above.

@redecs
Author

redecs commented Jun 2, 2024

I used iOS 17.4.1 when I managed to downgrade to Raivo 1.4.21 (the last version from the old developer). I don’t know why the procedure wouldn't work with iOS 16, because it should. With the latest version of iOS, 17.5.1, it is more plausible that Apple made some changes that might have broken this. Did you use the latest version of iMazing?

One thing to note here is that the IPAs you are downloading are tied to the Apple ID used in iTunes when you downloaded them (encryption keys), so if you got the IPA from a different Apple account that might be why it’s not working.

@zeroaddresss at the time I did this, the latest version of Raivo was 101, and that was broken. I believe all the versions you tried - 1.5, 101, 110 - are from the new developer.
As for the steps I took, I didn’t uninstall the broken version before the downgrade; iMazing 3 was able to overwrite it for me.

@mkab

mkab commented Jun 2, 2024

@redecs I reinstalled iMazing 3 (to make sure I had the latest version), tried installing Raivo 1.4.21 and it worked! Very weird, perhaps I didn't install the latest version but I could've sworn I did.
At last I'm able to retrieve my OTPs. Thanks a lot!

@zeroaddresss

@redecs Thank you for the heads up, looks like my issue was related to the version I was trying to install.
Tried with version 1.4.21 and it worked like a charm, managed to recover my OTP codes thankfully.

@qnblackcat
Owner

Wow. I don't know what this Raivo app is, but I'm so happy that I was able to help everyone!

@mkab next time just AirDrop the IPA from your Mac to your phone. No need for iMazing.

@jmetrikat

jmetrikat commented Jun 2, 2024

this works great, more people who are affected should try it. thanks a lot @redecs @qnblackcat !

@lodak80

lodak80 commented Jun 2, 2024

After this fiasco, would you consider a smaller player like Bitwarden vs just going with an established player such as Google Authenticator, so that when they phase apps out, they at least advertise a process and timelines and notifications?

@mkab

mkab commented Jun 3, 2024

@qnblackcat I first did that but my phone could not execute it. Either way, thanks a lot for your guide! Saved me from doing an MFA affidavit to recover one of my accounts. Stored it offline in case something happens to GitHub lol

@lodak80 depends on your privacy/security/threat model. Some people use apps like Raivo because they do not like the privacy practices of big players like Google. For example, it's impossible to back up your OTPs if you're using Google Authenticator without jumping through hoops. This means you're pretty much tied up with Google - which a lot of people, including me, don't like.
Regardless of which app you end up choosing, you should always back up your keys. If there's one thing I've learnt from this Raivo mess, it's that. Go for an app that lets you do offline backups, encrypted or not. I use Bitwarden for my password manager and have everything backed up now. For OTPs I've heard good things about Ente (which I've switched to, and of course backed up my OTPs) and 2FAS (yes, that's really the app's name).

@redecs
Author

redecs commented Jun 3, 2024

@lodak80 I did exactly what @mkab described. I moved away from Google Authenticator years ago because I lost my TOTP tokens after I changed my phone (had issues with their "cloud" backup many years ago). For a few years I used FreeOTP and then switched to Raivo for the nicer UI and creature comforts it offered (like displaying the previous code after it expired so you can type that last digit in even if you are a second too late). My mistake was that I was complacent and didn't leverage the great backup/export function the app had and store that somewhere safe, but I've now learned my lesson.

Going forward I'm looking at several options:

  1. Putting (some?) TOTP tokens in the password manager (Bitwarden or 1Password)
  2. Start using Yubikeys (for FIDO/U2F where supported and for TOTP with Yubico Authenticator where not - limited to 32 tokens)
  3. Using another 3rd party TOTP app that has the ability to do a full export of the data. This backup should be easy to read/parse (Raivo had a nice HTML file + JSON and it was great). Do a backup each time you add a new token to the app and store that somewhere safe (and encrypted, of course).

Another important lesson here is even if the app provides some sort of backup to iCloud/Google you can't easily access that data if the app is botched (like it was with Raivo). Always make your own backups!

As alternatives, 2Fas and Ente were the options that came up most often everywhere I read. I'm currently trying 2Fas but I'm not too worried, since I now have backups. 😃

@ALMerrill

@redecs thank you so much for that added info on this guide, I was able to successfully recover my local only codes. On to changing them all and trying out 2Fas with better backup practices!

@mrakko

mrakko commented Jun 4, 2024

Thanks guys, you've saved me!!
I have not uninstalled the app after all this misery just because I saw from storage settings that my offline/local TOTP data is still there. Learned the lesson about making backups regularly!

@mastablasha

Saved my ass, thanks!

@tailscale1

tailscale1 commented Jun 7, 2024

I managed to download the IPA and AirDropped it to my iPhone but I don't see the file.
Or maybe I don't understand what's supposed to happen.
Are there any extra steps after transferring the file to the iPhone?

EDIT: I used iMazing. Everything worked!
Was able to recover the codes, so that I could delete them and create new keys for the other Authenticator app.

@qnblackcat
Owner

> I managed to download the IPA and AirDropped it to my iPhone but I don't see the file. Or maybe I don't understand what's supposed to happen. Are there any extra steps after transferring the file to the iPhone?
>
> EDIT: I used iMazing. Everything worked! Was able to recover the codes, so that I could delete them and create new keys for the other Authenticator app.

this is strange. the IPA should be installed automatically. Glad you got it working anyway!

@qnblackcat qnblackcat pinned this issue Jun 8, 2024
@IrishMarty10

For some reason every time I open the downgraded app I just get a prompt to create a new master password. I've followed everything and got the app downloaded on the iPhone via AppManager, but it just won't let me log in. I've tried about 5 or 6 different builds as well.

@redecs
Author

redecs commented Jun 10, 2024

@IrishMarty10 make sure you try the right build, since the new developer pushed a lot of versions (by your description to create a master password I suspect you are using a build from the new dev). As I mentioned before I have identified the build number for Raivo 1.4.21 to be 858175785. That build was confirmed to work by multiple people.

@IrishMarty10

> @IrishMarty10 make sure you try the right build, since the new developer pushed a lot of versions (by your description to create a master password I suspect you are using a build from the new dev). As I mentioned before I have identified the build number for Raivo 1.4.21 to be 858175785. That build was confirmed to work by multiple people.

Yep that was the first build I tried it with, I even checked the app in my phone settings and it was the correct version. I've managed to disable 2FA on the last two accounts I couldn't access, and have switched everything over to 2FAS now, so it doesn't matter. You don't realise how dependent you are on these apps until one of them goes rogue.

The method was good, but something just went wrong in my case. I've got an offline backup saved for the new one.

@seqb

seqb commented Jun 11, 2024

Hi all,
one question: I have a local iPhone Backup from end of May (definitely before I updated the Raivo App). Can I downgrade the Raivo App on my iPhone with iMazing and get my OTPs back?

Thanks a lot for any help!

@seqb

seqb commented Jun 11, 2024

To answer my own question: No, it is not possible. The secret data that Raivo saves on the iPhone is not restored from a local iPhone Backup (I mean a normal backup of the whole iPhone). I have a local Raivo Backup, but it is two months old, so two OTPs are missing now. Can't believe that the new owner of the app is so incompetent and halfhearted.

@iskrenpp

This is a great guide. I got the older version installed. But I am not clear in what circumstances I should be able to see my offline tokens with the older version of Raivo? After I saw Raivo Debug and could not use it, I removed it. Did this removal effectively also remove any local Raivo token secret data? So my hopes of finding this offline Raivo data are in vain?

@mailinglists35

mailinglists35 commented Aug 17, 2024

> This is a great guide. I got the older version installed. But I am not clear in what circumstances I should be able to see my offline tokens with the older version of Raivo? After I saw Raivo Debug and could not use it, I removed it. Did this removal effectively also remove any local Raivo token secret data? So my hopes of finding this offline Raivo data are in vain?

yes. when you delete an app, you also delete its data, regardless of whether the updated app made use of it or not. see if you have any backups prior to upgrade. I did an iCloud backup restore from a backup before the change but the raivo app data seems to not be included in icloud backup.

@mailinglists35

@redecs after downgrade did you get your keys back? do you mean they are still in app data?
I tried backing up the data with trollstore appsmanager, i decrypted the ipa using trolldecryptor/appsdump2, then tried on a test second phone and it complained that the app cannot use downgraded data :(((

[image: IMG_0791]

i still have the original one untouched, upgraded, without keys :(

@redecs
Author

redecs commented Aug 17, 2024

> @redecs after downgrade did you get your keys back? do you mean they are still in app data? I tried backing up the data with trollstore appsmanager, i decrypted the ipa using trolldecryptor/appsdump2, then tried on a test second phone and it complained that the app cannot use downgraded data :(((
>
> [image: IMG_0791]
>
> i still have the original one untouched, upgraded, without keys :(

For me it worked at the time, but maybe the new developer made some changes that made the downgrade impossible. They were releasing a lot of new versions trying to contain the damage while asking people for money. Unfortunately I don’t have any piece of advice for you in this situation but maybe someone else has.

@mailinglists35

mailinglists35 commented Aug 17, 2024

I'm seeing these files in the Documents folder:

1661952815.realm
1661952815.realm.backup-log
1661952815.realm.lock
1661952815.realm.management
1723819029.realm
1723819029.realm.lock
1723819029.realm.management

the duplicate has the timestamp of the time when I updated the app, while the original has the timestamp of the last time I added a code. I hope and presume my data is still not lost. I've contacted the a**holes to see if they can give instructions to recover the codes, since the files seem to be encrypted

@mailinglists35

mailinglists35 commented Aug 17, 2024

the files also seem to not get backed up to icloud backups (not to be confused with native in app icloud sync), I've restored a backup made before the change, the app version is good 1.4.21 but the app starts as new.

EDIT: they do get backed up.

@mailinglists35

mailinglists35 commented Aug 18, 2024

there is hope.
I restored my phone's icloud backup onto my ipad.
then I jailbroke it and got the Documents/10-digits-filename.realm file, this TIFU is a type of database storage file called "realm".

- jailbreaking is not necessary, check your iphone backups, you can extract the file from there directly. in my case since the backup was only in icloud, I only got one chance to read it, since apple does not allow getting a copy of your own backup unless you erase one of your devices and select restore from icloud... and that icloud only has 2-3 backups of your device, so in my case I already had the latest backup with bad changes, but I was able to select the previous backup yey!

then using Realm Studio I opened it, it asked for the encryption key.

I used openai's chatgpt to feed it "CryptographyHelper.swift" file from github source code along with explanation in Security.md ("A PIN code must be used to unlock the Service Raivo OTP for Apple iOS on your Apple device (the "Device"). After entering a PIN code, a key will be derived using PBKDF2 based on a combination of your encryption key (that is stored in Secure Enclave) and the given PIN code. Using this derived key, the Service Raivo OTP for Apple iOS tries to decrypt the local database.")

gpt generated this python code which produced an output that was accepted by Realm Studio (correct decryption)

python3 -c 'import hashlib, binascii; print(binascii.hexlify(hashlib.pbkdf2_hmac("sha512", b"YOUR RAIVO PIN", b"YOUR RAIVO PASSWORD", 50000, 64)).decode())'

then it complained that the realm database is in a legacy format and offered to backup and upgrade it

THEN FINALLY I CAN SEE MY ENTRIES !!!

PS: after iphone finished restore, I disconnected it from the internet, so to make sure when opening raivo, maybe I don't get the old file deleted by getting it from icloud synced by the affected phone.

@mailinglists35

mailinglists35 commented Aug 18, 2024

alright, turns out it could be even simpler. when you open the updated app, the app generates a new realm file in its Documents folder. for non-jailbroken users: backup the device, edit the backup and replace the contents of the new realm with the contents of the old realm file, then restore to phone. the old codes will appear. not tested, but IIRC there is an app that allows you to restore only some files instead of a full restore.

in my case jailbroken, in the end all I did was

(first, find the directory of raivo app data, find /private/var -iname '*.realm*')
# cd /private/var/mobile/Containers/Data/Application/EC3B3382-B648-4BDA-AB96-8015F8DE5262/Documents
# cat 1661952815.realm > 1723991492.realm         

this enabled the old codes in the new updated app

@mailinglists35

yey, and from the new app - export to zip, it works

@mailinglists35

aaand finally after I took all these extra safety steps to ensure my codes are recovered, I followed the downgrade procedure, and it worked! thank you!

@redecs
Author

redecs commented Aug 19, 2024

@mailinglists35 congrats on figuring all this out and thanks for sharing! I thought I had to jump through hoops to get my codes back but it looks like you had even more "fun" than me. Happy that you got your 2FA codes back. Remember to do regular backups!
After all of this I learned the lesson of exporting a backup from the app each time I add something new and keeping it somewhere safe.
