forked from 0x4f53/Wristkey

A free and open-source 2FA app for smartwatches.


gilcu3/Wristkey

 
 


Wristkey


Have an old smartwatch lying around that you'd like to use for 2FA? Or do you just need a minimal and open-source 2FA app you can trust? Wristkey is an open-source 2FA client for Wear OS watches, but it works on any Android-based smartwatch! Get the APK here.

You can now run Wristkey on your phone too! Just download the APK and install it on your phone.


FEATURES

  • Use without pairing to a phone (standalone) or being connected to Wi-Fi.

  • Import via Aegis Authenticator, andOTP, Bitwarden and Google Authenticator using ADB.

  • Export to other devices using QR code or export file.

  • Lock via PIN, pattern and password.

  • Data stored using 256-bit AES-GCM.

  • Time and counter mode OTPs, up to SHA512 and 4-8 digits.

  • Supports round and square devices.

INSTALLATION

There are several guides available online on how to sideload apps via ADB. If you use a device that supports data transfer via USB, you can follow any ADB via USB debugging guide, such as this one. If you're using a watch that supports wireless ADB only, you can use this guide.

  1. Connect your watch to your computer and enable Developer Options on your watch by going to Settings → System → About and tapping 'Build Number' 7 times.

  2. Download the latest Wristkey APK and install it on your watch by typing:

    adb install -r app-debug.apk
    

USAGE

Adding items

Wristkey supports importing data from multiple sources, though the procedures differ slightly for each of them. For example, for Bitwarden, a JSON file is parsed and the totp field is extracted from each account. For website QR codes, the QR Code is scanned and the resulting otpauth:// URL is parsed.
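The two import paths described above, sketched in Python as an added example (this is not Wristkey's own Kotlin code). It assumes the Bitwarden export keeps accounts under `items[].login.totp` and that the field holds either a bare base32 secret or a full otpauth:// URI; the function names and sample data are constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, quote, unquote, urlparse

def parse_otpauth(uri):
    """Validate an otpauth:// URI and return its parameters as a dict."""
    u = urlparse(uri)
    kind = u.netloc.lower()
    if u.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not a totp/hotp otpauth URI")
    q = {k.lower(): v[0] for k, v in parse_qs(u.query).items()}
    secret = q.get("secret", "").replace(" ", "").upper()
    # The secret must be non-empty, well-formed base32 (binascii.Error is a ValueError).
    if not base64.b32decode(secret + "=" * (-len(secret) % 8)):
        raise ValueError("empty secret")
    algorithm = q.get("algorithm", "SHA1").upper()
    digits = int(q.get("digits", "6"))
    if algorithm not in ("SHA1", "SHA256", "SHA512") or not 4 <= digits <= 8:
        raise ValueError("unsupported algorithm or digit length")
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    entry = {"type": kind, "issuer": q.get("issuer", issuer), "account": account,
             "secret": secret, "algorithm": algorithm, "digits": digits}
    if kind == "hotp":
        if "counter" not in q:
            raise ValueError("hotp URI without counter")
        entry["counter"] = int(q["counter"])
    else:
        entry["period"] = int(q.get("period", "30"))
    return entry

def from_bitwarden(export_text):
    """Collect entries from the totp field of each item in an unencrypted export."""
    entries = []
    for item in json.loads(export_text).get("items", []):
        totp = (item.get("login") or {}).get("totp")
        if not totp:
            continue  # account without 2FA configured
        if not totp.startswith("otpauth://"):
            # Bare base32 secret: wrap it so the defaults (SHA1, 6 digits, 30 s) apply.
            totp = "otpauth://totp/%s?secret=%s" % (quote(item.get("name", "")), totp.replace(" ", ""))
        entries.append(parse_otpauth(totp))
    return entries

# Constructed sample export (not real account data).
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "Example Mail", "login": {"username": "alice", "totp": "JBSWY3DPEHPK3PXP"}},
    {"name": "Example VPN", "login": {"totp":
        "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&algorithm=SHA256&digits=8"}},
    {"name": "No 2FA", "login": {"totp": None}},
]})
```

Rejecting out-of-range digit lengths, unknown algorithms and malformed base32 at import time keeps a bad entry from silently producing codes that never match.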


Transferring data

If your watch is paired to an Android phone, you can use a third-party Wear OS file manager like myWear File Explorer or Nav Explorer to transfer PNG / JSON files from your phone's storage to your watch.

If your device has a camera, you can just use that to scan for QR codes.

Via file picker

If you're using Wristkey on a non-Wear OS Android device (such as an Android phone or an unknown Android smartwatch), you can browse for files on your device locally using the file picker.

For Wear OS devices, there are two main ways of transferring files.

Via ADB
  1. Enable ADB Debugging on your watch by going to Settings → System → About and tapping 'Build Number' 7 times.

  2. Go back and tap on Developer Settings, then scroll down and enable "ADB Debugging".

  3. Make sure Wristkey has storage permissions. On your watch, go to Settings → Apps & notifications → App info → Wristkey → Permissions and enable 'Storage'.

ADB over USB
  1. Connect your watch to your computer via USB. When prompted on watch, tap 'Always allow from this computer'.
ADB over Bluetooth
  1. Enable Bluetooth Debugging on your watch by going to Settings → System → About and tapping 'Build Number' 7 times.

  2. Now on your Android phone / tablet, open the Wear OS app, tap the top right menu button and tap on 'Settings'.

  3. Enable 'Debugging over Bluetooth'. You should see:

    Host: disconnected
    Target: connected
    
  4. Connect your Android phone / tablet to your computer via USB. Then open a new terminal and run the following commands

    adb forward tcp:4444 localabstract:/adb-hub
    adb connect localhost:4444
    
  5. On your phone, the Wear OS app should display

    Host: connected
    Target: connected
    

Google Authenticator, QR codes, Aegis Authenticator, andOTP, Bitwarden and Wristkey

  1. If using a QR Code from a website, save it as a screenshot and make sure it is clearly visible with no pixelation. If importing from Google Authenticator, tap the three dots on the top right corner, then tap on 'Export accounts'. Then select the accounts you'd like to export and tap the export button 'Export'. Take a picture or screenshot of the QR code that is displayed, make sure it is a PNG or JPG file and that it is clear with no blurring, glare or pixelation.

    If using a JSON file, make sure it was exported in an unencrypted JSON format. Make sure you don't rename the file.

  2. Open a terminal on your computer and place this PNG or JPG file in the main directory of your watch (/sdcard/) via the following commands

    adb push <file>.<extension> /data/local/tmp
    adb shell run-as app.wristkey cp /data/local/tmp/<file>.<extension> files/
    

    If you get an error such as the one below:

    cp: files/<file>.<extension>: No such file or directory
    

    or

    cp: files/: Is a directory
    

    simply create the directory by typing

    adb shell run-as app.wristkey mkdir files
    
  3. On your watch, open Wristkey, scroll down and tap the add icon '+', then select your import option.

Manual entry

On your watch, open Wristkey, scroll down and tap the add icon '+', then tap Manual Entry. The default settings are for Google Authenticator codes (SHA1, 6 digits, time-based). Scroll down and tap the done button '✓' at the bottom when done.

Note: Steam codes aren't supported yet.


Editing and Deleting items

To edit or delete an item, tap and hold on its name. To delete an item, scroll all the way to the bottom of the edit screen and tap the trash icon.

Exporting


Since watches are tiny devices that can be misplaced, backing up and exporting your secrets and storing them in a safe place is always a safe bet.

Via QR code

To export a single account via a QR code, press and hold it, then scroll down and select the 'Show QR code' option.

To export all your accounts via QR codes, tap the settings icon '⚙️', then scroll down and select Export vault. Then select the QR code option. All your account QR codes will be displayed at 5 second intervals. You can scan these in your preferred Authenticator app.

Via file
  1. Tap the settings icon '⚙️', then scroll down and select Export vault. Then select the file option. An export file will be generated on your device.

  2. Find the name of the backup file by typing

    adb shell run-as app.wristkey ls files/
    
  3. Extract this file via the following command, replacing <filename> with the name of the wfs file

    adb shell run-as "app.wristkey" cat "files/<filename>.wfs" > backup.wfs
    

Note: Exported text files are unencrypted and must be handled with care. Delete them when not in use.

TROUBLESHOOTING

App displays wrong TOTP codes

Make sure you set your secret key, digit length and algorithm correctly. If the 2FA codes are still wrong, your watch may have the time set incorrectly. Please set the time by pairing it to a phone or connecting to Wi-Fi.
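To tell a clock problem apart from a wrong secret, digit length or algorithm, the check below recomputes codes per RFC 6238 and searches nearby time steps for a reference code taken from a device with a correct clock. It is an added example, not Wristkey's code; `diagnose` and its parameters are illustrative names, and the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP with the hash chosen by name (SHA1, SHA256, SHA512)."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, digits=6, algorithm="SHA1", period=30):
    """RFC 6238 TOTP for a base32 secret at the given Unix time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    return hotp(key, int(unix_time) // period, digits, algorithm)

def diagnose(secret_b32, reference_code, device_time, max_steps=10, **params):
    """Return how many time steps the device clock is off by (0 = in sync),
    or None if no nearby step matches, which points at a wrong secret,
    digit length or algorithm rather than the clock."""
    period = params.get("period", 30)
    for step in sorted(range(-max_steps, max_steps + 1), key=abs):
        if totp(secret_b32, device_time + step * period, **params) == reference_code:
            return step
    return None

# RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

A non-zero result means the settings are right and the watch's time needs correcting; `None` means the entry itself should be re-entered.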

File import not working

Make sure that

  1. Wristkey has storage permissions in your watch's Settings app.

  2. The filename format is appropriate:

    • When importing from JSON, make sure the file you export is an Unencrypted file in JSON format and that you don't rename it.
    • When importing from Google Authenticator or a QR code, make sure the screenshot or picture is in PNG or JPG format and is clear.
    • When using a Wristkey backup file, make sure it has the .wfs extension.
  3. If you're using an image of a QR code, make sure it is in focus and clearly visible.

  4. The files/ directory exists in the destination. If this doesn't exist, Wristkey might accidentally paste your code into a file called "files". This can be solved by typing:

    adb shell run-as app.wristkey mkdir files/
    

    then run the import commands.

File export not working

Make sure that Wristkey has storage permissions in your watch's Settings app. If already enabled, disable and enable storage permissions again.

SECURITY

Further reading: Security Policy

Importing files

To prevent data extraction, make sure you delete the JSON, PNG or JPG files from both your watch's storage and your computer once you're done importing them. Check for any lingering files via ADB by running the adb shell ls /sdcard/ command. The import commands above stage the file in /data/local/tmp before copying it, so check that location too.

Storage

All sensitive data within Wristkey (including secrets to generate OTPs) is stored encrypted using 256-bit AES-GCM encryption, with the decryption key stored locally on your watch. No backdoor on my end. ;)

Privacy

Wristkey can be set to unlock after entering your watch's password / PIN / pattern. To enable screen locking for the app, go to your watch's Settings → Personalization → Screen Lock and set a PIN / pattern / password. To override this setting, open Wristkey, tap the settings icon '⚙️', then scroll down and disable Screen lock.

CHANGELOG

A detailed changelog is available on the releases page.

CONTRIBUTION

Further reading: Contributing and Code of Conduct

Contributing

I made this app for myself because the ancient LG G Watch W100 I use barely works when paired with iOS. But you can contribute too if you want. Click here to read the rules before doing so.

Code of Conduct

Make sure to adhere to the code of conduct when interacting with others on this project.

ACKNOWLEDGEMENTS

Contributors

Trương Huỳnh Đức

Libraries, apps and projects

The Aegis Authenticator, andOTP, Google Authenticator and Bitwarden names, data export formats, logos and trademarks belong to their respective owners.

Please star and support these developers for their hard work. All libraries, dependencies and tools used belong to their respective owners.

Marcel Kliemannel - Kotlin Onetimepassword (to generate OTPs)

Androidmads - QR Generator library (to generate QR Codes)

Yuriy Budiyev - Code scanner

Zxing (to scan QR codes for Google Authenticator imports)

GSON (to parse data)

EncryptedSharedPreferences (to store data in an encrypted format securely)

Roland Kurmann - extract_otp_secret_keys (to extract Google Authenticator data)

Chaquo Ltd - Chaquopy (to run Python to decode protobuf3 data)

LICENSE

Multimedia licensed under CC BY-NC-SA 4.0

Copyright © 2022 Owais Shaikh

DONATE

If you'd like to donate to me, send me lots of Bitcoin here:

19xgj8XoDMcHSENUDrkW3GtjQjfnbnmWTS

