I signed my Android app with a keystore a couple years ago, now need to update it, and have forgotten the password that I used. I know it was probably a simple password, so is there any way to extract the hash of the password so I can brute force it?
I have been working with Patator to brute force the keystore but it seems like Patator can only try candidates from a list, not generate new candidates. But if I can get that password hash it seems like it would be an easier problem to solve.
Or if anyone knows anything else about brute forcing a password from a keystore I am all ears.
It's not that simple, but if you want to have a go at it, the format is here: http://metastatic.org/source/JKS.html
You can also find relevant source on that site (for the store implementation, but you should be able to modify it to try new things).
Getting the hash would only help you if you use a rainbow table (precomputed hashes for common words/passwords). Since the JKS implementation has a salt (of sorts), you probably wouldn't be able to use a ready-made table, and generating one would take about the same time. If you are sure it's simple, try using a larger dictionary. If it has numbers or symbols, combine the dictionary with those.
Or just publish the app again.
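The "salt (of sorts)" point above, as an added example that is not part of the original answers: a JKS file ends with a SHA-1 digest computed over the store password, a fixed constant and the file body, so the stored value depends on the file's own content and cannot be looked up in a generic precomputed table. The sample store is constructed (zero entries), and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"   # constant the JKS provider mixes into the digest
DIGEST_LEN = 20                  # SHA-1 output size


def keyed_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (2 bytes per char, big-endian), whitener, store body."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_store(password: str, version: int = 2) -> bytes:
    """Constructed sample: a JKS file with zero entries, sealed with `password`."""
    body = struct.pack(">IIi", JKS_MAGIC, version, 0)  # magic, version, entry count
    return body + keyed_digest(password, body)


def check_store(data: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'digest-mismatch' for a JKS byte string."""
    if len(data) < 12 + DIGEST_LEN:
        return "not-jks"
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not-jks"
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    # A wrong password and a modified body both surface as the same mismatch.
    if hmac.compare_digest(keyed_digest(password, body), stored):
        return "ok"
    return "digest-mismatch"


def flip_byte(data: bytes, offset: int) -> bytes:
    """Copy of `data` with one bit flipped at `offset` (simulated corruption)."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    store = build_empty_store("constructed-pass")
    print(check_store(store, "constructed-pass"))
    print(check_store(store, "wrong-pass"))
    print(check_store(flip_byte(store, 11), "constructed-pass"))
    # Same password, different file content: the trailing digests differ.
    print(store[-20:] != build_empty_store("constructed-pass", version=1)[-20:])
```

Because a wrong password and a damaged file fail the same comparison, the check cannot tell the two apart, which is why a single error message covers both cases.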
What I want to know is can a signed apk be extracted and edited? And can the attacker again compress the apk and attack a victim?
I know that we can use proguard to obscure the code but some people said that the apk still can be extracted and modified through reverse engineering.
My main concern is I want to encrypt my java files because I have some authentication data in my java files.
Can anyone give me a bulletproof method to protect java files from being inaccessible?
Edit -
Found a few old threads on Stack, but they never explained about signed APKs and protecting them from getting exploited.
Yes. Cryptographic signing is not encryption. Signing proves that whoever signed it knew a secret key. Assuming the key is kept secure, you can be sure that two files signed by the same key are from the same person. With some forms of signing with public and private keys, it can be used to prove the identity of the signer. This does not provide any protection against reading that data, although it does provide protection against a counterfeit copy of the app being claimed as the real thing (assuming the user pays attention to the signature).
There is no way to do what you want to do. In the end, an app has to be run by a processor or interpreter. That means it needs to be translated into instructions that the processor understands. If you want something to be secure, do not put it on a client device. There is no way to protect it if you're sending it to a device that needs to decrypt it and use it.
Any APK can be decompressed and have its sources read. You cannot, however, edit it and sign it without the signing key.
There is no way to encrypt your source files and everything inside of them is readable by anyone. Authentication data shouldn't be stored in an application if it is expected to be secret.
Signed APKs can easily be reverse engineered. You should never place authentication data in the source code. There is no bulletproof solution for this. However, you can make it difficult for the attacker by encoding and not placing your critical data in obvious places.
You should use another way to handle your authentication data. I've read something about building a binary and storing it inside the lib directory as a .so file. I'm not sure exactly what the process is because I haven't tried it, but you can research other methods; storing private data in Java source is not secure.
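The two claims in the answers above (anyone can read a signed APK, but changing it is detectable), as an added example that is not part of the original thread. It models only the manifest-digest layer of v1 (JAR) signing; the signature over the manifest, which is the part that needs the private key, is not modeled. The APK contents, the key value and all function names are constructed for the example.

```python
import base64
import hashlib
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SECRET_RE = re.compile(rb"(?i)(?:password|secret|api[_-]?key|token)\s*[=:]\s*[\x21-\x7e]{4,}")
# Constructed sample content; the key value is made up for this example.
SAMPLE_FILES = {"classes.dex": b"dex\n035\x00api_key=constructed-demo-key\x00",
                "res/raw/cfg.txt": b"mode=release"}

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def write_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_apk(files):
    """Payload files plus a v1-style manifest recording each file's digest."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return write_zip({**files, MANIFEST: "\r\n".join(lines).encode()})

def find_secrets(apk):
    """Reading needs no key: list credential-like strings in every entry."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [(n, m.group().decode()) for n in zf.namelist()
                for m in SECRET_RE.finditer(zf.read(n))]

def modified_entries(apk):
    """Entries whose bytes no longer match the digest the manifest recorded."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        text = zf.read(MANIFEST).decode()
        recorded = re.findall(r"Name: (\S+)\r\nSHA-256-Digest: (\S+)", text)
        return [n for n, d in recorded if digest_b64(zf.read(n)) != d]

def repack_with(apk, name, data):
    """Simulate an edit made without the key: swap one entry, keep the old manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist()}
    return write_zip({**entries, name: data})

if __name__ == "__main__":
    print(find_secrets(build_apk(SAMPLE_FILES)))
```

Running `find_secrets` over your own release build before publishing is a quick way to catch credentials that were left in the code.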
I am trying to generate a release APK for my new game. I updated one of my other apps just 3 days ago and the keystore had no problem at all. I am absolutely sure I remember my passwords correctly, because when I give wrong passwords it says your password or username is incorrect.
Here's what I'm doing:
And here's what I'm getting:
Please help me what am I doing wrong here? Android studio updated 2 days ago. Do you think it would cause this problem? What should I do? Any help will be very much appreciated...
I had actually read this post, "Android Studio: cannot recover key", before I posted this question. I tried to do as he showed in his answer, though I was faced with this prompt: "file tampered with or password is incorrect". Now I know that the password is absolutely correct. I'm afraid I'll never be able to update my apps again.
I recommend you run a smart word list attack on the alias password using this tool here:
http://maxcamillo.github.io/android-keystore-password-recover/
Download the JAR file for this project using the URL above.
Create a text file called wordlist.txt with the words and strings that make up your password, in the order you think they appear. Put each string that you think is part of your password on a separate line. Do not leave blank lines in between each string. You may need to tinker with the wordlist.txt several times in this process to crack the password. You may also try all the variations of what you think is your password that you can possibly think of.
Save wordlist.txt to the same folder as the JAR file.
From command line, navigate to the directory that contains the wordlist.txt and the JAR file.
At the command line type: java -jar AndroidKeystoreBrute_v1.06.jar -k "full path to your keystore.jks" -d wordlist.txt to see the available options. You may want to try and use different options than what I used in my testing.
Run java -jar AndroidKeystoreBrute_v1.06.jar -m 3 -k "full path to your keystore.jks" -d wordlist.txt
The -m option specifies the method used to crack your password:
1 = brute force attack (could take weeks, months or longer)
2 = dictionary attack (your password must be in the dictionary)
3 = smart word list attack (strings that you specified in wordlist.txt)
I tested this for my own alias password many times and with many different variations in wordlist.txt, and it either cracked my password in less than 1 second or didn't find the password at all. Since you believe your alias password is the same as your key store password, this procedure should help you find both passwords.
Of course I know my password, so I knew what strings to put in that would work. But since you are fairly certain you remember your password, the smart word list attack should quickly find your password if it is actually a close variation of what you remember.
Good luck!!
In future you may want to store your password in a password manager, and always copy and paste passwords. Human memory is great for remembering general ideas, and completely unreliable for remembering exact items or details.
After some R&D, I got the solution:
your "Key store password" and your "Key password" need to be the same.
Got success after following #joshgoldeneagle's reply.
The prompt gave me the alias password only, but using the -w feature I got a key with both passwords set to the recovered password.
"-w saves the certificate in a new Keystore with same password as key"
java -jar AndroidKeystoreBrute_v1.06.jar -m 3 -k "full path to your keystore.jks" -d wordlist.txt -w
I exported application for the first time and I'm a little bit confused about keystore.
I want to use one keystore for all my next apps. So in Eclipse I will make a new keystore, but what should I put in Alias? Can I put the app name there, or what? I want to make a universal keystore for all kinds of apps. Can I put a different alias in my next app? Or would it be better to put my first and last name in the alias?
Is keystore visible when someone decompile your app?
Thanks for little explanation about keystores.
The keystore is simply a file format designed to contain one or more keys, a.k.a. certificates. It doesn't matter whether you keep all your keys in one keyfile, and it doesn't matter what you name the keyfiles or the key aliases. Nothing but the actual content of the key itself has any effect whatsoever on your app.
The keystore does not normally become part of the app, and you should make sure not to put it in your /res folder or anywhere else where it might end up getting compiled into the APK. In fact, it's probably a good idea to keep it outside the project directory entirely. Most of the strength of the key is in the practical impossibility of guessing or regenerating its contents. If someone acquires a copy of your keystore, the only thing stopping them from publishing bogus versions of your app is whatever password you put on it.
If you want to split hairs, the docs are wrong. The certificate does not identify the author of the app. It only proves that the app was signed by someone who was in possession of your key. Protect your keystores!
If you want to have one keystore file for all the apps then you cannot change the alias name. It is asked during creating the keystore file.
Next time whenever you compile and build the apk file you have to use the existing keystore file.
Hope you understood.
I had stumbled upon this simple question of what is the best way for me to open a database or use a service which is secured, in the sense, will work only when correct password is provided.
I have looked at SharedPreferences as a way of retrieving information, but I need to create an app which will store the password in the first place, which by itself means I need to write it in code somewhere or other.
Account Manager is yet another way i've considered.
Store the actual password in an AES encrypted format, in a file, or in an sqlite db. But that means the key will have to be in the code.
I would've thought that this is a fairly common problem that people face and i'm wondering how people solved it!
In my opinion you can encrypt your data using AES encryption. But the main problem is that the key is not safe. An APK can be decompiled. So there is a method to hide the key. Implementation is a bit difficult. Use native coding (NDK). You can write your key in a C file, and after compilation you get a .so file. This file can be included in your project. Make a call from Java to a C function and return the key. But another problem is that the strings written in C are visible when you open the .so file. So generate the ASCII codes of your key and make a string using the ASCII codes in C.
I am completely new to android. What I wanna do is, from a given textbox, I want to get the number, encrypt it with a key stored in the android app (which increments each time the user does the encryption) and then pass the ciphertext through sha1 and then print it back on the screen. Can anybody give me some basic help?
I don't understand what is incrementing, but I will give a shot.
You can use BouncyCastle (how to add bouncycastle algorithm to android) for the encryption, and then just use base64 on the SHA1 (which is weak) hash in order to have it be printable.
The only trick is how you get the key on the Android, your best bet may be to have it be generated on the device.