Android reverse engineering

Often I am quite curious to see how an app is built and what tools it uses under the hood: which libraries it depends on, which clever tricks it relies on, and so on. Some companies blog about this on their corporate site, others don’t. An easy way to figure things out is by reverse engineering the application.

Getting data off the phone
The first thing you need to do is get the application from your phone to your computer.

To do this, you can use the APK Extractor app.

“This application will extract an APK which is installed on an Android device and copy it to the SD card.”

From there it is a matter of getting the data from the SD card. I normally just use adb pull. Have a look at the adb documentation for more details.

Once you have the application on your computer, there are various tools you can use to reverse engineer it.

The first step, though, is to unpack the APK. Luckily this is really easy, as an APK is just a ZIP file. Extract it with your favorite ZIP tool.

At this point most of the extracted data is still in binary form. Opening AndroidManifest.xml, for instance, won’t give you much information yet. This is where the various tools come in.
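To make “binary form” concrete, here is an added Python example (not from the original post) that opens an APK as a ZIP, flags whether AndroidManifest.xml is still Android binary XML rather than text, and verifies the Adler-32 checksum every dex header carries. The APK it inspects is a tiny fake one constructed in memory, so it runs offline; a real APK can be passed to inspect_apk() as bytes.

```python
import io
import struct
import zipfile
import zlib

# Magic values from the Android dex and binary-XML (AXML) formats.
DEX_MAGIC_PREFIX = b"dex\n"
AXML_MAGIC = b"\x03\x00\x08\x00"  # little-endian chunk type 0x0003, header size 0x0008


def dex_header_ok(data: bytes) -> bool:
    """Check a dex file's magic and its Adler-32 checksum.

    The checksum stored at offset 8 covers every byte after the 8-byte magic
    and the 4-byte checksum field itself, i.e. data[12:]."""
    if len(data) < 0x70 or not data.startswith(DEX_MAGIC_PREFIX):
        return False
    stored = struct.unpack_from("<I", data, 8)[0]
    return (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored


def inspect_apk(apk_bytes: bytes) -> dict:
    """Walk the APK as a ZIP and classify the entries discussed in the post."""
    report = {"manifest_binary": None, "dex_files": {}, "entries": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            report["entries"].append(name)
            data = zf.read(name)
            if name == "AndroidManifest.xml":
                # Binary XML starts with the AXML chunk header, not with "<?xml".
                report["manifest_binary"] = data.startswith(AXML_MAGIC)
            elif name.endswith(".dex"):
                report["dex_files"][name] = dex_header_ok(data)
    return report


def build_sample_apk() -> bytes:
    """Construct a minimal fake APK (constructed for this example, not a real app)."""
    dex = bytearray(0x70)                        # a dex header is 0x70 bytes
    dex[0:8] = b"dex\n035\x00"                   # magic
    struct.pack_into("<I", dex, 32, len(dex))    # file_size
    struct.pack_into("<I", dex, 36, 0x70)        # header_size
    struct.pack_into("<I", dex, 40, 0x12345678)  # endian_tag
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 4)     # binary, not text
        zf.writestr("classes.dex", bytes(dex))                            # valid header
        zf.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 0x68)    # checksum field wrong
    return buf.getvalue()
```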

To “decode resources to nearly original form” you can use apktool. To decode an application with apktool, run:

    apktool d name_of_apk.apk

For any additional options, have a look at the apktool documentation.

Decoding with apktool results in a new folder with the same name as the APK. This folder contains all decoded data. If you open the AndroidManifest.xml file from there, you’ll see it is now in a human-readable format. All code is disassembled to smali. Smali is the disassembled form of the dex bytecode used by Dalvik, and it follows the same package and class naming as the original Java code. If you want to learn more about smali, have a look at the links in the answer to “What’s the best way to learn Smali” on Stack Overflow.

If you don’t want to change any code and just want to learn about the application’s inner workings, you can make your life a little easier by using a combination of two other tools: dex2jar and jd-gui.

As the name says, dex2jar converts a .dex file to a jar. This, again, is a fairly simple process. Running the command below will generate name_of_apk.jar.

    d2j-dex2jar name_of_apk.apk

To explore the jar, open it in JD-GUI. dex2jar does not guarantee that everything can be converted. Sometimes you will find conversion errors in the exported code; these are indicated by a line starting with “// ERROR //”, followed by the smali code.

After decoding, you can make changes to the code, rebuild the application and install it on your device.

Make any modifications you want to the code and rebuild using

    apktool b folder_of_decoded_apk

Next, sign the new application. Google has great instructions on how to sign an application, so I won’t repeat that here.

To install the new application on your phone, run

    adb install -r name_of_apk.apk

You will have to uninstall the original version before you can install your modified one, because the version you built is signed with a different certificate.

Word to the wise

Make sure you are not breaking any laws when using reverse engineering. In some countries it is legal, in others it is illegal.

When reverse engineering is legal in the country you live in, make sure the software’s (or application’s) Terms and Conditions don’t explicitly forbid reverse engineering.

Even when the above hurdles are overcome, make sure to not blatantly copy and paste someone else’s code.