Android APK Reverse Engineering: Using JADX - Secplicity - Security Simplified (2024)


In continuation of the Android APK Reverse Engineering series, this post will cover how to actually start digging into an APK’s programming logic. My last blog post detailed how to unzip an APK archive and what contents are within. While it’s useful to an extent, it’s not helpful in reading and understanding the programming logic. Remember the code itself is in binary format and cannot be read within a text editor or other development environment.

In my testing, I used quite a few different tools and frameworks. Installation processes vary from tool to tool, but the one requirement common to all of them was Java. I’ll explain how to go about getting set up using an Ubuntu VM. This post will specifically cover the JADX tool, which was the simplest to install and use in my experience. JADX is used to convert DEX/Smali code into Java source code.

Installing Java

At this point, I am assuming you’re in a VM running Ubuntu. Open the terminal and go into whatever directory you want to use for reverse engineering purposes. For me, I have a directory called “APKAnalysisTools” and this is where I am doing my APK testing. The two commands to run are:

sudo apt install default-jre

sudo apt install default-jdk

Note that the JADX GitHub mentions “JDK 8 or higher must be installed” but I ran both commands above just in case. JRE is the Java Runtime Environment, which allows running Java code. JDK is the Java Development Kit, which provides the tools for developing Java code. JDK should contain JRE as well per online resources, though I didn’t run into issues in running both commands.

Finally, run the following command to ensure you have Java 8 or higher:

java -version

Installing JADX

Still within the APKAnalysisTools folder (or whatever you named your directory), follow the three commands listed under the “Build from source” section of the JADX GitHub page. Note that git is required. If you don’t have it yet, install it first by running:

sudo apt install git

After getting git, run:

git clone https://github.com/skylot/jadx.git

cd jadx

./gradlew dist

From here, you’ll have a few directories that house different content. In order to use the graphical version (GUI), you’ll need to call “jadx-gui” from within the “build/jadx/bin/” directory. That can get a bit messy depending on what command you run; I suggest creating an “alias” for this. This can be done by running:

alias jadx-gui='~/<directoryName>/jadx/build/jadx/bin/jadx-gui'

This essentially creates a command called “jadx-gui” and assigns it the location of the actual jadx-gui command. In other words, instead of having to be in the “../jadx/build/jadx/bin/” directory, you can call jadx-gui from wherever you are. Note that the aliased command is tied to the user you created it as and, unless you add it to a shell startup file such as ~/.bashrc, it lasts only for the current terminal session. Other users will need to do the same, or use one of the other options that make the aliased command available to them, but that’s beyond the scope of this post.

Using JADX

Okay, now that we got all the fun stuff taken care of, let’s actually use JADX!

If you completed the above step of creating an aliased command, simply type in “jadx-gui” in the terminal and you should be presented with the GUI version of JADX. See Figure 1 for reference.


From here, open an APK you’d like to investigate further. You can see the hierarchy in the left windowpane, and the main windowpane is empty. Using the sample “Hello World” APK I created, I see a few entries that correspond to Android packages, but I also see my package name as well. The android folders contain the development kit code used in my app. For the most part, I’d say it’s safe to skip these and look at the package name’s folder to see the code the author wrote. Within an APK, the “MainActivity” is generally the introduction point a user is presented with when running an app on their mobile device. Since this app is simple, there are just three Java classes listed, of which I personally wrote only one in this case.


As you can see in Figure 2, I drilled into the “com.proofofconcepts…” folder and there are the three Java classes. “R” and “BuildConfig” are defaults; “MainActivity” is the only class I authored. The presented code seems pretty easy to read; it’s in Java after all! However, if you’re curious about the Dalvik bytecode (aka Smali, shown in one of the two tabs at the bottom of the main windowpane), I urge you to check it out. Figure 3 shows the distinct contrast between Java source code and the Smali source code.


I don’t know about you but I think the Smali code is much more difficult to read. The sample app I used isn’t terribly difficult to follow along with, but if you look at other published apps, the logic gets more difficult to follow. Also, bear in mind that some developers obfuscate their code for legitimate reasons, while malicious threat actors do so to complicate the reverse engineering process. As a reminder, obfuscation is the act of making source code much more difficult to read.
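The triage described above (skip the SDK folders, ignore the generated “R” and “BuildConfig” classes, and watch for obfuscated names) can be approximated with a short script over the class names shown in JADX’s tree. This is an added example, not code from the original post; the prefix list, the short-name heuristic and the sample class names (including com.example.helloworld) are assumptions constructed for illustration.

```python
import re

# Assumption: prefixes of SDK/support-library packages that are usually not author code.
FRAMEWORK_PREFIXES = ("android.", "androidx.", "com.google.android.", "kotlin.", "kotlinx.")
# Build-generated classes that the post calls "defaults".
GENERATED_CLASSES = {"R", "BuildConfig"}
# Heuristic: ProGuard-style renaming tends to leave one- or two-letter names ("a", "ab").
SHORT_NAME = re.compile(r"^[A-Za-z]{1,2}$")


def author_classes(class_names):
    """Drop framework packages and generated classes; keep what the developer likely wrote."""
    kept = []
    for fqcn in class_names:
        if fqcn.startswith(FRAMEWORK_PREFIXES):
            continue
        # Nested classes appear as Outer$Inner in DEX; judge them by the outer class.
        outer = fqcn.rsplit(".", 1)[-1].split("$", 1)[0]
        if outer in GENERATED_CLASSES:
            continue
        kept.append(fqcn)
    return kept


def obfuscation_ratio(class_names):
    """Fraction of name segments (packages and classes) that look machine-renamed."""
    segments = [seg for fqcn in class_names for seg in re.split(r"[.$]", fqcn) if seg]
    if not segments:
        return 0.0
    short = sum(1 for seg in segments if SHORT_NAME.match(seg))
    return short / len(segments)


# Constructed sample inputs (not taken from the post's APK).
PLAIN_APP = ["androidx.appcompat.app.AppCompatActivity", "com.example.helloworld.R$layout",
             "com.example.helloworld.BuildConfig", "com.example.helloworld.MainActivity"]
RENAMED_APP = ["androidx.core.a.b", "a.a.a", "a.a.b$a", "com.example.shop.MainActivity"]

if __name__ == "__main__":
    for label, names in (("plain", PLAIN_APP), ("renamed", RENAMED_APP)):
        mine = author_classes(names)
        print(label, mine, round(obfuscation_ratio(mine), 2))
```

A high ratio only suggests that names were shortened; legitimate packages with short segments (for example “io” or “me”) also raise it, so treat the number as a hint about where to look first.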

Conclusion

That’s it for this post. In summary, this blog post covered how to get set up using JADX, which is a tool that produces Java source code from Android DEX and APK files. The process covers getting Java and git installed prior to obtaining the JADX source code. I also threw a little bonus in and showed you how to create an aliased command to save you a few keystrokes!

Once we got JADX GUI open, we took a sneak peek at my Hello World APK and contrasted Smali code with Java source code. While this sample may have been easier to follow along with, some larger APKs are quite difficult to follow. One thing that I didn’t mention is that JADX automatically converts an APK into a readable format, so there isn’t a need to do anything prior. Simply run JADX, open an APK, and analyze away!


FAQs

What is the difference between JADX and Apktool?

These tools are used in reverse engineering. Apktool extracts Dalvik bytecode, while Jadx provides Java source code. You can get more information here about the Android operating system. Open Android Studio, and create two textViews, then set their values in the onCreate method.

How are Android applications typically protected against reverse engineering?

The most typical techniques used by obfuscators are changing methods/parameters names, modifying the flow of the code and encrypting string and assets. Most popular obfuscators for Android code are ProGuard and DexGuard.

Is reverse engineering Android app legal?

Owner's consent: Reverse engineering is usually legal if it is performed on products, systems or software to which the person or company conducting analysis has the legal right to access (purchased it) or the owner's consent.

How to make APK secure?

Strategies to Protect Your APK
  1. Obfuscation. Using tools like ProGuard can obfuscate your code, making it more difficult to read when decompiled. ...
  2. Native Libraries. Consider moving critical parts of your application to native libraries written in C or C++. ...
  3. Encryption. ...
  4. Server-Side Processing. ...
  5. Anti-Debugging Techniques.

What is replacing APK?

An APK (Android Package Kit) is a file format used to distribute and install apps on Android devices. It contains all the necessary files and resources for an app to run on an Android device. An app bundle, on the other hand, is a new format introduced by Google in 2018 as a replacement for the APK.

What is the command to decompile the APK using Apktool?

For decompiling use the command "d". The "d" stands for decompile. After the app is correctly decompiled, a new folder will be created in the same folder where you placed your app.

How to protect your code from reverse engineering?

Encryption involves using algorithms to scramble the software code so that it cannot be read or understood without the decryption key. This can be an effective method of preventing reverse engineering, as it makes it virtually impossible to understand the code without the key.

How do hackers use reverse engineering?

Hackers often use reverse engineering to find vulnerabilities in systems and devices. In many cases, hackers will obtain a copy of the software or hardware they want to attack. They will disassemble it, looking for ways to bypass security features or exploit weaknesses.

Is it illegal to decompile apps?

Using a decompiler is illegal because you are breaking the terms of the legal contract and are often bound by the agreements by virtue of having the program on your machine.

What are some fake apps for Android?

Some fake Android apps are:
  • Ultima Keyboard 3D Pro.
  • VideoMixer Editor Pro.
  • NewVision Camera.
  • Wi-Fi Password Unlock.
  • GT Sports Racing Online.
  • Fitness Ultimate 2021.

What apps can be removed from an Android phone?

Here are some specific examples of Android apps that can be safely removed:
  • Flashlight apps.
  • QR scanner apps.
  • Screen recorder apps.
  • Media player apps.
  • Screen dimmer apps.
  • Duplicate web browsers.
  • Duplicate note-taking apps.
  • Duplicate data backup apps.

Why is reverse engineering illegal?

Reverse engineering is generally legal. In trade secret law, similar to independent developing, reverse engineering is considered an allowed method to discover a trade secret. However, in patent law, because the patent owner has exclusive rights to use, own or develop the patent, reverse engineering is not a defense.

How do I know if my APK is secure?

Check Reviews and Developer Info: Before downloading an APK file, check app reviews and the authenticity of the developer information. Avoid Unofficial Websites: Many sites that offer free APK downloads are not officially sanctioned and can include harmful files.

Why APK is blocked for security reasons?

Here are some troubleshooting steps you can try:
  • Enable App Installation from Unknown Sources: By default, Android devices block the installation of apps from unknown sources as a security measure. ...
  • Check File Integrity: Ensure that the APK file you have downloaded is not corrupted or incomplete.

How to make APK trusted?

Allowing app installs from Unknown Sources in Android
  1. Navigate to Setting > Security.
  2. Check the option Unknown sources.
  3. Tap OK on the prompt message.
  4. Select Trust.

What is the use of JADX tool?

JADX is an open-source tool used for decompiling Android applications, with a specific focus on those developed for the Android platform. By utilizing JADX, users can analyze and comprehend the source code structure of an Android application.

What is APK tool used for?

Apktool is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step.

What is the best APK decompiler?

  • JD-Gui.
  • Jadx.
  • GDA-android-reversing-Tool.
  • Bytecode-Viewer.
  • Enjarify.
  • CFR.
  • Fernflower.
  • Krakatau.
  • Procyon.

What is APK extractor used for?

Extracting APK files from your Android device can be useful for backing up your apps, freeing up memory space, or studying the contents of the app.

Article information

Author: Madonna Wisozk
