Reverse Engineering Android app binaries (APK) for Legitimate Analysis

Android APK

Finally, I have a chance to get back to blogging, since I was very busy last month. Now, let's go into the details of today's topic.


Sometimes you may be in a situation where you need to reverse engineer your existing APKs for legitimate analysis reasons, such as querying the app's source (including the third-party libraries it uses) to gain more insight into what it contains.


This post shows you how to reverse engineer an existing APK for such good reasons (again, for *good* reasons only).


Detailed way / Using Mainly Three Tools

In order to reverse engineer an APK file back to its source, you need to do the following:



Exploding APK

Extracting Java Classes

Decompiling Java Sources

Inspecting APK Content

Now, let’s go through them quickly.


Exploding APK

First of all, we need to explode the APK file, mainly into its resources (assets, libraries, and the manifest file).


In order to achieve this step, you need to download and use ApkTool which can be found in:

https://ibotpeaches.github.io/Apktool/


After downloading the jar, execute it as follows.



java -jar apktool_2.2.0.jar decode --no-src myApk.apk

Note that if you do not specify the --no-src parameter, then ApkTool will also decode the sources and generate Smali code (not Java).


Extracting Java Classes

The second step is to convert the APK DEX file(s) into Java jar file(s). You will find the DEX files, whose names follow the classes(i).dex pattern, under the exploded APK directory (note that if your APK is multi-dex then, besides the main classes.dex file, you can find classes2.dex and/or classes3.dex, and so on).


In order to perform this extraction, you can use a very good tool called dex2jar, which can be found below:

https://sourceforge.net/projects/dex2jar/


Download the zip file and extract it, then run the dex2jar tool from the command line as follows (assuming that the dex2jar directory is located at the same level as the DEX file(s)).



sh d2j-dex2jar.sh ../myApk/classes.dex -o ../myApk/src.jar

Decompiling Java Sources

After having the jars, we can now simply decompile them back into Java sources. For this, we can use the command-line Java Decompiler, which is available at:

https://github.com/kwart/jd-cmd


For every jar we have, we can simply decompile it by running jd-cli as follows.



./jd-cli src.jar

Inspecting APK Content

Finally, we can inspect the APK content as much as we wish. For example, we can list all strings in the content that follow a URL pattern by executing the following grep command in the root folder of the exploded APK.



grep -Eo '(http|https)://[^/"]+' -R .

This command prints every match, prefixed with the file in which it occurs, so you get the complete list of files whose contents match this regular expression.
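The whole four-step procedure (explode, extract, decompile, inspect) wired together as one POSIX shell script. This is an added example, not code from the original post or from any of the tools' projects. It assumes the tool locations given by the APKTOOL_JAR, DEX2JAR and JD_CLI variables (adjust them to your setup), uses apktool's -o and -f options in addition to --no-src, invokes jd-cli exactly as the post does, and goes beyond the post's single classes.dex command by looping over every classes*.dex file of a multi-dex APK. The make_demo_tree helper builds a small constructed directory (empty fake DEX files and a strings.xml with sample URLs) so that the discovery and inspection helpers can be tried without an APK or the tools installed.

```shell
#!/bin/sh
# Added example: drives apktool, dex2jar and jd-cli in the order described in
# the post, handles multi-dex APKs, then runs the URL inspection step.
# Assumptions: tool paths come from the three variables below (override them
# in the environment); apktool's -o/-f flags are used alongside --no-src.
set -eu

APKTOOL_JAR="${APKTOOL_JAR:-apktool_2.2.0.jar}"
DEX2JAR="${DEX2JAR:-./dex2jar/d2j-dex2jar.sh}"
JD_CLI="${JD_CLI:-./jd-cli}"

# List every DEX file in an exploded APK directory, one per line.
# Multi-dex aware: classes.dex, classes2.dex, classes3.dex, ...
list_dex_files() {
    dir="$1"
    for f in "$dir"/classes*.dex; do
        [ -e "$f" ] || continue   # the glob matched nothing
        echo "$f"
    done
}

# Map .../classes2.dex to .../classes2.jar (same directory, .jar extension).
jar_name_for() {
    echo "${1%.dex}.jar"
}

# Steps 1-3: explode the APK, convert each DEX to a jar, decompile each jar.
# With --no-src, apktool leaves the DEX files in the output directory.
decompile_apk() {
    apk="$1"
    out="${2:-${apk%.apk}}"
    java -jar "$APKTOOL_JAR" decode --no-src -f -o "$out" "$apk"
    list_dex_files "$out" | while read -r dex; do
        jar=$(jar_name_for "$dex")
        sh "$DEX2JAR" "$dex" -o "$jar"
        "$JD_CLI" "$jar"          # same invocation as in the post
    done
}

# Step 4: every URL-looking string in the tree, de-duplicated (host part only,
# as the post's regex stops at the first '/'), so hard-coded endpoints stand out.
list_urls() {
    grep -Eoh '(http|https)://[^/"]+' -R "$1" | sort -u
}

# Count cleartext (http://) hosts among the findings; a non-zero result is
# worth a closer look, since such traffic is not protected in transit.
count_cleartext() {
    list_urls "$1" | grep -c '^http://' || true
}

# Constructed demo tree (no real APK involved): three empty DEX files and a
# strings.xml with sample URLs. Prints the directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/res/values"
    : > "$d/classes.dex"; : > "$d/classes2.dex"; : > "$d/classes3.dex"
    cat > "$d/res/values/strings.xml" <<'EOF'
<resources>
    <string name="api">https://api.example.com/v1/login</string>
    <string name="cdn">http://cdn.example.com/img/</string>
    <string name="api2">https://api.example.com/v2/</string>
</resources>
EOF
    echo "$d"
}

# Usage: sh apk_pipeline.sh myApk.apk
# Without arguments it only exercises the helpers on the constructed demo tree.
if [ "$#" -gt 0 ]; then
    decompile_apk "$1"
    echo "cleartext hosts: $(count_cleartext "${1%.apk}")"
else
    demo=$(make_demo_tree)
    echo "DEX files:"; list_dex_files "$demo"
    echo "URL hosts:"; list_urls "$demo"
    echo "cleartext hosts: $(count_cleartext "$demo")"
    rm -rf "$demo"
fi
```

Run without arguments to see the helpers work on the demo tree; with an APK path it performs the real pipeline and leaves the exploded tree, one jar per DEX file, and the decompiler output under the directory named after the APK.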


Fast way / Using Jadx

Jadx is a powerful tool for directly converting an APK to its original sources; it can be found at:

https://github.com/skylot/jadx

So for our myApk.apk, all we need to do to get its original source is to run the Jadx tool as follows.



./jadx myApk.apk

Executing the previous command performs all three of the steps explained above for you.


Now, we are done, see you in the next post.

Published on September 03, 2016 16:54