by ufmace
3095 days ago
Thanks for the clarification. This reveals a couple of other points. This flaw is that the fingerprint/PIN auth for their TOTP authenticator app can be bypassed by manually launching one of the app's activities. This is a separate auth layer over the phone's screen lock.

The first exploit path here is thus that if a malicious user gets access to your unlocked phone, they could install one of these activity opener utilities and access this app's TOTP code screen. That gets them the current TOTP codes, but not the secret for generating them. Note that this is currently the security level that Google's Authenticator app already has.

The other, which I'm a little less clear on, is that a malicious app gets installed somehow, it launches the activity, and manipulates the UI to hit the buttons and read the screen to get your current TOTP codes. I think Android apps' abilities along these lines have changed around several times between Android versions, and I'm not sure which version does what, but I think the current version requires the user to set a special checkbox in settings for an app to be able to do these things. If you can get a user to do that for your malicious app, it can do all sorts of bad things.

In both cases, the attacker would be getting current codes, not the secret, which would still be locked away safely in the app's storage. So while this flaw is kind of bad and should be fixed, it doesn't have me running for the hills, esp. since I don't even use this app.