this post was submitted on 29 Jan 2026
34 points (97.2% liked)

Australia


We rely on myGov, but can we trust its code?

Millions of Australians use myGov to access essential services like Medicare, the ATO, and Centrelink. The myGov Code Generator app is one of the options for enhancing myGov login security.

But is it actually secure? Services Australia, the agency that publishes it, claims it is. But when I requested the app's source code under Freedom of Information (FOI) laws, Services Australia refused, arguing that releasing the code would help "nefarious actors" and compromise security. In other words: "Security by Obscurity".

True security requires transparency. Hiding the code prevents independent experts from auditing the system for flaws. It also denies secure access to government services for people who do not live in the Google or Apple "walled gardens", or to people with disabilities and culturally and linguistically diverse cohorts who cannot use the app as designed, but who could use modified or translated versions.

A merits review at the Administrative Review Tribunal (ART)

After years of waiting for the OAIC's review of Services Australia's access refusal decision, which they punted on due to the technical nature of the matter, I applied to the Administrative Review Tribunal (ART) for review. In this proceeding I will challenge the government's claim that hiding public, publicly-funded software is necessary and in the public interest.

This is not just a fight about source code: it is a fight for the right to know how our government's essential digital infrastructure works, and for the right to make it better for everyone.

The government will use taxpayers' money (probably lots of it!) to employ top legal counsel to defend their position of secrecy and control. I need your help to level the playing field in this fight for transparency, security, and freedom.

top 17 comments
sorted by: hot top controversial new old
[–] vividspecter@aussie.zone 1 points 19 hours ago* (last edited 19 hours ago)

I think a better approach would be:

  • Support conventional TOTP codes that any other 2FA app supports

  • Give passkeys first-class support (currently there is a bug where a passkey login is not counted as a real login, so you could lose your account due to inactivity if you don't login with a password in a while)

  • Support disabling SMS 2FA due to its security issues, although maybe don't remove it yet globally due to the need to support older devices and less technical users.

I know some are wary about passkeys because they are often tied to a device, but common password managers now have great support for it (such as Bitwarden and KeePassXC) and you could even use a physical key instead.

[–] MisterFrog@aussie.zone 1 points 1 day ago

I hate the fact I can't use my own 2FA app (KeePass)

I don't like the idea of losing access to my myGov account just because I lost my phone...

[–] No1@aussie.zone 14 points 3 days ago* (last edited 3 days ago) (1 children)

Nothing pisses me off more than websites that require you to install their app for 2FA.

There is no reason for you to not be using standards-based authenticator solutions. You don't code as well as the rest of the world, so don't get me started.

[–] spartanatreyu@programming.dev 1 points 2 days ago (1 children)

Counterpoint: A government portal needs to be extremely backwards compatible to support as many people as possible. That includes supporting devices that don't support the latest standards.

[–] Jumuta@sh.itjust.works 4 points 2 days ago

software standards can be implemented on whatever hardware

[–] makingStuffForFun@lemmy.ml 17 points 3 days ago

100% behind this. Public code, should be public code.

I should be able to access services without an American corporation having my data (Google, apple).

[–] fizzle@quokk.au 6 points 3 days ago (1 children)

Tricky.

I absolutely believe that all software paid for by public funds should be open source.

That said, they're not going to open source software which they commissioned without that requirement.

[–] spartanatreyu@programming.dev 2 points 2 days ago

Counterpoint: Public funds pay for software used by military and intelligence services. Certain information becoming publicly available can lead to real harm. (e.g. A self-assessment on a country's own weaknesses, methods that spies deployed abroad can deliver information back, etc...) How do you manage the infohazard risk?

all software paid for by public funds should be open source.

Should probably be changed to: all software paid for by public funds should be open source so long as there is no or low foreseeable infohazard risk.

[–] Strayce 1 points 3 days ago

Man I hate it when my access is recubed.

[–] No1@aussie.zone 1 points 3 days ago* (last edited 3 days ago)
[–] CameronDev@programming.dev -1 points 3 days ago (2 children)

One plausible reason for hiding the source code is that if Services Australia was forced to fully open source it, it would be trivial for bad actors to make knock-off clones that look and behave identically, while doing other bad things. We all know Google and Apple wouldn't do anything to prevent that happening...

Maybe a middle ground of releasing the code, but not the assets (images, style sheets, etc) could be reached?

Either way, I'm still interested, and I might contribute after doing a bit more reading of his past case.

[–] fizzle@quokk.au 5 points 3 days ago (1 children)

I disagree.

It's just a 2FA code generator? Or have I misunderstood.

[–] CameronDev@programming.dev 4 points 3 days ago* (last edited 3 days ago) (1 children)

"Just a 2fa code generator" is still a good phishing target. Stealing the 2fa seeds would be incredibly valuable for a bad actor. Which is exactly why it should be audited.

It does look incredibly basic though, it's basically a "my-first-android-app". So extremely trivial to recreate, which does somewhat nullify my original point about app clones.

I would be a bit more interested in the myID app (made by the ATO, but used more broadly), which has a lot more risk involved (uploading ID documents, facial data etc).
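To make concrete what vividspecter's "conventional TOTP codes", No1's "standards-based authenticator solutions" and the "2FA seeds" in the comment above actually are, here is an added example of the open standard every generic authenticator app implements (RFC 4226 HOTP and RFC 6238 TOTP). It is not code from the myGov Code Generator app, whose internals are exactly what the FOI request could not obtain, and it assumes nothing about how that app works. The key is the public test key from the RFC appendices, not a real seed; the issuer and account names are made up.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP: the open standard behind "any other 2FA app".

Added example; not code from the myGov Code Generator app. The key below is the
public test key from the RFC appendices, not a real seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Public RFC 4226 / RFC 6238 Appendix test key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter), dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits, algorithm)


def enrolment_uri(issuer: str, account: str, secret: bytes,
                  digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """otpauth:// URI (the QR-code payload) that any standards-based authenticator can import."""
    label = quote(f"{issuer}:{account}")
    params = {
        "secret": base64.b32encode(secret).decode().rstrip("="),  # seed travels in the clear here
        "issuer": issuer,
        "algorithm": algorithm.upper(),
        "digits": digits,
        "period": period,
    }
    return f"otpauth://totp/{label}?{urlencode(params)}"


def secret_from_uri(uri: str) -> bytes:
    """What an authenticator does on enrolment: recover the raw seed from the URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore stripped padding


class TotpVerifier:
    """Server side: clock-skew window plus replay protection.

    Whoever holds the seed can mint every future code, which is why a cloned
    app that exfiltrates seeds is the real prize; a single phished code is only
    useful until the time step it belongs to has been consumed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 algorithm: str = "sha1", window: int = 1) -> None:
        self.secret, self.step, self.digits = secret, step, digits
        self.algorithm, self.window = algorithm, window
        self.last_counter = -1          # highest time-step counter already accepted

    def verify(self, code: str, at: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False                # reject malformed input before any HMAC work
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:  # replay: this step (or an older one) was already used
                continue
            expected = hotp(self.secret, c, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    uri = enrolment_uri("ExampleIssuer", "user@example.invalid", SECRET)
    print(uri)
    print("code now:", totp(secret_from_uri(uri)))
    print("RFC 6238 vector, t=59, 8 digits:", totp(SECRET, 59, digits=8))
```

The seed in the otpauth URI is the whole secret: any app that can read the QR code, genuine or cloned, can generate valid codes for as long as that seed is enrolled, which is the point about seeds being the valuable target. The verifier also shows the two server-side checks a standards-based backend needs regardless of which app the user chose: a small skew window and a record of the last accepted step so a captured code cannot be replayed.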

[–] fizzle@quokk.au 2 points 2 days ago (1 children)

I guess you're right about 2fa seeds, but I do wonder why the play store isn't awash with dodgy 2fa seed generators. I'm not naive enough to believe that everything from the play store is "secure" but do they do some kind of rudimentary screening?

[–] CameronDev@programming.dev 1 points 2 days ago* (last edited 2 days ago)

There are a lot of tfa apps in the store, and search does seem to surface the brand name ones first, but there are a few no-name ones as well:

https://play.google.com/store/apps/details?id=twofa.account.authenticator
https://play.google.com/store/apps/details?id=com.authenticator.twofa.otp.password.authentication

I don't know that they are legit or not, but they exist.

I suspect if someone wanted to do this, they would use a fraudulent ad campaign to send people directly to the store listing, rather than hope for the Play Store search to find people.

And based on my experience with Google, they do fuck all screening, it's mostly just checks to ensure you have a privacy policy, no checks that the policy is actually followed...

[–] eatham@aussie.zone 3 points 3 days ago (1 children)

They could modify the original apps apks already anyway

[–] CameronDev@programming.dev 1 points 3 days ago

Sure, but having the full source makes that even easier.