Reverse Engineering APKs: Guide To See If Obfuscation Works

Angelhia De Fiesta
Oct 8, 2017


Previously, I tackled How to Obfuscate in Android. Obfuscation basically means giving hackers a hard time decompiling your code. So how do you check if obfuscation works? This post is a step-by-step guide on how to reverse engineer your APK.

Remember, our goal is to puzzle hackers. After obfuscation, your classes are expected to be renamed and harder to comprehend.

  1. Download dex2jar (https://github.com/pxb1988/dex2jar) and put it in a convenient location
  2. Rename app.apk to app.zip. Unpack app.zip and look for the classes.dex file
  3. Paste your classes.dex in a convenient location (note your classes.dex directory)
  4. Using the command line, go to the dex2jar location and run this command:
    d2j-dex2jar.bat YourDexFileDirectory/classes.dex
  5. Your .jar should now be available in your dex2jar folder
  6. Download the Java Decompiler, JD-GUI
  7. Run the downloaded executable jar file
  8. Drag and drop your classes-dex2jar.jar into JD-GUI
  9. You can now read the source code of each class file

Congratulations! You can now check your app's source code! A sample decoded APK is seen below; the classes are now renamed to a.class, b.class, etc.
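The renaming check can also be scripted instead of read off JD-GUI by eye. The Python sketch below is an added example, not part of the original post: it lists the classes in the jar that dex2jar produced and flags the ones under your app package that still have readable names. The function names, the `com.example.app` package and the "one or two letters means renamed" heuristic are assumptions, and it assumes your classes stay under the app package rather than being repackaged.

```python
import io
import re
import zipfile

# Assumption: obfuscated names look like a, b, ab (1-2 letters);
# anything longer is treated as still readable.
SHORT_NAME = re.compile(r"^[A-Za-z]{1,2}$")

def class_names(jar, app_package):
    """Yield dotted class names found under app_package in the jar."""
    prefix = app_package.replace(".", "/") + "/"
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            if entry.startswith(prefix) and entry.endswith(".class"):
                yield entry[:-len(".class")].replace("/", ".")

def audit(jar, app_package, keep=()):
    """Sort classes into renamed, kept on purpose (keep), and readable."""
    report = {"renamed": [], "kept": [], "readable": []}
    for name in sorted(class_names(jar, app_package)):
        # Inner classes look like Outer$Inner or a$1: check every segment
        parts = name.rsplit(".", 1)[-1].split("$")
        if all(SHORT_NAME.match(p) or p.isdigit() for p in parts):
            report["renamed"].append(name)
        elif any(name.startswith(k) for k in keep):
            report["kept"].append(name)
        else:
            report["readable"].append(name)
    return report

def sample_jar():
    """Constructed stand-in for classes-dex2jar.jar (empty class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in ("com/example/app/a.class", "com/example/app/b.class",
                      "com/example/app/a$1.class",
                      "com/example/app/MainActivity.class",
                      "com/example/app/net/ApiKeyStore.class",
                      "android/support/v4/app/Fragment.class"):
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    result = audit(sample_jar(), "com.example.app",
                   keep=("com.example.app.MainActivity",))
    for label, names in result.items():
        print(label, names)
```

To run it on a real build, pass the path to classes-dex2jar.jar instead of `sample_jar()`. Classes referenced from the manifest, such as Activities, normally keep their names, so list them in `keep` and investigate whatever is left under `readable`.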
