How to Decrypt "Secrets for Android" Files
Secrets for Android is a nifty Android application that allows you to securely store passwords and other sensitive data on your Android phone. Your data are encoded with your supplied password using strong cryptography and are therefore protected if your phone gets stolen. Although the application offers a backup and an export facility, I found both wanting in terms of the availability and confidentiality associated with their use.
Specifically, the backup data that the application saves on the SD card remain encrypted, which means that if your phone gets stolen you will not be able to access your data until you find another Android phone to install the application and restore the data. An alternative involves exporting the data to the SD card. This operation will decrypt them, which however means that your data are exposed if you forget to delete the file after you create a (hopefully secure) backup or if someone un-deletes the file from the SD card.
Given that the program's source code is available as open source software I decided to modify it so that it could run on any standard Java-SE environment, like my PC. It turned out that this wasn't trivial, because the code intermingled Java-SE code with Android API classes and calls. After some work I managed to isolate a subset of the code that would decrypt the data. At that point I could write a command-line program to decrypt the data after prompting the user for the corresponding password. The program thus allows any standard Java-SE platform to decode Secrets for Android files. You can download an executable version of the program from its web page.
To decode an existing file run
java -jar lib/secrets.jar inputfile outputfileIf you use non-ASCII characters in your secrets, note that the output file uses the UTF-8 Unicode character encoding.
the default installation of the Java runtime environment doesn't offer
cryptographic services, nor does it play particularly well with existing
Therefore, you will need to obtain the
Legion of the Bouncy Castle
crypto provider library
bcprov-jdk....jar and install the
secrets.jar file alongside the
crypto provider library
to the JVM you're using.
Furthermore, to avoid an
InvalidKeyException: Illegal key size,
which is generated when a vanilla Java installation tries to use
a long cryptographic key,
you must modify
your Java runtime installation to support strong cryptography.
For that download the strong cryptography policy files from
the location where you downloaded your Java runtime environment,
and install them according to the supplied instructions.
Needless to say, I'm making the project's source code available as open source software. You can access the project at GitHub through this link.Read and post comments