
PNGSafeBox Project for Android
As we mentioned in a previous article, the two parts of the project can be summarized as follows:
Personal PNGSafeBox Project (I) – Windows Application
A free application, developed by us in VB.NET, that obfuscates the graphic files containing the information to be protected.
This application can both encrypt and decrypt such images.
Personal PNGSafeBox Project (II) – Android Application
A free mobile app, developed by us, that lets us carry the aforementioned images with confidential information on our phone. The application can query these files (data) securely, decrypting them and showing the information we need on the screen, while the files, of course, remain encrypted inside the phone.
Even if we lose our mobile phone, the files would be difficult to extract because they are natively packed within the application. On a “rooted” phone, one would only get obfuscated graphic files that cannot be viewed without knowing exactly the obfuscation method used and the triple DES keys.
Part II Personal PNGSafeBox for Android
General description
With this mobile application we can carry confidential information in the form of a graphic file (PNG).
For example, we can carry documents such as:
- Password list
- List of appointments / personal data
- Bank coordinates card
- Payment card data
- Secret number (PIN) for applications
- Etc.
The process to follow, for a maximum of four images, is:
- Create images (PNG format) of the documents to be protected.
- Encrypt them with the PNG SafeBox for Windows program described in a previous entry.
- Install the B4A IDE and compile the project described below.
- Replace the 4 “dummy” images of the project with ours.
- Recompile the project and install it on our Android device.
Encrypted files used
As the encrypted input for this portable app we will use the files generated (obfuscated) with the algorithm from our previous entry.
In that case we obtained PNG files whose internal content was completely “mixed” by three consecutive byte swaps at 3 random positions. The 3 randomly obtained positions are then written to the file using some of the first positions of the PNG file (named “chunks”). As one more security step, the string that contains the 3 numbers (the positions of the 3 matrix swaps) is encrypted using a 3DES algorithm.
Now our Android application must include the encrypted PNG files as application components, and the only way to decipher these files is a reverse algorithm that uses the 3DES key and IV selected when we created the files.
Note:
For more details about the obfuscation procedure, see the previous article, PNGSafeBox Project for Windows.
The algorithm to recover the image, in PNG format, must perform these steps:
1) Read the position where the encrypted string containing the numbers N1, N2 and N3 is located.
2) Decipher the string (3DES) using our KEY and IV values and obtain these three numbers.
3) Transpose the array (matrix) of bytes back, starting with cycle number 3 (N3).
4) Repeat a similar procedure twice more, for the numbers N2 and N1.
5) “Repair” the earlier modifications in the initial zone of the PNG file header.
Once these steps are done, the PNG file obtained is a standard graphic file and can be shown on our phone screen.
Software used for the Android Project
As mentioned in the previous article, we used the Sharp Develop environment to create our encrypted files.
For developing Android software we can use the excellent IDE Basic for Android, better known as B4A, which makes it possible to develop the Android program in a VBasic language (close to VB.NET). This can simplify development, especially for people not too familiar with Java programming.
Another advantage of using B4A is that we can install the evaluation version and develop (and really compile) our app. All we need to do is download that version from its page and install it. All the instructions are very clear on the Anywhere Software page.
Note:
To create the Android application we must first obtain the four encrypted images using the program explained in the previous entry. Note that these files were internally encrypted by the program using some personal passwords => 3DES Key and 3DES IV. In both cases we can use the default values or select a personal value.
Once we have these 4 (coded) files we need to:
- Download the B4A IDE.
- Download the Project files (PNGSafeBox Project for Android).
- Download the extra libraries used in the Project.
- Replace the 4 “dummy” PNG files that exist in the Project (folder Files) with our images.
- It is important to keep exactly the same file names for the PNG files (draw0x.png), where x is 1 to 4.
- Compile the Project and copy it to our Android phone.
The Files directory must contain these files:
Hint!
Before modifying the files of the original Project, we can try to compile and test the complete Android installation process. In this case the 4 “dummy” images will be installed and the access code is 1234567+
Once this is tested, we must replace the 4 images with our encrypted images, recompile and install the application on the phone. In this case the access code will be our personal code, the same one used previously to encrypt the images in the Windows program.
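A pre-build check for the image replacement step above, as an added example (it is not part of the PNGSafeBox project): it flags any draw0x.png that still parses as a standard PNG and would therefore ship unprotected inside the app. It assumes that an obfuscated file fails PNG signature or chunk CRC validation, which this article does not state explicitly; the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXPECTED = [f"draw0{i}.png" for i in range(1, 5)]  # file names the project requires

def is_plain_png(data: bytes) -> bool:
    """True if data is a standard PNG: signature, then CRC-valid chunks up to IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # 12 = length + type + CRC of an empty chunk
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 8 + length  # offset of this chunk's CRC field
        if end + 4 > len(data):
            return False  # chunk claims more bytes than the file holds
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(data[pos + 4:end]) != crc:  # CRC covers type + data
            return False
        if data[pos + 4:pos + 8] == b"IEND":
            return True
        pos = end + 4
    return False

def audit_files(files: dict) -> dict:
    """Map each expected name to 'missing', 'PLAINTEXT' or 'obfuscated'."""
    report = {}
    for name in EXPECTED:
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        else:
            report[name] = "PLAINTEXT" if is_plain_png(data) else "obfuscated"
    return report

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    plain = make_png()
    mixed = bytearray(plain)  # constructed stand-in for an obfuscated file
    mixed[12], mixed[13] = mixed[13], mixed[12]  # swap two bytes after the signature
    print(audit_files({"draw01.png": bytes(mixed), "draw02.png": plain}))
```

To use it on a real project, read each file in the Files folder into the dictionary before compiling; any entry reported as PLAINTEXT or missing should stop the build.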
From the links at the bottom of this article you can download the B4A Project, ready to compile and install on your Android device, as well as some extra libraries used by the project.
Notes on the program code
The program has been written to be self-explanatory (it contains many comments), but we prefer to explain some of its highlights here.
Some general variables are declared in Sub Globals. Some important variables are:
my_3DES_IV
my_3DES_key
These two variables are used for the TripleDES deciphering process. The value for the 3DES Key is declared in the program and must match the value used in the Windows program. In our example program this value is
Private my_3DES_key As String = "TheKey1234567890"
For the second 3DES parameter (the Initialization Vector) we used a “dummy” value to initialize the variable; the real value is typed in later in the application and, in the same way, must match the value used to encrypt the files in the Windows program.
Note:
In the example code (in the Windows program as well as in the Android application) we have used the following values, but it is highly recommended to select new (personal) values to obtain the maximum security and privacy.
3DES_IV = “1234567+”
3DES_key = “TheKey1234567890”
Another, easier possibility (because it is shorter) is to select a new value only for the I.V. (3DES_IV).
This value is easily selectable in the Windows program and must be typed accordingly in the Android application. The value for the Key (3DES_key) is declared in the code before compiling and installing the program on our device.
The flowchart of the program shows some details about each subroutine.
The first routine the program executes is “Initialization” which, as its name indicates, performs certain basic initializations. Once this is done, the initial screen is shown and the focus is set on the “OK” button, which validates the eight-character code that we must type in. This code is the Initialization Vector (I.V.) and its value is “1234567+” only for the demo program. When we replace the four PNG files with ours, we must use our own IV value.
The routine Check_IV( ) must validate the code entered. This code must be exactly 8 characters long and, as in the Windows program, every character must belong to the Base64 character table.
If any of these checks fails, a “Wrong Key” warning message is displayed and the user must type in the code again.
Note:
This code matches the I.V. value used for the 3DES deciphering of the string that contains the 3 numbers (positions) where the transposed matrix coordinates are located.
Once we have entered the correct code, a new screen is shown where we can press any of four available buttons.
After any of the available buttons is pressed, a new routine is called: Decode (X), where X matches the name of the graphic file to de-obfuscate. For example, when button 4 (Docs 4) is pressed, the program executes the routine that loads the image “draw04.png” to the screen.
The image is first copied to an internal cache directory and then loaded to the screen. It is important to note that the “decoded” image is only available on the screen and, immediately after loading, the image used is deleted from any internal directory (routine MrProper).
The main security of this application rests on the fact that the coded (obfuscated) images are part of the application's bundle of files, while every manipulation, copy, etc. is immediately deleted from the phone directories.
Activating a variable (setup_DEBUG = True) can help us by showing more specific messages on certain events of the program.
Installation of B4A IDE and extra libraries
The instructions to install the IDE are described in enough detail on the Anywhere page. Basically they are:
- Install the Java JDK
- Install the Android SDK
- Install the B4A program.
- Configure the B4A IDE paths
Once the IDE is installed and running, we can check it.
To compile our Project (PNG SafeBox) we must install some additional libraries.
This is how the Libraries Admin in the B4A IDE looks after these libraries are installed and activated:
Installation of App to Android phone
To install the application on our device (phone) we must enable the option for installing applications from sources other than the Play Store. For example, on Android 4.0 or higher, you must go to Settings, scroll down to Security, and select Unknown sources. On devices running an earlier version of Android, go to Settings, open the Applications option, select Unknown sources, and click OK on the popup alert.
It is clear that this is an application fully developed by us and under our full control, which is why its installation does not represent a risk for our device. In any case, once the installation is complete, we recommend re-enabling the security measure that was previously deactivated.
The app installation can be done:
– via link (B4A-Bridge app.) directly from the B4A IDE
– by copying the generated .apk file (in the Objects folder) to our phone and executing it.
The application will be installed and, as an additional proof of confidence, we can check that the installation does not ask for extra permissions to access anything. (Some other applications require permissions to access the camera, SD, network, contacts, etc.)
Software Download
PNGSafeBox_Android Project (Main)
PNGSafeBox_Android (Extra Libraries)
PNGSafeBox_Document download (English)
PNGSafeBox_Documentation download (Spanish)