Decrypting Cordova "Crypt File" plugin

Hey, it has been a while since the last update.

While doing my daily job, I found an interesting Android mobile application. It's a hybrid mobile application, written using Cordova.

Cordova in a nutshell:
"Apache Cordova is an open-source mobile development framework. It allows you to use standard web technologies - HTML5, CSS3, and JavaScript for cross-platform development. Applications execute within wrappers targeted to each platform, and rely on standards-compliant API bindings to access each device's capabilities such as sensors, data, network status, etc."

Reference: https://cordova.apache.org/docs/en/latest/guide/overview/

As usual, I started with static analysis by "decompiling" the application using "apktool" and browsing to the "assets/www" folder, which is where all the HTML/CSS/JS files for Cordova are located.

What makes this application interesting is that all the files are encrypted.
Encrypted File Content


After analyzing the application, I found that it uses a Cordova plugin called "crypt file" (https://github.com/tkyaji/cordova-plugin-crypt-file).

I have made a decryptor in order to ease static analysis. I have also made an encryptor so the application can be recompiled during analysis, for example when patching the SSL pinning/root detection mechanism.

In order to use the tool, you first need to retrieve the KEY and IV from the application. It is not complicated, as the KEY and IV are located in com.tkyaji.cordova.DecryptResource.class
CRYPT_IV and CRYPT_KEY
And finally, this is the tool, written in Node.js. Update config.key and config.iv accordingly.
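As an added example (not the author's tool and not the plugin's own code), the Node.js functions below decrypt and re-encrypt a single asset. They assume the plugin stores each file as base64 text of AES-CBC ciphertext with PKCS#7 padding and uses CRYPT_KEY and CRYPT_IV as UTF-8 strings; confirm this against the decompiled DecryptResource class. The function names and sample values are hypothetical.

```javascript
'use strict';
const crypto = require('crypto');

// Assumed format (verify against the decompiled DecryptResource class):
// AES-CBC, PKCS#7 padding, key and IV are the UTF-8 bytes of the
// CRYPT_KEY / CRYPT_IV strings, file content is base64 text.
function cipherParams(config) {
  const key = Buffer.from(config.key, 'utf8');
  const iv = Buffer.from(config.iv, 'utf8');
  // A key of the wrong size is what makes Node report "Invalid key length".
  if (![16, 24, 32].includes(key.length)) {
    throw new RangeError(`key is ${key.length} bytes; AES needs 16, 24 or 32`);
  }
  if (iv.length !== 16) {
    throw new RangeError(`IV is ${iv.length} bytes; AES-CBC needs 16`);
  }
  // Pick AES-128/192/256 from the actual key size instead of hard-coding it.
  return { algorithm: `aes-${key.length * 8}-cbc`, key, iv };
}

// Turn the base64 content of one encrypted asset back into source text.
function decryptAsset(base64Text, config) {
  const { algorithm, key, iv } = cipherParams(config);
  const decipher = crypto.createDecipheriv(algorithm, key, iv);
  const body = Buffer.from(base64Text.trim(), 'base64');
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Produce content in the same format, for putting an edited asset back.
function encryptAsset(plainText, config) {
  const { algorithm, key, iv } = cipherParams(config);
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  return Buffer.concat([cipher.update(plainText, 'utf8'), cipher.final()]).toString('base64');
}

// Constructed sample values, not taken from any real application.
const sampleConfig = { key: '0123456789abcdef0123456789abcdef', iv: 'fedcba9876543210' };
const sampleSource = '<script src="cordova.js"></script>';

function roundTrip() {
  return decryptAsset(encryptAsset(sampleSource, sampleConfig), sampleConfig);
}

console.log(roundTrip() === sampleSource ? 'round trip ok' : 'round trip failed');
```

Because the key and IV ship inside the APK, this scheme hides the assets from casual inspection but does not protect them from anyone who can decompile the application.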


Thanks!

6 comments :

  1. Error: Invalid key length
    at new Decipheriv (crypto.js:241:16)
    at Object.Decipheriv (crypto.js:238:12)
    at Decrypt (E:\xampp\htdocs\android\scrypt.js\app.js:76:25)
    at E:\xampp\htdocs\android\scrypt.js\app.js:52:32
    at Array.forEach (native)
    at DecryptThis (E:\xampp\htdocs\android\scrypt.js\app.js:49:8)
    at Object.<anonymous> (E:\xampp\htdocs\android\scrypt.js\app.js:26:9)
    at Module._compile (module.js:571:32)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:488:32)

  2. I don't know how to work with node.js. Can you please make a detailed tutorial?

  3. Is there a way that at the moment of decompiling the apk it is not possible to see the "CRYPT_KEY"?
