I'm using SpongyCastle (full implementation of BouncyCastle's crypto functions for Android) and I have a bks that contains a key of size 384. I'm trying to extract that key using the method KeyStore.getKey(alias, password) as you would any key in a keystore. But what I'm running into is the error
java.security.UnrecoverableKeyException: no match.
Doing a little bit of research indicates that it might be because the key size is too big for Android to handle which makes sense as my program gets the other keys of sizes 128 and 256 no problem. Normally in Java, this would be resolved by importing the "Unlimited Strength" JCE into the Java security folder but what about android? Can I import the unlimited strength JCE into android (my gut instinct is no) If not, are there any suggestions as to how to extract the key? SpongyCastle has solved a lot of my other issues, I'm hoping there's a SpongyCastle solution here too.
Thanks!
So after much wrestling with it, I figured out the problem.
I wasn't specifying a provider so my program defaulted to the default Android BouncyCastle. The minute I did
KeyStore ks = new KeyStore("BKS","SC");
as opposed to
KeyStore ks = new KeyStore("BKS");
it worked just fine and did not complain.
Related
A private key has been #define in the C code of .so file. This key is used for the customized authentication process between client-server.
In some video and blog, people show how to disassemble .so file using IDA as well as extract function information. The output should be assembly language. How difficult to extract the key value from such output?
If the answer is the key defined in .so also needs protection, do I need to apply obfuscation on the C code before converting it to .so? Whether the normal algorithm will be affected for C?
It is possible and for skilled reverse engineer it is more or less easy. Obfuscating the secret key only slows down the hacker, but don't give you 100% protection. Consider using certificates signed by some authority.
I've been trying to decompile and extract useful data from an APK for some time now. This data is stored in CSV files inside an "assets" folder. Unfortunately, the developers got smart, and have begun encrypting these CSVs starting in July. I've exhausted every way I know of to try and turn these files into readable versions of themselves without any success. But then, I realized, there are a few files in the assets folder that haven't changed since well before July—thus, I have both the decrypted and encrypted versions of these files. Using this knowledge, is it possible to predict the encryption pattern that all other files in the directory went through?
I'm fairly sure that it was encrypted bit-level, not byte-level since there are a lot of unknown characters (represented as special question marks) while trying to read these CSVs using Notepad/TextEdit/Atom in UTF-8 mode (or any other mode except UTF-16, really).
You're talking about a "known plain text" attack. No modern, widely used
method is vulnerable to this kind of attack, but many home grown encryption
methods are. Even with known text, you need to know or guess a lot about
the details of the encryption algorithm.
A better plan might be to hack the software that you know is doing the
decrypting, which must contain both the algorithm and the key.
You'd have better luck simply guessing based on the encrypted output. You'll need to familiarize yourself with characteristics of the output of algorithms and compare against what you see. This is probably a lot easier for hashes but you're talking about encryption. To answer your question though, it's unlikely that you're going to be able to use an unencrypted version of a file to break the encrypted one. You might try encrypting that file using different algorithms and comparing the results. That might give you the algo but could take longer.
Alternatively, here are some tools I found that might be able to automate the process for you...
https://code.google.com/archive/p/aligot/
https://bitbucket.org/daniel_plohmann/simplifire.idascope
https://www.aldeid.com/wiki/IDA-Pro/plugins/FindCrypt2
To crack it, you're also going to need to find the key that was used to encrypt it. Since it's a program that obvious must be decrypted to use, that key shouldn't be impossible to find. It's either in the apk or on a server somewhere in which case use wireshark but I'm guessing it's embedded.
They might be usig DexGuard or ProGuard. Here's a related post What methods are being used to protect this Android APK: Reflection? Encryption? How do I reverse engineer it and analyze it?
If it's ProGuard you might start with something like this: http://proguard.sourceforge.net/manual/retrace/examples.html
Here's some info on that: How to decode ProGuard's obfuscated code precisely?
MD5 fingerprint of any app can be easily acquired using keytool. Then what is the most unique identifier an app has?
I am trying to build a client server app and I want a secure the communications.
My problem revolves around these two assumptions -
1) Someone can reverse engineer my app and understand how I interact with server webservices
2) My app can be simply uninstalled and replaced with malicious app with similar package name.
The system can easily compromised using these two loopholes.
My solution to these problems was transmitting MD5 signature of my app to the server. The MD5 signature will be conveyed to server before hand. MD5 signature is unique for every app, But there is big problem in this approach. MD5 signature of any apk can be generated using keytool. Anyone may pull my apk and generate MD5 and use it in the webservices communication.
What is the unique identifier of an android app?
Package name and MD5 fingerprint can be easily compromised!
Basically you want to be sure that you are talking to your client app at server end.
Verify Back-End Calls from Android. This link could be helpful as it gives high confidence for such a case. (HTTPS is must here)
As an additional step for #Maddy 's answer, you might think about tamper resistance/integrity protection techniques, that will make your app inoperable in case somebody tried to modify it. DexProtector (http://dexprotector.com) could be the solution here. The slides under the link also should be helpful.
N.B.
I am Licel's CEO, thus I am affiliated with DexProtector.
First question
1) My app can be simply uninstalled and replaced with malicious app with similar package name.
best approach is probably the use of ANDROID_ID
Try this link http://blog.vogella.com/2011/04/11/android-unique-identifier/
Check this also http://android-developers.blogspot.in/2011/03/identifying-app-installations.html
Solution for the second issue
2) Someone can reverse engineer my app and understand how I interact with server webservices
Use DexGuard, which can make reverse engineering even harder, like by encrypting strings
https://www.saikoa.com/dexguard
Proguard
“The ProGuard tool shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is a smaller sized .apk file that is more difficult to reverse engineer.”
When you create android project.
1. proguard.cfg file is automatically generated in the root directory of the project.
2. The default configuration file only covers general cases, so customize as per your needs.
Enable it
“Set the proguard.config property in the /project.properties file. The path can be an absolute path or a path relative to the project’s root.”
Case1: Just add proguard.config=proguard.cfg if the proguard.cfg is in projects root path.
Case2: Configure from other location [proguard.config=/path/to/proguard.cfg]
Remove the “#” (or uncomment) the proguard configuring statement in project.properties. Which will be in commented initially.
Customize it. try this link http://1belong2jesus.wordpress.com/
I signed my Android app with a keystore a couple years ago, now need to update it, and have forgotten the password that I used. I know it was probably a simple password, so is there any way to extract the hash of the password so I can brute force it?
I have been working with Patator to brute force the keystore but it seems like Patator can only try candidates from a list, not generate new candidates. But if I can get that password hash it seems like it would be an easier problem to solve.
Or if anyone knows anything else about brute forcing a password from a keystore I am all ears.
It's not that simple, but if you want to have go at it, the format is here: http://metastatic.org/source/JKS.html
You can also find relevant source on that site (for the store implementation, but you should be able to modify it try new things).
Getting the hash would only help you if use a rainbow table (precomputed hashes for common words/passwords). Since the JKS implementation has a salt (of sorts), you probably wouldn't be able to use a ready made table, and generating one would take about the same time. If you are sure it's simple, try using a larger dictionary. If it has numbers, symbols, combine the dictionary with those.
Or just publish the app again.
I am completely new to android. What I wanna do is, from a given textbox, I want to get the number, encrypt it with a key stored in the android app (which increments each time the user does the encryption) and then pass the ciphertext through sha1 and then print it back on the screen. Can anybody give me some basic help?
I don't understand what is incrementing, but I will give a shot.
You can use BouncyCastle (how to add bouncycastle algorithm to android) for the encryption, and then just use base64 on the SHA1 (which is weak) hash in order to have it be printable.
The only trick is how you get the key on the Android, your best bet may be to have it be generated on the device.