Raivo OTP just deleted all tokens after update and is now asking for money (opens in new tab)

Glad I switched to Ente with (local no cloud)months ago AND that I have a backup of all my codes as well.

This seems like a case where Tim Apple needs to step in. 'Mobime' should be banned from the app store and Raivo reverted to a known good version. They have literally shipped ransomware

Otherwise what point is there in the apple walled garden and trying so hard to avoid sideloading (aka installing)?

Wow, there are a lot of unhappy (now ex-)users filing issues in that repo. :( :( :(

Updated URL, after Mobime disabled issues entirely on the repo: https://web.archive.org/web/20240531085449/https://github.co...

See also this conversation, where Mobime request respect and to "acknowledge the efforts being made to resolve the situation" while blurting out things like "We could have easily suspended the entire repository, but we have chosen to keep it open to reassure you that we are taking all necessary steps to resolve this". Classy.

https://github.com/raivo-otp/ios-application/discussions/369

I was able to restore my entries after clicking the “Restore” button, and choosing iCloud. However, the export feature is now paywalled.

This is hostageware, plain and simple.

I even had a todo to move away from it after I heard it had been acquired… guess it’s my fault for getting busy and not getting around to it.

One of my rules is to only use software where you can export your data easily. I guess I need to add another rule where I only use software where I control when it updates. That might be impossible with Apple devices though…

I was one of the users who also participated in the discussions, while also participating in inquiries to discover who MobiMe actually is. I think we affected users figured it out, and the person behind MobiMe is the same person listed as the Key Principal for MobiMe's profile on Dun&Bradstreet [3]. There's also other corroborating evidence, while circumstantial and coincidental, that was noteworthy and generated a further sense of suspicion. He would delete every post containing BENABID's full name, and then lock the discussion or delete the discussion entirely. (Don't worry, his name is in public records for the company, it was never private information)

Throughout the entire ordeal, from the beginning of responding to users, to the very end, he continued to lie, attempted to deceive, and assumed that we, the damaged users, were fools. I really don't know what he was thinking. Or if he was partially using an LLM to generate responses. If you look at the series of events, from the App Store log of Raivo, to his enumeration of the problematic events in question & their causes, which changed multiple times throughout the timeframe of his responses, you would come to the conclusion that he was not acting in good faith at all (which I presumed was happening from the beginning). Any reasonable and impartial observer would come to the same conclusion. Some users lost their 2fa codes, and were locked out of accessing some of their most sensitive and valuable data. Yes, there is an element of personal responsibility (having backups codes, etc), but the actions committed by MobiMe were and are against not only the App Store TOS, but are also morally wrong (as if he cares about that), and perhaps legally wrong (civilly wrong or even maybe criminally wrong if there is more we don't know). IANAL -- we all know that practically no legal action, civil or especially criminal will ever come of this. I'm almost certain he is living in an unfriendly jurisdiction that does not enforce cybercrime laws.

Ultimately in the end, like I mentioned above, he eventually deleted all discussions (after previously deleting all issues), then closed all PRs, blocked many users from interacting with the repository, and prohibited anyone from forking the repository and creating a PR. He also reseted/removed all poor reviews of Raivo on the App Store. Basically he did everything he said he wouldn't do. Then again, I'd be surprised if he actually kept his word.

Hopefully if enough people report Raivo OTP to Apple, the new/current dev in control of the project (MobiMe aka Soufiane BENABID), he won't be able to intentionally lock out users from their 2fa tokens, because he wouldn't have an Apple Developer account. He currently operates 2: the first is MobiMe, which operates Raivo and some other apps, and the second is Soufiane Benabid, which operates some apps that are very similar to the apps under MobiMe. Basically the theme with him is that he tries to squeeze as much money out of the user as possible. He controls a few domains under his belt too (literally just ~4 IIRC).

In sum, he sucks & the (impulsive?) decision to sell Raivo (which was never open source to begin with, despite marketed that way) to a super shady company without a proper transition, coupled with said shady company proceeding to turn the app into ransomware-lite is just an unfortunate and regrettable series of events.

If you want to read the lore regarding this entire incident (you've already read enough of this comment), here you go [0][1][2][3].

[0]: https://archive.ph/fGnO3

[1]: https://archive.ph/m8xk6

[2]: https://archive.ph/X8shn

[3]: https://archive.ph/094wM

I think this was little fucked up of Tijme Gommers at Northwave Cyber Security https://northwave-cybersecurity.com/ original author of this app i assume.

Things I get and appreciate:

- Before selling, great software, nicely working UI etc.

- Taking the risk to create this software.

- Wanted get some money out of the project.

Things that I don't get:

- Working for a Cyber security company and selling your "open source" project to some fishy company without really informing the users with big banners (or changing name of the app. e.g. Raivo OTP Mobime)

- Knowing fully the risks and importance of this kind of app.

- Not speaking out when shit hit the fan. (or helping)

There is no accountability here, only the social goodwill has been broken.

Lessons:

- Don't use automatic updates.

- All software is shit.

- Backup before updates.

- Trust nothing and assume it's going to break at some point.

- Go to the forest and never come back.

Repeat after me: I will never, ever, use proprietary software for important data again.

I recently got an apple phone never before having owned one. I was dismayed about the options for 2fa apps, that there seemed to not be any foss ones. I installed Raivo since it was at least source-available and had export features. But you just can't trust anything from the app store since anything can be uploaded there and you can't roll back. Luckily, I had put off migrating the tokens and looks like I will be carrying two phones for a while more.

It was a disaster waiting to happen. I had entirely disabled automatic updates for my iphone apps specifically this kind of risk with this specific app. An OTP app is sold to some totally shady guy, what can go wrong. Though tbh I must say I did not expect extortion but rather I was more afraid of malware that would just steal the TOTPs and sell them in the dark web.

but their site says "This website is a labor of love by Raivo's community on Github."

certainly repeating "love" and "community" while getting donated graphic design is all the proof anyone needs </s>

How much more insanity can we manage to wrap around hash(key + timestamp)?

https://news.ycombinator.com/item?id=33245042

Related discussion: https://news.ycombinator.com/item?id=40521655

The App Store should pitch in and do something for this.

Whenever an app like this is sold to some unknown company there's people who say to give the new owners a chance. This is proof of why that's inherently the wrong approach. Migrate the second you can.

I am one of the victims. Only noticed something is wrong today, Raivo on my iPhone got renamed to Raivo Debug and repeatedly crashed on start.

I've updated the app - what could go wrong - and it seems like I am one of the unlucky ones that got their 2FA codes wiped forever.

There was no option shown for recovery that others mentioned here, and they did not ask for money either.

Now I am going through the pain of recovering each one of my dozens of accounts one-by one and moving 2FA codes to 1Password (and 1Passwords own 2FA to Google Authenticator on my iPhone). Quite ironically, I've switched to Raivo in an attempt to use fewer Google products.

I would like to report this to Apple (although they did review and approve all revisions - sounds like very little fu*ks they give), but not sure how. The report categories are "Request a refund, Report a quality issue, Report a scam or fraud, Report offensive abusive content, Report illegal content". I've tried "Report a quality issue" (closest to my situation) but then I get "Reporting not available".

Wow, that's horrible. I hope it's something reversible involving the ownership change (the app seems to have been acquired – maybe a new team identifier is preventing access to old keychain groups or something).

So it's "open source" but that doesn't really help people because Apple's policies don't let you sideload a new version yourself, is that right?

Raivo is the Finnish word for “rage”. Seems fitting.

I went on today to realize that the app is acting like this is my first time setting it up and started asking me to pay a subscription. Thank god I exported my data weeks before...I don't even want to imagine what other people are going through right now. I'm so angry and betrayed.

This is oddly similar to the insomnia http client moving to a paid model only. Always turn off auto updates!

I reported it to the App Store and all users should. This was a train wreck random attempt

get filtered by trusting a third party with your passwords

This is ridiculous. I'm just thankful for the fact that I added all the OTP secrets in BitWarden if I ever where to upgrade to Premium. Today I did that...