23

I've been trying to reverse engineer a paid Android app that writes out some binary data so that I can export that data into other programs (it's a run/walk timer app, if anyone's curious, and I'm trying to get its GPS traces out). However, it looks like the apk is encrypted and stored in /data/app-asec/[app_id].asec.

There's a nice blog post that says the encryption used is TwoFish, with a key stored in /data/misc/systemkeys/AppsOnSD.sks, but I haven't been able to decrypt the file using the naïve strategy of just using that key directly with TwoFish on the .asec.

How can I decrypt this to get an apk I can actually analyze?

Note: I realize that this information is considered somewhat delicate in places like xda-developers, since it could be used to enable piracy. I have no such intentions, I just want to examine the serialization code.

Brendan Dolan-Gavitt

1 Answer

18

After a little bit more work and some more careful re-reading, I figured out my mistake: the files in /data/app-asec/ are the encrypted containers. They're actually dm-crypt volumes, which then get mounted at /mnt/asec/[app_id]. The pkg.apk in that directory is the unencrypted apk that can be analyzed using any of the fine tools in this answer.

Brendan Dolan-Gavitt
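As an added example (not code from the post or from Android itself), the helper below shows the mechanism the answer describes: it parses /proc/mounts-style lines to find the dm-crypt backed mounts under /mnt/asec/, derives the pkg.apk path for each app id, and checks that the file found there is plaintext by looking for the zip local-file-header magic that every apk starts with. The mount lines and app ids are constructed samples; the mount-point layout and pkg.apk name are the ones given in the answer.

```python
import os
import re
from typing import Dict, Optional

# Constructed sample of /proc/mounts on a device with two ASEC containers
# mounted. App ids are placeholders, not from the original post.
SAMPLE_MOUNTS = """\
/dev/block/mmcblk0p25 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/dm-0 /mnt/asec/com.example.runtimer-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/vold/179:1 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec 0 0
/dev/block/dm-1 /mnt/asec/com.example.other-2 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
"""

# <device> <mountpoint> ... where the mountpoint is /mnt/asec/<app_id>
ASEC_MOUNT_RE = re.compile(r"^(?P<dev>\S+) /mnt/asec/(?P<app>[^/ ]+) ")


def find_asec_mounts(mounts_text: str) -> Dict[str, str]:
    """Map app id -> backing block device for each mounted /mnt/asec/<app_id>.

    Only device-mapper (dm-*) backed entries are kept: those are the decrypted
    views of the /data/app-asec/<app_id>.asec containers, which is why reading
    the .asec file directly never yields a usable apk.
    """
    result: Dict[str, str] = {}
    for line in mounts_text.splitlines():
        m = ASEC_MOUNT_RE.match(line)
        if m and m.group("dev").startswith("/dev/block/dm-"):
            result[m.group("app")] = m.group("dev")
    return result


def pkg_apk_path(app_id: str) -> str:
    """Location of the unencrypted apk inside a mounted ASEC container."""
    return f"/mnt/asec/{app_id}/pkg.apk"


ZIP_MAGIC = b"PK\x03\x04"  # local file header; an apk is a zip archive


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes start like a zip archive, i.e. are not still ciphertext."""
    return data[:4] == ZIP_MAGIC


def check_apk_file(path: str) -> Optional[bool]:
    """True/False for a readable file, None if the path does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return looks_like_apk(f.read(4))
```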