Decode & Decompile APK
For a lot of the static and dynamic analysis of the mobile app, reviewing the source and/or SMALI files could be very beneficial. In this section we will decode and decompile the apk file. While we will typically be provided the APK file by the app team, there are some instances where you will need to install the app from the Google Play Store. In these cases, we can still obtain the APK file after the app is installed.
Obtaining the APK
To obtain the APK from the device, you must know the package name so that you can find the appropriate directory. We will use the pm command to search for the package name, and then obtain the package path:
# get the package name
$ adb shell pm list packages | grep -i insecure
package:com.insecureshop
# get the apk path for that package
$ adb shell pm path com.insecureshop
package:/data/app/~~N5iAbCtp83Ezs6DzH_MgzQ==/com.insecureshop-0pwqOhV_cw9-wzQQh6-hEg==/base.apk
The APK filename will always be “base.apk”. We can then copy this file to our computer to start the static analysis of the application. In this example, I will rename the file when I pull it to the computer:
$ adb pull /data/app/~~N5iAbCtp83Ezs6DzH_MgzQ==/com.insecureshop-0pwqOhV_cw9-wzQQh6-hEg==/base.apk insecureshop.apk
/data/app/~~N5iAbCtp83Ezs6DzH_MgzQ==/com.insecureshop-0pwqOhV_cw9-wz...e.apk: 1 file pulled, 0 skipped. 34.1 MB/s (4754534 bytes in 0.133s)
Example:
$ adb pull /data/app/com.spotify.music-GlOA4soCX4BO-pYPQ-lKMw==/base.apk spotify.apk
/data/app/com.spotify.music-GlOA4soCX4BO-pYPQ-lKMw==/base.apk: 1 file pulled, 0 skipped. 10.7 MB/s (17853172 bytes in 1.594s)
Decoding the APK
To decode the APK file:
apktool d -o App/ ExampleApp.apk
dis to decode-ois the output directory
Here's an example of using apktool to decode the app:
% apktool d -o App InsecureBankv2.apk
I: Using Apktool 2.11.1 on InsecureBankv2.apk with 8 threads
I: Baksmaling classes.dex...
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: /Users/steve/Library/apktool/framework/1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
I: Regular manifest package...
I: Copying original files...
I: Copying unknown files...
In the output directory, which for this example is App/, we will see the following files/directories:
-rw-r--r--@ 1 steve staff 4116 Sep 13 11:03 AndroidManifest.xml
-rw-r--r--@ 1 steve staff 371 Sep 13 11:03 apktool.yml
drwxr-xr-x@ 4 steve staff 128 Sep 13 11:03 original
drwxr-xr-x@ 122 steve staff 3904 Sep 13 11:03 res
drwxr-xr-x@ 4 steve staff 128 Sep 13 11:03 smali
Decompiling the APK
To decompile to (near) source code:
jadx -d App ExampleApp.apk
Here is an example of decompiling the app:
% jadx -d App/ InsecureBankv2.apk
INFO - loading ...
INFO - processing ...
INFO - done
In this example, I used the same output directory as before so that all of this information is available in one place. This command adds two new directories under App/:
. . . (apktool directories) . . .
drwxr-xr-x 5 steve staff 160 Sep 13 11:11 resources
drwxr-xr-x 4 steve staff 128 Sep 13 11:11 sources
While using the jadx command is great for automating analysis, if you prefer to use a GUI when reviewing these files, you can use the jadx-gui command.
% jadx-gui
INFO - Checking for updates...
INFO - Update channel: STABLE, current version: 1.5.2
INFO - Found new jadx version: 1.5.3
In the GUI, drag and drop the APK file to the window.
