Actually I am new to android. Can we encrypt a folder which
contains sub folders and files in sdcard and decrypt it back ?
Any Help will be greatly appreciated.
Thank you.
How new are you to Java in general? You can use all the javax.security and javax.crypto classes (like Cipher) in Android to provide data encryption/decryption.
Keep in mind that files on the SD card can be accessed by the user directly (either by mounting on a PC and exploring or through File Manager apps), which means there is a chance that, while they may not be able to read the data in the file, a user could theoretically delete the directories you create there if they so choose...and that may not be kosher for your application.
Also, there really is no way to simply set up a folder as "encrypted" and automatically have any file there be protected for you. You would need to create the directory you want to use, and then encrypt/decrypt each file as you write/read the data.
Hope that helps!
If you're trying to encrypt data private to your application, and not the user, then you would need access to a key/token/nonce to unencrypt. Unless you're doing the encryption remotely or using the Android NDK it would be trivial to obtain the key/token/nonce and unencrypt it. Apk's aren't compiled and can easily be unpackaged and the source viewed.
You certainly can encrypt and decrypt data on Android as explained in the other answers. But consider the "doing" gets more complicated.
1) Use DES and a 56 bit key and you do not need an export license in the US. Use AES or TDES with 128 or 256 bit key and you may need to start filling out the paperwork :)
2) Unless you want the user to enter a passphrase exactly equal to the key size you may want to seed and then multi hash the passphrase using say SHA256.
3) You may need to encode the cipher data into a 64 bit character set (letters upper and lower case, numbers,+ and /) as cipher text. This usually takes groups of three bytes, expands them to four bytes with = as a pad when needed. Just search the internet for base64 encode decode algorithms.
4) You may want to add a LEVEL OF INDIRECTION into the scheme so that the user can change the password at a later date WITHOUT changing the file symmetric key. So there are two encryptions, encrypting the file with a random symmetric key and then encrypting the random symmetric key with the users passphrase. UGH.
Related
I've been trying to decompile and extract useful data from an APK for some time now. This data is stored in CSV files inside an "assets" folder. Unfortunately, the developers got smart, and have begun encrypting these CSVs starting in July. I've exhausted every way I know of to try and turn these files into readable versions of themselves without any success. But then, I realized, there are a few files in the assets folder that haven't changed since well before July—thus, I have both the decrypted and encrypted versions of these files. Using this knowledge, is it possible to predict the encryption pattern that all other files in the directory went through?
I'm fairly sure that it was encrypted bit-level, not byte-level since there are a lot of unknown characters (represented as special question marks) while trying to read these CSVs using Notepad/TextEdit/Atom in UTF-8 mode (or any other mode except UTF-16, really).
You're talking about a "known plain text" attack. No modern, widely used
method is vulnerable to this kind of attack, but many home grown encryption
methods are. Even with known text, you need to know or guess a lot about
the details of the encryption algorithm.
A better plan might be to hack the software that you know is doing the
decrypting, which must contain both the algorithm and the key.
You'd have better luck simply guessing based on the encrypted output. You'll need to familiarize yourself with characteristics of the output of algorithms and compare against what you see. This is probably a lot easier for hashes but you're talking about encryption. To answer your question though, it's unlikely that you're going to be able to use an unencrypted version of a file to break the encrypted one. You might try encrypting that file using different algorithms and comparing the results. That might give you the algo but could take longer.
Alternatively, here are some tools I found that might be able to automate the process for you...
https://code.google.com/archive/p/aligot/
https://bitbucket.org/daniel_plohmann/simplifire.idascope
https://www.aldeid.com/wiki/IDA-Pro/plugins/FindCrypt2
To crack it, you're also going to need to find the key that was used to encrypt it. Since it's a program that obvious must be decrypted to use, that key shouldn't be impossible to find. It's either in the apk or on a server somewhere in which case use wireshark but I'm guessing it's embedded.
They might be usig DexGuard or ProGuard. Here's a related post What methods are being used to protect this Android APK: Reflection? Encryption? How do I reverse engineer it and analyze it?
If it's ProGuard you might start with something like this: http://proguard.sourceforge.net/manual/retrace/examples.html
Here's some info on that: How to decode ProGuard's obfuscated code precisely?
I generate a small metadata file (2KB) from my app which needs to be unreadable if the user browse through file system. These files will not be transferred elsewhere through my app.
After prolong research I figured I have to use Symmetry encryption. But I am lost what type of algorithm and how to use key/salt. Efficiency of the algorithm is important because the file is updated on onPause method.
Should I declare it in code and use that for all users or should I generate new one for each user. If I go with second option, where do I store the key/salt for later use. Should I obfuscate the code?
Please advice.
Currently I have short listed these two. Are they secure enough for my requirement? How can I improve them?
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
String Encryption in Android
I've tried to package the apk with encrypted assets(image, text, etc.).
When it's run on Android the assets will be decrypted and then displayed (of course I hard-coded the decryption key in the source code).
I guess: as long as the source code is protected, then the decryption key will also be protected, which means the assets is finally protected?
Questions:
1. If ProGuard is used to obfuscate the apk, is the decryption key safe?
2. If I code the decryption key in JNI(C++) and let JNI do the decryption, is the decryption key safer?
I've also made 2 demo Android apps with encrypted assets that you can try hacking.
The first one uses obfuscated Java to decrypt the assets with AES key (hard-coded in Java):
https://drive.google.com/file/d/0B9O3ChlSQJL1dVZUZmFtWlRyMXc/edit?usp=sharing
The second one uses JNI to decrypt the assets with AES key (hard-coded in JNI):
https://drive.google.com/file/d/0B9O3ChlSQJL1UWU0VlprcXdVUjg/edit?usp=sharing
If you are able to get the original assets in the first demo, please let me know.
If you are able to get the original assets in the second demo, please also let me know.
Any suggestions about better solutions for assets protection are appreciated!
Without looking at your code, no amount of obfuscation is going to 100% hide an "in the clear" private key.
I had stumbled upon this simple question of what is the best way for me to open a database or use a service which is secured, in the sense, will work only when correct password is provided.
I have looked at SharedPreferences as a way of retrieving information,but i need to create an app which will store the password in the first case, which by itself means i need to write it on code somewhere or the other
Account Manager is yet another way i've considered.
Store the actual password in an AES encrypted format, in a file, or in an sqlite db. But that means the key will have to be in the code.
I would've thought that this is a fairly common problem that people face and i'm wondering how people solved it!
In my opinion you can encrypt your data using AES encryption. But the main problem is the key is not safe. APK can be decompiled. So there is a method to hide the key. Implantation is bit difficult. Use native coding (NDK). You can write your key in a C file and after compilation you get a .SO file. This file can be included in your project. Make a call from java to a C function and return the key. But another problem is the strings written in C is visible when you open the .SO file. So assign generate ascii code of your key and make a string using the ascii code in C.
I am completely new to android. What I wanna do is, from a given textbox, I want to get the number, encrypt it with a key stored in the android app (which increments each time the user does the encryption) and then pass the ciphertext through sha1 and then print it back on the screen. Can anybody give me some basic help?
I don't understand what is incrementing, but I will give a shot.
You can use BouncyCastle (how to add bouncycastle algorithm to android) for the encryption, and then just use base64 on the SHA1 (which is weak) hash in order to have it be printable.
The only trick is how you get the key on the Android, your best bet may be to have it be generated on the device.