

How to Decrypt "Secrets for Android" Files

Secrets for Android is a nifty Android application that allows you to securely store passwords and other sensitive data on your Android phone. Your data are encrypted under the password you supply using strong cryptography, and are therefore protected if your phone gets stolen. Although the application offers both a backup and an export facility, I found each wanting in terms of the availability and confidentiality associated with its use.

Specifically, the backup data that the application saves on the SD card remain encrypted, which means that if your phone gets stolen you will not be able to access your data until you find another Android phone on which to install the application and restore the data. The alternative is to export the data to the SD card. This operation decrypts them, which means that your data are exposed if you forget to delete the file after creating a (hopefully secure) backup, or if someone un-deletes the file from the SD card.

Given that the program's source code is available as open source software, I decided to modify it so that it could run on any standard Java-SE environment, such as my PC. It turned out that this wasn't trivial, because the code intermingled Java-SE code with Android API classes and calls. After some work I managed to isolate a subset of the code that would decrypt the data. At that point I could write a command-line program that prompts the user for the corresponding password and decrypts the data. The program thus allows any standard Java-SE platform to decrypt Secrets for Android files. You can download an executable version of the program from its web page.

To decrypt an existing file run

java -jar lib/secrets.jar inputfile outputfile

If you use non-ASCII characters in your secrets, note that the output file uses the UTF-8 Unicode character encoding.

Unfortunately, the default installation of the Java runtime environment doesn't offer the cryptographic services the program requires, nor does it play particularly well with third-party crypto providers. You will therefore need to obtain the Legion of the Bouncy Castle crypto provider library (bcprov-jdk....jar), picking the build corresponding to the JVM you're using, and install the secrets.jar file alongside it.

Furthermore, to avoid an InvalidKeyException: Illegal key size, which a vanilla Java installation throws when asked to use a long cryptographic key (such as a 256-bit AES key), you must modify your Java runtime installation to support strong cryptography. For that, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the location where you downloaded your Java runtime environment, and install them according to the supplied instructions. (Newer runtimes, from Java 8u161 and Java 9 onwards, ship with the unlimited-strength policy enabled by default, so this step only applies to older installations.)
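The following is an added example, written for this page and not the code of secrets.jar or of Secrets for Android. It shows, in one small Java-SE program, the three things the setup steps above are about: registering the Bouncy Castle provider at run time, checking up front that the runtime permits 256-bit AES keys (so you get a clear message instead of an InvalidKeyException half-way through), and prompting for the password without echoing it. The on-disk layout (an 8-byte salt followed by the ciphertext), the PBE algorithm name PBEWithSHA256And256BitAES-CBC-BC and the iteration count 1024 are assumptions made for the example; the real application's format may differ, so treat them as placeholders to adjust, not as a description of the Secrets for Android file format.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/*
 * Added example: generic password-based file decryption on Java-SE with
 * the Bouncy Castle provider. NOT the secrets.jar code.
 *
 * Assumptions (not taken from Secrets for Android): the input file is an
 * 8-byte salt followed by the ciphertext, the PBE scheme is Bouncy Castle's
 * "PBEWithSHA256And256BitAES-CBC-BC", and the iteration count is 1024.
 */
public class PbeDecrypt {
    private static final String PBE_ALGORITHM = "PBEWithSHA256And256BitAES-CBC-BC"; // assumption
    private static final int SALT_LENGTH = 8;    // assumption
    private static final int ITERATIONS = 1024;  // assumption

    /** Detect a restricted-policy JRE before touching the key material. */
    static void checkStrongCrypto() throws Exception {
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        if (maxBits < 256) {
            throw new IllegalStateException("This JRE limits AES keys to " + maxBits
                + " bits; install the unlimited-strength policy files (or use Java 8u161+).");
        }
    }

    /** Derive the key from the password and salt, then decrypt with the "BC" provider. */
    static byte[] decrypt(char[] password, byte[] salt, byte[] ciphertext) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGORITHM, "BC");
        SecretKey key = factory.generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBE_ALGORITHM, "BC");
        cipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(salt, ITERATIONS));
        return cipher.doFinal(ciphertext);  // throws BadPaddingException on a wrong password
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java -cp bcprov-jdk....jar:. PbeDecrypt inputfile outputfile");
            System.exit(1);
        }
        // Register Bouncy Castle at run time; no edit to java.security is needed.
        Security.addProvider(new BouncyCastleProvider());
        checkStrongCrypto();

        Console console = System.console();
        if (console == null) {
            System.err.println("no interactive console available for the password prompt");
            System.exit(1);
        }
        char[] password = console.readPassword("Password: ");

        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        if (data.length < SALT_LENGTH) {
            throw new IllegalArgumentException("input file too short to hold a salt");
        }
        byte[] salt = Arrays.copyOfRange(data, 0, SALT_LENGTH);
        byte[] ciphertext = Arrays.copyOfRange(data, SALT_LENGTH, data.length);

        byte[] plaintext;
        try {
            plaintext = decrypt(password, salt, ciphertext);
        } finally {
            Arrays.fill(password, '\0');  // do not leave the password lying around on the heap
        }
        // The plaintext bytes are written verbatim; they are assumed to be UTF-8 text.
        Files.write(Paths.get(args[1]), plaintext);
        Arrays.fill(plaintext, (byte) 0);
    }
}
```

Compile and run it with the Bouncy Castle jar on the classpath (java -cp bcprov-jdk....jar:. PbeDecrypt inputfile outputfile). A wrong password surfaces as a BadPaddingException from doFinal, which is the expected failure mode for a CBC scheme with no authentication tag; a restricted-policy runtime is reported by checkStrongCrypto before any decryption is attempted.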

Needless to say, I'm making the project's source code available as open source software. You can access the project at GitHub through this link.


Last modified: Thursday, February 9, 2012 1:19 am
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.