HOWTO: Extract APK into readable Java source code and XML files

By On May 8, 2011

Recently, I discovered how to convert an APK file into readable Java source code and XML files. There are three tools you will need: apktool, dex2jar, and jd-gui (or any other java decompiler, JD Gui happens to be the best one I’ve found so far). You can download them from the following URLs:
http://code.google.com/p/dex2jar/
http://code.google.com/p/android-apktool/
http://java.decompiler.free.fr/?q=jdgui

Make sure you follow the installation instructions for APKTool. Windows users will have to download two files to get it working.

Once you have these downloaded and installed, the next thing you will need is an APK. With a bit of googling you can easily find APKs for just about anything (e.g. Facebook, Twitter, Amazon App Store).

Now, that you have everything you will need to do the following:
1) Extract the APK using APKTool. Run: apktool d <apk>
2) Extract the classes.dex file found in the APK file. Run: jar xvf <apk> classes.dex
3) Extract the classes from classes.dex file. Run: dex2jar classes.dex
4) Extract the classes.dex.dex2jar.jar. Run: jar xvf classes.dex.dex2jar.jar

You now have the raw data available to you. You can use JD-Gui to peruse the extracted classes and even save the source down as Java. All of the layouts, manifest, strings, images, and assets are also available to you in the appropriate folders.

Some things I’ve discovered while playing around with this:
1) Hardly anyone actually runs Proguard on their source code.
2) Some developers (e.g. Rovio) have encoded much of their assets into proprietary files. This leads me to my next topic: safe guarding your applications.

There are several things you can do to help safeguard your application against hackers:
1) Run Proguard on your release APK. This obfuscates all class names, method names, and variables to make it more difficult for hackers to read.
2) Sensitive data should be encoded in a proprietary binary format.
3) If you have sensitive logic (e.g. encoding / decoding mechanisms), I would suggest writing native code and calling it from Java.

These safeguards aren’t 100% fool proof, but it will at least slow down hackers from easily gaining access to sensitive information.

Tagged with:
 
If you enjoyed this article, please consider sharing it!
Reddit Facebook Twitter StumbleUpon Digg

Comments are closed.