Android external file encryption and decryption and application practice

There is such an application scenario. When we put some important files in the asset folder, we can directly get the file by decompressing the .apk. We don’t want some files involving important information to be decompiled. At this time, we need to encrypt the file first, and then put it in the resource directory in Android, and then decrypt it when used.

In modern cryptography, the security of encryption systems is based on keys rather than algorithms. Now I will introduce a complete set of encryption, decryption and application processes. I think this encryption process is very reliable in terms of practicality and security. It is also a commonly used practice on the market. The core logic is actually quite simple. After all, the most difficult part of the encryption and decryption algorithm implementation is ready-made. Part of our company has also used this process, which is of course more complicated than what I am talking about.

1. Introduction

It mainly involves the application of the following algorithms: RSA, AES, and Base64 encoding. The basic idea is to use [AES algorithm + AES key] to encrypt files. In order to ensure the security of the key, the AES key will be encrypted using [RSA algorithm + RSA private key].

If you are not familiar with these algorithms, you can take a look at the article "Common Encryption Methods and Application Scenarios" by our boss. It is enough to know the general principles and usage methods, because the algorithms are ready-made in Java and can be used directly.

After arranging the process, it is the above flowchart, which is divided into three parts:

• The first part is to encapsulate the encryption process into a small tool and use the encryption tool to encrypt the file;
• The second part is to encapsulate the decryption process into a small decryption tool, and use the decryption tool to decrypt our files so as to make relevant modifications;
• The purpose of the third block is to put the encrypted files and the AES algorithm keys for encryption and decryption into the Android resource file for specific use.

One thing to add is the public and private keys of the RSA algorithm. From the third block, we can see that the RSA public and private keys are not placed in the resource file. In fact, if you think about it, you will know that if the encrypted file, the AES key for encryption and decryption, and the RSA key used to encrypt the AES key are all placed in the folder, there will be no security (Note: the encryption and decryption algorithm can be modified to be unique to your company, which is what our company does). Therefore, in order to ensure security, our RSA public and private keys are dynamically obtained through the code in the application signature (.keystore signature file). If you are interested, you can read this article: [Extract private keys and certificates from Java Keystore files].

2. Block 1: Encryption tool for encryption

The Java interface development of the tool is implemented through the Java swing package. Those who are interested in swing can refer to this article Introduction to Java Swing Graphical Interface Development, which explains it in great detail.

At the beginning, there is no AES key, so we need to generate a secure key, so generate a random AES key and save it. The operation page interface of the encryption tool is:

2.1. Generate a random key

Generating a random key is mainly divided into several steps:

• Generate a random number as a seed using UUID.randomUUID();
• The seed is provided to the KeyGenerator to generate the AES key. As long as the AES key generated by the seed is consistent;
• Obtain the public and private keys required by the RSA algorithm through application signature;
• RSA encrypts the AES key with the private key;

Because the generated key is byte[], it is displayed on the interface through Base64 encoding.

 /**  
 * Generate a random key  
 */  
 private void randomKey() {  
 try {  
 //Generate a random number as a seed  
 String uuid = UUID.randomUUID().toString();  
 byte[] seed = uuid.getBytes( "UTF-8" );  
 //Generate AES key  
 byte[] rawkey = AES.getRawKey(seed);  
 //Get the key pair for application signing  
 KeyPair pair = SignKey.getSignKeyPair();  
 //Encrypt the AES key using the RSA private key  
 byte[] key = RSA.encrypt(rawkey, pair.getPrivate());  
 //Base64 encoding into a string for display  
 String base64Key = Base64.encode( key );  
 mKeyText.setText(base64Key);  
 } catch (Exception e) {  
 e.printStackTrace();  
 }  
 }  
 AES.getRawKey(seed) mainly uses the AES key generator to generate a 128-bit key. The specific implementation is:  
 /** 
  * Generate a key stream encrypted with the AES algorithm. This key will be encrypted again with the key of the application signature {@link SignKey}  
 */  
 public   static byte[] getRawKey(byte[] seed) throws Exception {  
 KeyGenerator kgen = KeyGenerator.getInstance( "AES" );  
 SecureRandom sr = SecureRandom.getInstance( "SHA1PRNG" );  
 sr.setSeed(seed);  
 //192 and 256 bits may not be available  
 kgen.init(128, sr);  
 SecretKey skey = kgen.generateKey();  
 return skey.getEncoded();  
 }

SignKey.getSignKeyPair() is used to obtain the public and private keys required for the RSA algorithm. It comes from our application signature. Everyone should be familiar with it. Application packaging and uploading requires signature packaging.

Java provides an API to obtain the private key and certificate of the testkey.keystore file (generate one yourself using studio), and put the testkey.keystore file in the directory:

 /**  
 * Author:xishuang  
 * Date :2018.05.06  
 * Des: Read the key pair and certificate according to the imported application signature  
 */  
 public class SignKey {  
 // Application signature  
 private static final String keystoreName = "testkey.keystore" ;  
 private static final String keystorePassword = "123456" ;  
 //Alias ​​of application signature  
 private static final String alias = "key0" ;  
 private static final String aliasPassword = "123456" ;  
 /**  
 * Get the signed key pair to encrypt the key  
 */  
 public   static KeyPair getSignKeyPair() {  
 try {  
 File storeFile = new File(keystoreName);  
 if (!storeFile.exists()) {  
 throw new IllegalArgumentException( "Signature file has not been set yet!" );  
 }  
 String keyStoreType = "JKS" ;  
 char [] keystorepasswd = keystorePassword.toCharArray();  
 char [] keyaliaspasswd = aliasPassword.toCharArray();  
 KeyStore keystore = KeyStore.getInstance(keyStoreType);  
 keystore.load (new FileInputStream(storeFile), keystorepasswd);  
 //Get the private key  
 Key   key = keystore.getKey(alias, keyaliaspasswd);  
 if ( key instanceof PrivateKey) {  
 //Get the public key  
 Certificate cert = keystore.getCertificate(alias);  
 PublicKey publicKey = cert.getPublicKey();  
 ///Public and private keys are stored in KeyPair 
  return new KeyPair(publicKey, (PrivateKey) key );  
 }  
 } catch (Exception e) {  
 e.printStackTrace();  
 }  
 return   null ;  
 }  
 }

The parameters required to get the testkey.keystore are the same as those required for signing the packaged application, and are obtained through the keystore class provided by java. Then the AES key is encrypted with the testkey.keystore private key just obtained, and then converted into a string through Base64 for display. The encoding is converted only for displaying the key.

2.2. Exporting Keys

Export the key to a file and import it directly next time to decrypt the file. To export the key, you need to convert the Base64 key string in the text box into Byte[] using Base64 before saving it.

 byte[] key = Base64.decode(base64Key);  
 // Output the raw key  
 File keyFile = new File(dir, "testkey.dat" );  
 FileOutputStream fos = new FileOutputStream(keyFile);

2.3 Encrypted Files

The key is already available, and the AES algorithm is ready-made. Just call the API to encrypt:

 private static final String AES = "AES" ;  
 /**  
 * AES algorithm to encrypt files  
 *  
 * @param rawKey AES key  
 * @param fromFile The file to be encrypted  
 * @param toFile encrypted file  
 */  
 public   static void encryptFile(byte[] rawKey, File fromFile, File toFile) throws Exception {  
 if (!fromFile.exists()) {  
 throw new NullPointerException( "File does not exist" );  
 }  
 if (toFile.exists()) {  
 toFile.delete ();  
 }  
 SecretKeySpec skeySpec = new SecretKeySpec(rawKey, AES);  
 Cipher cipher = Cipher.getInstance(AES); 
  //Encryption mode  
 cipher.init(Cipher.ENCRYPT_MODE, skeySpec);  
 FileInputStream fis = new FileInputStream(fromFile);  
 FileOutputStream fos = new FileOutputStream(toFile, true );  
 byte[] buffer = new byte[512 * 1024 - 16];  
 int offset;
 //Use encryption stream to encrypt  
 CipherInputStream bis = new CipherInputStream(fis, cipher);  
 while ((offset = bis. read (buffer)) != -1) { 
  fos.write(buffer, 0, offset);  
 fos.flush();  
 }  
 fos.close ();  
 fis.close ();  
 }

Select the file and encrypt it using the AES algorithm and AES key. The final result is as follows. If there is no key that can decrypt it, I lose.

3. Block 2: Decryption by decryption tool

There is actually no need to explain the decryption process, because the decryption process is the reverse process of the encryption process.

This decryption is not used in the application, but to facilitate us to update the encrypted file. The file must be decrypted before modifying it.

3.1. Import AES key

This key is the key we generated earlier. After importing it, use the RSA public key signed by the application to decrypt the AES key:

 //Get the encrypted key raw key    
 String keyStr = mKeyText.getText();  
 byte[] key = Base64.decode(keyStr);  
 //Get the application signature key pair and public key to decrypt the raw key    
 KeyPair keypair = SignKey.getSignKeyPair();  
 byte[] rawkey = RSA.decrypt( key , keypair.getPublic());  
 //Use raw key to decrypt the file  
 AES.decryptFile(rawkey, fromFile, toFile);

3.2 Decrypting Files

After getting the pure version of the AES key, you can directly call the AES algorithm to decrypt the file:

 /**  
 * AES algorithm decrypts files  
 *  
 * @param rawKey AES key  
 * @param fromFile the encrypted file  
 * @param toFile decrypted file  
 */  
 public   static void decryptFile(byte[] rawKey, File fromFile, File toFile) throws Exception {  
 if (!fromFile.exists()) {  
 throw new NullPointerException( "File does not exist" );  
 }  
 if (toFile.exists()) {  
 toFile.delete ();  
 }  
 SecretKeySpec skeySpec = new SecretKeySpec(rawKey, AES);  
 Cipher cipher = Cipher.getInstance(AES);  
 //Decryption mode  
 cipher.init(Cipher.DECRYPT_MODE, skeySpec);  
 FileInputStream fis = new FileInputStream(fromFile);  
 FileOutputStream fos = new FileOutputStream(toFile, true );  
 byte[] buffer = new byte[512 * 1024 + 16];  
 int offset;  
 //Use the decryption stream to decrypt  
 CipherInputStream cipherInputStream = new CipherInputStream(fis, cipher);  
 while ((offset = cipherInputStream. read (buffer)) != -1) {  
 fos.write(buffer, 0, offset);  
 fos.flush();  
 }  
 fos.close ();  
 fis.close ();  
 }

Compared with the AES encryption process, it can be found that it is just switching the AES algorithm mode.

3. Block 3: Decrypting files in Android applications

To decrypt the file, you need to add the encrypted AES key to the resource folder, which is the key derived above, and the encrypted file. The premise for correct decryption is that your application signature is the same as the signature used to encrypt the file.

3.1. Decrypting the AES key

The main difference between decrypting files in Android applications and decrypting files in Java tools lies in the acquisition of RSA keys. In Java tools, the application signature testkey.keystore is owned by the developer, and all the information in it can be obtained. In Android, applications are released to the application market, and anyone can download our package. The application signature can only obtain its public key through the API provided by Android.

 /**  
 * Author:xishuang  
 * Date :2018.05.06  
 * Des: Application signature reading tool class  
 */  
 public class SignKey {  
 /**  
 * Get the signature of the current application  
 *  
 * @param context context  
 */  
 public   static byte[] getSign(Context context) {  
 PackageManager pm = context.getPackageManager();  
 try {  
 PackageInfo info = pm.getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES);  
 Signature[] signatures = info.signatures;  
 if (signatures != null ) {  
 return signatures[0].toByteArray();  
 }  
 } catch (NameNotFoundException e) {  
 e.printStackTrace();  
 }  
 return   null ;  
 }  
 /**  
 * Get the public key based on the signature  
 */  
 public   static PublicKey getPublicKey(byte[] signature) {  
 try {  
 CertificateFactory certFactory = CertificateFactory  
 .getInstance( "X.509" );  
 X509Certificate cert = (X509Certificate) certFactory  
 .generateCertificate(new ByteArrayInputStream(signature));  
 return cert.getPublicKey();  
 } catch (CertificateException e) {  
 e.printStackTrace();  
 } 
  return   null ;  
 }  
 }

After obtaining the public key of the application signature testkey.keystore, the process is basically the same as the operation in the Java tool, using the RSA public key to decrypt the AES key.

 private static final String SIMPLE_KEY_DATA = "testkey.dat" ;  
 /**  
 * Get the decrypted file encryption key  
 */  
 private static byte[] getRawKey(Context context) throws Exception {  
 //Get the application's signing key  
 byte[] sign = SignKey.getSign(context);  
 PublicKey pubKey = SignKey.getPublicKey(sign);  
 //Get the key for the encrypted file  
 InputStream keyis = context.getAssets(). open (SIMPLE_KEY_DATA);  
 byte[] key = getData(keyis);  
 //Decryption key  
 return RSA.decrypt( key , pubKey);  
 }

Finally, use the decrypted AES key to decrypt the file.

3.2. AES key decryption file

Get the file stream of the encrypted file through the resource manager, and use the AES algorithm to decrypt the file stream using the AES key.

 /**  
 * Get the decrypted file stream  
 */  
 public   static InputStream onObtainInputStream(Context context) {  
 try {  
 AssetManager assetmanager = context.getAssets();  
 InputStream is = assetmanager.open ( "encrypt_test.txt" ) ;  
 byte[] rawkey = getRawKey(context);  
 //Using the decryption stream, the data will be decrypted before being written to the underlying OutputStream  
 SecretKeySpec skeySpec = new SecretKeySpec(rawkey, "AES" );  
 Cipher cipher = Cipher.getInstance( "AES" );  
 cipher.init(Cipher.DECRYPT_MODE, skeySpec);  
 return new CipherInputStream( is , cipher);  
 } catch (Exception e) {  
 e.printStackTrace();  
 }  
 return   null ;  
 }

After getting the encrypted file stream, the purpose is achieved, which can be parsed into a string and displayed:

 private void inputData() {  
 InputStream in = DecryptUtil.onObtainInputStream(this);  
 try {  
 BufferedReader reader = new BufferedReader(new InputStreamReader( in , "GBK" ));  
 StringBuilder sb = new StringBuilder();  
 String line;  
 while ((line = reader.readLine()) != null ) {  
 sb.append(line + "\n" );  
 }  
 contentTv.setText(sb.toString());  
 } catch (IOException e) {  
 e.printStackTrace();  
 finally  
 try {  
 in .close () ;  
 } catch (IOException e) {  
 e.printStackTrace();  
 }  
 }  
 }

The example effect diagram is as follows. Please pay attention to the content in the red box. Because I am too lazy to create a new project, I tested it with the original project:

Currently, the tool uses the encryption and decryption algorithms that are common on the market. You can change the algorithm, such as DES or other symmetric and asymmetric algorithms, or even your own modified algorithms. If you want to run the example demonstration:

Just run the java file and you can open the encryption and decryption tool. The encryption and decryption tool interface is a small part extracted from our toolkit. After all, writing the interface is very annoying. Thanks to our great god who wrote such a tool many years ago.