AES Encryption and Decryption in C - android

I am creating an application where I save some privacy documents.
I want to save those files as Encrypted format.
I searched Google for an AES encryption/decryption algo in C. I am not able to find a standard algorithm implementing AES.
Can anyone suggest me AES Enc/Dec in C ?? please
I would like to use the same algorithm in both android and iPhone

Not really sure what Android and iPhone have to do with this, especially given that you're looking for a C implementation, but....
There's ccrypt:
http://ccrypt.sourceforge.net/
Here's a really small one:
http://www.literatecode.com/aes256
A reference implementation:
http://embeddedsw.net/Cipher_Reference_Home.html
Another:
http://gladman.plushost.co.uk/oldsite/AES/index.php
mcrypt:
http://sourceforge.net/projects/mcrypt/

AES is a standard algorithm, so there should be no need to seek a "common" implementation in C. Instead, you should learn how to perform AES encryption in both platforms. Provided you are consistent with your encryption mode and padding, you should be able to interoperate just fine.

Related

Method to discover encryption pattern using a small piece of the decrypted text?

I've been trying to decompile and extract useful data from an APK for some time now. This data is stored in CSV files inside an "assets" folder. Unfortunately, the developers got smart, and have begun encrypting these CSVs starting in July. I've exhausted every way I know of to try and turn these files into readable versions of themselves without any success. But then, I realized, there are a few files in the assets folder that haven't changed since well before July—thus, I have both the decrypted and encrypted versions of these files. Using this knowledge, is it possible to predict the encryption pattern that all other files in the directory went through?
I'm fairly sure that it was encrypted bit-level, not byte-level since there are a lot of unknown characters (represented as special question marks) while trying to read these CSVs using Notepad/TextEdit/Atom in UTF-8 mode (or any other mode except UTF-16, really).
You're talking about a "known plain text" attack. No modern, widely used
method is vulnerable to this kind of attack, but many home grown encryption
methods are. Even with known text, you need to know or guess a lot about
the details of the encryption algorithm.
A better plan might be to hack the software that you know is doing the
decrypting, which must contain both the algorithm and the key.
You'd have better luck simply guessing based on the encrypted output. You'll need to familiarize yourself with characteristics of the output of algorithms and compare against what you see. This is probably a lot easier for hashes but you're talking about encryption. To answer your question though, it's unlikely that you're going to be able to use an unencrypted version of a file to break the encrypted one. You might try encrypting that file using different algorithms and comparing the results. That might give you the algo but could take longer.
Alternatively, here are some tools I found that might be able to automate the process for you...
https://code.google.com/archive/p/aligot/
https://bitbucket.org/daniel_plohmann/simplifire.idascope
https://www.aldeid.com/wiki/IDA-Pro/plugins/FindCrypt2
To crack it, you're also going to need to find the key that was used to encrypt it. Since it's a program that obviously must be decrypted to use, that key shouldn't be impossible to find. It's either in the apk or on a server somewhere, in which case use wireshark, but I'm guessing it's embedded.
They might be using DexGuard or ProGuard. Here's a related post: What methods are being used to protect this Android APK: Reflection? Encryption? How do I reverse engineer it and analyze it?
If it's ProGuard you might start with something like this: http://proguard.sourceforge.net/manual/retrace/examples.html
Here's some info on that: How to decode ProGuard's obfuscated code precisely?

Lightweight cipher type for CipherInputStream and CipherOutputStream

I am using a 128-bit AES cipher algorithm. But the program takes a long time, since the files to encrypt are big.
I was wondering if there is a more light cipher algorithm to use in Android. I can't find a list of supported ciphers in Android.
Have you tried to use shorter keys with AES instead? You can try an OpenSSL build as native code, but I guess Dalvik already uses optimized libraries, so I don't think it will help. There are good reasons AES takes some time; by choosing something faster, you will have to lower real security.
I suggest you should not encrypt whole file if you need speed. Instead, encrypt only header or parts of file, without which rest of file is not useful. However it depends on what data you are encrypting and will not work for generic data files.

Encryption system in android

I'd like to leave the user the possibility to choose the encryption method, but for now I implemented just AES with SHA1PRNG. With AES/CBC/PKCS5Padding it doesn't work.
What other encryption methods work with Android?
I have to encrypt data to store it in a db and then decrypt it to show it.
The error returned:
java.security.NoSuchAlgorithmException: SecureRandom AES/CBC/PKCS5Padding implementation not found
here:
SecureRandom.getInstance( "AES/CBC/PKCS5Padding" );
Do you want to use a random number generator (which is what SecureRandom is for), or do you want to use an encryption algorithm (which is what AES is for)?
If you want an encryption algorithm (and its implementation), use the javax.crypto.Cipher class, which should support your AES/CBC/PKCS5Padding algorithm.
In principle you can use AES to build an RNG, too, but then you would not use CBC/PKCS5Padding, but something like ANSI X9.31. I don't think this is implemented in any Java and/or Android API for SecureRandom.
According to the reference it only supports SHA1PRNG, unless you install other providers.
See: http://developer.android.com/reference/java/security/SecureRandom.html
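The split the answers describe, as an added example that is not code from the original posts: `SecureRandom` supplies only the random IV, while `javax.crypto.Cipher` carries the `AES/CBC/PKCS5Padding` transformation. The class name, the IV-then-ciphertext layout and the sample text are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class AesCbcExample {
    // Algorithm/mode/padding spelled out: a bare "AES" leaves mode and padding to the provider.
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    static final int BLOCK = 16; // AES block size, also the CBC IV length

    // Output layout (a choice made for this example): IV || ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);              // SecureRandom: random bytes only
        Cipher c = Cipher.getInstance(TRANSFORMATION); // Cipher: the encryption algorithm
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, BLOCK + ct.length);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        // PKCS5Padding always emits at least one block, so a valid blob is IV + n blocks, n >= 1.
        if (blob.length < 2 * BLOCK || blob.length % BLOCK != 0)
            throw new IllegalArgumentException("not an IV || ciphertext blob");
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, BLOCK));
        // CBC gives confidentiality only: a modified blob may still decrypt without error.
        return c.doFinal(blob, BLOCK, blob.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] row = "constructed sample row".getBytes(StandardCharsets.UTF_8);
        byte[] a = encrypt(key, row), b = encrypt(key, row);
        System.out.println("round trip ok: " + Arrays.equals(row, decrypt(key, a)));
        System.out.println("same plaintext, different output: " + !Arrays.equals(a, b));
    }
}
```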

Android external storage encryption

I want to know how to encrypt the external storage data (.asec).
Which algorithm is used, AES or another method?
And then what is the encryption key?
If a method to generate encryption key is open source, I think that it is going to cause a problem.
I would be grateful for any information about this.
The Android Open Source Project provides a document describing their crypto implementation.
Basically, they use AES in the Linux DM-CRYPT layer. See the document for full details, including how it interacts with vold.

encrypt data in SharedPreferences

I'm currently developing a framework for oAuth 1 and 2 access to webservices and my question is, how do I store sensitive data like an oAuth access key in a secure way?
The problem with these keys is that some platforms like Twitter use a permanent key, and if someone got access to this key he could do whatever he wants with the user's Twitter account.
So is it possible to automatically encrypt the data before it is stored in the shared preferences? Or is there a better way/place to store very important data?
UPDATE - ALSO READ: What is the most appropriate way to store user settings in Android application
You can also have a look at this class I made for doing exactly this: https://github.com/sveinungkb/encrypted-userprefs
It uses AES instead of the deprecated and weak DES used in the other suggestion.
1). How to encrypt?
On Android the encryption is done via Java Cryptography Architecture (JCA). Mainly it is the javax.crypto.* package.
JCA Reference Guide
Here is an example of JCA API usage (AES algorithm in particular).
2). Where to store?
Encryption API manipulates with byte arrays (not strings). This means you can use SharedPreferences, but you'll need to apply Base-64 encoding on the encrypted byte array before putting it into SharedPreferences (otherwise XML parser will fail to read the shared preferences file). Then to read you will need to use Base-64 decoding. Note that by default most Android OS versions do not have a built in Base-64 API (see UPDATE section). So to remove this Base-64 overhead I would recommend just to store your bytes in a private file.
UPDATE: Since API Level 8, the API has android.util.Base64.
I would recommend using Facebook Conceal for encryption on Android almost every time - it's a fast Android library that makes some really sane decisions and leaves you with a few, simple interfaces for actually doing the work.
Bonus! I have recently pieced together the puzzle of how you can use it from Xamarin - see my article on securing your C# app's data using conceal for more information.
You should take a look at Slink.
I came to realize that most of the SharedPreferences encryption tools use encryption for each action you make, meaning that each key-value pair is saved only after both key and value been encrypted, separately. This creates a big performance overhead.
So I searched for a library that will give me a more efficient encryption process and I found Slink. Slink uses Facebook's Conceal library to save the entire map of objects as a whole, making it the most efficient and fast SharedPreferences encryption solution. It also uses common Android's SharedPreferences interfaces, which makes the usage extremely easy and almost seamless.
Disclaimer: I'm part of the development team developing this library.
See duplicate: Obfuscate/Encrypt SharedPreferences file possible?
Hi, I've created a SharedPreferences implementation using AES encryption. The project is a maven module. If you need one, take a look. https://github.com/kovmarci86/android-secure-preferences
Try using our https://github.com/BottleRocketStudios/Android-Vault Vault component. It will use Android's Keystore (on supported devices) or an Obfuscation technique to encrypt values in a SharedPreference file and implements the SharedPreference interface, so it is largely a drop-in replacement.
New encryption introduced by Facebook: Conceal encryption. Easy to use.
https://github.com/afiqiqmal/ConcealSharedPreference-Android
This article on codeproject contains a nice wrapper for the shared prefs. However the class name SecurePreferences is misleading something like ObfuscatedPreferences would be more appropriate.
There is an Android Library that uses Facebook Conceal to encrypt data.
https://github.com/rtoshiro/SecureSharedPreferences
Maven Central:
compile 'com.github.rtoshiro.securesharedpreferences:securesharedpreferences:1.0.+'
You can encrypt the data in preferences and keep the encryption key in the Android Keystore system. This way your encryption key would also be safe.
You can look into a library doing this
https://github.com/ophio/secure-preferences
