Third-Party Libraries & Frameworks
Java and Kotlin are the primary programming languages for Android, but libraries bundled with an application may be native code written in C/C++. These libraries should be evaluated for public CVEs (which requires identifying the library and its version) and examined for sensitive information leakage such as embedded keys, credentials or internal URLs.
Extract The APK File
To extract and decode the APK file, follow this example:
apktool d -o App ExampleApp.apk
cd App/lib/{arch}
These files are the compiled shared libraries (.so). Since they are ELF files, you will need tools such as readelf, radare2 or Ghidra to examine them.
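As an added example (not part of the original page), the following script performs the first triage step described above without apktool: it reads the APK as a zip, lists every lib/{arch}/*.so entry, checks the ELF e_machine field against the ABI directory the library sits in, and pulls out version-looking strings so the library version can be looked up against public CVEs. The APK it builds in memory, the "libexample" name and the version strings are constructed sample data.

```python
# Added example (not from the original page): inventory lib/<arch>/*.so inside
# an APK straight from the zip, check each ELF header against its ABI directory,
# and pull out version-looking strings to look up against public CVEs.
import io, re, struct, zipfile

# ELF e_machine values mapped to Android ABI directory names.
EM_TO_ABI = {3: "x86", 40: "armeabi-v7a", 62: "x86_64", 183: "arm64-v8a"}
VERSION_RE = re.compile(rb"[A-Za-z][A-Za-z0-9_.+-]{1,30} ?v?\d+\.\d+(?:\.\d+)?[a-z]?")


def parse_elf_machine(blob):
    """Return the ELF e_machine value, or None if blob is not an ELF file."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    fmt = "<H" if blob[5] == 1 else ">H"   # EI_DATA: 1 little-endian, 2 big-endian
    return struct.unpack(fmt, blob[18:20])[0]  # e_machine sits at offset 18


def version_strings(blob):
    """Version-like printable strings (e.g. 'OpenSSL 1.0.2k') for CVE lookup."""
    return sorted({m.group(0).decode() for m in VERSION_RE.finditer(blob)})


def inventory(apk_bytes):
    """Map each lib/<abi>/*.so entry to its ABI, e_machine, ABI check and versions."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) != 3 or parts[0] != "lib" or not name.endswith(".so"):
                continue
            blob = zf.read(name)
            machine = parse_elf_machine(blob)
            result[name] = {
                "abi": parts[1],
                "machine": machine,
                "abi_matches": EM_TO_ABI.get(machine) == parts[1],
                "versions": version_strings(blob),
            }
    return result


def build_sample_apk():
    """Constructed sample: a zip holding a fake AArch64 ELF stub with version strings."""
    header = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 3, 183)
    so = header + b"\x00" * 44 + b"OpenSSL 1.0.2k\x00libexample 3.4.1\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libexample.so", so)
        zf.writestr("lib/x86/libexample.so", so)   # mislabelled ABI, flagged on purpose
    return buf.getvalue()
```

Run inventory() on a real APK's bytes; an ABI mismatch or an old version string is the cue to open the library in readelf or Ghidra and check the vendor's advisories.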
Decompile APK File
To decompile the APK's DEX (smali) bytecode into Java source, use the jadx tool:
jadx -d App ExampleApp.apk
The files will be in the App/sources directory. Typically, the source files follow a reverse-domain layout such as com/libname/android/*.java, where each ‘/’ is a sub-directory. So, in this example, the full path would be ~/App/sources/com/libname/android/ with all of the Java files listed below that.