Step-by-Step Guide To Decompiling Android Apps

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles. – Sun Tzu

With the pressure for every company to have an app (or two, or three) in both iTunes and Google Play, the pressure is on both security teams and development teams to make sure those apps are secure. If you’ve ever read viaForensic’s 42+ Secure Mobile Development Best Practices paper, you know that Android app developers are at a disadvantage. Simply put, it’s harder for a developer to secure an Android app than an iOS app.

If you have an app available for download from Google Play, an attacker (or security researcher) can download that app and take it apart with relative ease. Maybe the attacker is looking for a tidbit they can use to gain a foothold in your organization, analyzing the app as a form of passive reconnaissance (i.e., never touching the systems you’re monitoring with your SIEM). Or maybe the attacker wants to develop a competitive app, and s/he has no problem with stealing your source code to get a “head start.”

Whatever the reason, the simple truth is this: if you have an app in Google Play, you need to make sure you’ve taken the appropriate steps to protect that app.

How easy is it to decompile an Android app? If you have an Android tablet and a Windows laptop with the right tools installed, it takes all of 10 minutes (if that). Here’s how:

  1. Install Apk Extractor on your Android device
  2. Download your target app from Google Play
  3. Run APK Extractor to send the .apk file to your laptop
  4. Download the Android SDK (Eclipse/ADT) and unzip
  5. Download dex2jar and unzip
  6. Download JD_GUI and unzip
  7. In Eclipse/ADT, click File > New > Java Project
  8. Name your project, then click Next > Finish
  9. Right click on your project, then click Build Path > Configure Build Path
  10. On the Libraries tab, Select Add External Jars, browse to your unzipped dex2jar\lib directory, select all the .jar files, and click Open > OK
  11. Drag your .apk file into the Eclipse/ADT project (choose Copy Files > OK)
  12. Right click on your project, then click Run As > Run Configurations
  13. Right click on Java Application, then click New
  14. Set Project to the same name you assigned to your project
  15. Set Main class to com.googlecode.dex2jar.v3.Main
  16. Go to the Arguments tab, and type the name of the .apk file in the Program arguments field
  17. Click Run (will create a new .jar file in your project workspace directory)
  18. Minimize Eclipse/ADT and go toy our project workspace directory (if not sure, right click Project > Properties > Resource > Location)
  19. Run jd-gui.exe
  20. In jd-gui, click File > Open, and point to the .jar file created in your Eclipse/ADT workspace directory
  21. Boom. Source code.

If the process is so simple that a script kiddie can do it, then that should be an indicator that you need to take the necessary steps to secure your code. One technique you can (and should) apply is code complexity and obfuscation. This includes:

  • Anti-debug techniques
  • Restricting debuggers
  • Trace checking
  • Optimizations
  • Stripping binaries

You should also consider using tools like ProGuard and DexGuard. Otherwise, some security researcher is likely to download your app, tear it apart, and publish an article about how weak your app is when it comes to app security.

If you want a little more info on how to integrate appsec into your mobile appdev process, check this out.

2 thoughts on “Step-by-Step Guide To Decompiling Android Apps”

  1. Thanks for your tutorial it helps me a lot. After decompiling from an apk file I need to run the app in my android workspace.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s