Recently, I discovered how to convert an APK file into readable Java source code and XML files. There are three tools you will need: apktool, dex2jar, and jd-gui (or any other java decompiler, JD Gui happens to be the best one I’ve found so far). You can download them from the following URLs:

Make sure you follow the installation instructions for APKTool. Windows users will have to download two files to get it working.

Once you have these downloaded and installed, the next thing you will need is an APK. With a bit of googling you can easily find APKs for just about anything (e.g. Facebook, Twitter, Amazon App Store).

Now, that you have everything you will need to do the following:
1) Extract the APK using APKTool. Run: apktool d <apk>
2) Extract the classes.dex file found in the APK file. Run: jar xvf <apk> classes.dex
3) Extract the classes from classes.dex file. Run: dex2jar classes.dex
4) Extract the classes.dex.dex2jar.jar. Run: jar xvf classes.dex.dex2jar.jar

You now have the raw data available to you. You can use JD-Gui to peruse the extracted classes and even save the source down as Java. All of the layouts, manifest, strings, images, and assets are also available to you in the appropriate folders.

Some things I’ve discovered while playing around with this:
1) Hardly anyone actually runs Proguard on their source code.
2) Some developers (e.g. Rovio) have encoded much of their assets into proprietary files. This leads me to my next topic: safe guarding your applications.

There are several things you can do to help safeguard your application against hackers:
1) Run Proguard on your release APK. This obfuscates all class names, method names, and variables to make it more difficult for hackers to read.
2) Sensitive data should be encoded in a proprietary binary format.
3) If you have sensitive logic (e.g. encoding / decoding mechanisms), I would suggest writing native code and calling it from Java.

These safeguards aren’t 100% fool proof, but it will at least slow down hackers from easily gaining access to sensitive information.

EDIT: I’ve written another article on how to pull APKs from non-rooted Android devices. Give it a read if you are curious.

Tagged with:

3 Responses to HOWTO: Extract APK into readable Java source code and XML files

  1. [...] have Android APK though You can decompike APK files to Java source. This way worked for me: HOWTO: Extract APK into readable Java source code and XML files | DroidDudes You do not get the best source, but it is ok to understand wat is going on…. [...]

  2. APK Modding says:

    [...] calls the recovery reboot would be the most recent example. I used this resource for decompiling: HOWTO: Extract APK into readable Java source code and XML files | DroidDudes And there are plenty of Smali bytecode reference sheets if you'd like to go down that [...]

  3. [...] it. You should now have the APK for the application. See our other article “HOWTO: Extract APK into readable Java source code and XML files” for tips on how to convert that APK into readable Java / XML source code.   [...]