Recently, we've published a guide on how to add dependencies for only specific productFlavors. After we've implemented the steps necessary, we wanted to make sure that the final .apk actually does not contain any unwanted classes anymore. In this post, we'll show you how to check which classes and resources are in an apk.
Note: this guide is designed for decompiling your own apk, and not the hard work of other developers. Thus, we did not include any steps to reverse-engineer or work-around code obfuscation.
An Android apk is basically a zipped directory, which contains of some raw resources (images, layout files, .) and a classes.dex file. This file contains all actual code and interests us the most. Let's download all the tools we need:
For matters of personal study of specific commercial applications source code, in order to build my own (not stealing the source code, but Just figuring out how things are actually done), i intend to decompile mac OS X binaries, and get their source. I need an intelligent decompiler, preferably GPGPU based, which can get me the source code of the app by trying to guess the language it was. Sep 09, 2017 Android application package (APK) is the package file format. APK file is a compressed form of Java classes, XML and several other files. If you saw an amazing app and as a developer want to see the source behind it, then you can decompile APK files to get the actual source code.
classes.dex file to a .jar, you'll need to download the dex2jar tool..jar file readable for the human eye, download and run JD-Gui. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc. Jadx is a tool that decompiles.class and.jar files, but also it produces Java source code from Android Apk files. Mar 30, 2013 I will write a 5 step guide for setting up apktool and start modifying your app's or any other android framework. This guide will be strictly for windows users, since setting up and using apktool in windows is the easiest.
Alright, now it's time to do the actual work. Copy your apk file into a directory you want to work in. Unzip the apk using the tool of your choice and you should get a directory with a few sub directories and a few files.
Feel free to browse the AndroidManifest.xml or the res directory. The most interesting piece is the classes.dex. Thus, switch to your downloaded dex2jar tool and open a new terminal.
If you're on Mac OS, execute sh d2j-dex2jar.sh -f -o output.jar your_app_input.apk. Windows users can use the .bat file to create the .jar file. Once the tool ran through, browse to the new .jar file.
Lastly, start the downloaded JD-GUI tool and use it to open the .jar file.
You can browse all packages and classes, which are in your apk. The code is a stripped version and doesn't contain any comments or redundant structures you're seeing in your IDE. Remember, this is the compiled minimization of your app. Nevertheless, it should give you enough information to learn about the basics of the app. For example, it helped us to verify that there are no packages related to the admob library in the app anymore.
If you just need a quick decompile, you can use the online tool at www.decompileandroid.com/.
For more advanced decompiling purposes you could take a look at apktool, which gives a lot of additional helpers.
No matter what tool you use, there will be a time when you need to decompile an Android app. We hope this guide gave you a jump start. Share any additional tips you have in the comments!
10 Jul 2016Earlier this year, I was tasked with reverse engineering an APK. For reasons I won’t explain, I needed to extract the code from this APK because the APK contained the latest version of code for the project. So, I set out on researching how I can unzip the APK into its individual parts: the resources for the application and the decompiled java code.
There’s a few things I learned from doing this and I’ll explain them throughout this post, but it’s good to note upfront that APKs don’t necessarily contain all of the parts of the Android project. You won’t be able to extract the Gradle scripts from the APK, because the Gradle script files are not compiled into the APK (obviously). Also, if you’re expecting the java source code to be exactly as it is in the Android project, think again. Java code that is compiled and decompiled will be in short form (i.e., how it’s interpreted by the Java Virtual Machine). It won’t necessarily be “readable” anymore and it won’t contain any comments. But, if you’re a Java developer, you probably already know this. Also, it’s helpful to know that an APK is nothing more than a .zip file containing compiled Java code and Android resources. Technically, you can just unzip the APK, but you’ll find that the files are going to be unreadable.
Now, it’s good to note that there are websites out there that will decompile the APK for you in one easy upload of the file. And there are apps out there that you can download onto your Android phone that will decompile the APK to retrieve metadata from the APKs already installed on your phone. But, if you’re like me, you probably don’t trust those services with APKs that you built yourself and there’s honestly no telling what they’ll do with your decompiled code. Also, it’s worth mentioning that Google has built a single tool called Classy Shark which will handle the decompilation (both Java and Android resources) for you.
But, without further ado, here are the steps I followed to decompile an APK on my own.
Make sure to download these files and install them before following the steps below.
For the purposes of demoing how to decompile an APK, I’ve built a dummy APK out of an Android Studio project template that contains a single Activity and a single Fragment (along with layout resources for each). My project, like any other Android project contains the Android Manifest file and Gradle scripts. I’m also going to assume you’re using a Mac, but note that the three aforementioned tools have installation instructions for other platforms on their respective websites.
Latest Apktool installation instructions can be found here
mv apktool.txt apktoolchmod +x apktool and chmod +x apktool.jarYou’ll notice that you now have a folder containing the Android resources. But, at least the Android resources are readable!Take a look at the before and after Android Manifest files in my gist here
chmod -R +x ~/Desktop/dex2jar-2.0/cd ~/Desktop/dummy_appYou’ll notice that you now have a file titled something like “dummy_app-dex2jar.jar” in your current directory. This file was converted from the APK’s classes.dex (Dalvik Executable) file. This jar contains the APK’s java code! All we need now is a tool to decompile the jar.
Latest installation instructions on this tool can be found here.Alternatively, you can use any java decompiler tool that you prefer. This step isn’t necessarily specific to Android decompilation.
/trakt-app-for-mac.html. JD-GUI should now show folders containing the Java class files. These aren’t going to be exactly as they are in the developer’s Android project because they are the decompiled short-form classes, as I mentioned earlier.If you’d like to save the decompiled class files, just click on File -> Save All Sources.Take a look at the before and after Java class files in my gist here
That’s it! Now that you have the source code and the Android resource files, you can use it to help you get a glimpse of how the application is architected and to decipher how the application works.