What is inside APK file

Ban Markovic
6 min read, Feb 6, 2020


This article belongs to the series "How your APK file can be used for extracting information from your Android project". Here is the list of all blog posts in the series (the list is not finished yet and will be updated in the future):

  1. Process of compiling Android app with Java/Kotlin code,
  2. Deep insight into APK (current one).

Motivation

I suppose most of you reading this know that an APK file is used to install an app on Android OS. But have you ever wondered what type of file it is, and how Android Studio actually generates it?

This article aims to help Android developers understand the APK in depth.

It is important to mention that this topic relies on knowledge of how Java/Kotlin code is compiled. If you would like to learn more about that process, I would be more than happy to invite you to read my previous blog post, Process of compiling Android app with Java/Kotlin code.

Introduction

APK (Android Package Kit) is the package file format used by Android OS for the distribution and installation of Android apps.

Basically, from an Android developer's point of view, an APK file holds the compiled code along with the data and resource files of the Android project. Therefore, we can safely say that an APK file is an archive of the compiled Android project.

At first sight this may not mean much to you, but if you have ever wondered how someone can extract sensitive data from your app, this is where that process begins.

Since an APK is an archive, it is fair to say that a .apk file behaves much like a .zip file (it is, in fact, a ZIP archive). I suppose you already know how to open and extract a .zip file. Well, just by manually renaming test.apk to test.zip, we can easily look at what is inside the .apk file.

Insight into APK

Before we open the APK file, let's take a moment to consider what we can expect to find in it.

For an Android project to run on an Android device or emulator, its Java/Kotlin code needs to be compiled. The end result of that compilation is .dex classes, which must be included in the .apk file (for more information on the compilation process, please read my previous article, Process of compiling Android app with Java/Kotlin code).

Image taken from Android: Understanding the APK installation process (StackOverflow)

Another important part of an Android project is its resources. They must be included in the .apk file, otherwise our app won't contain images, strings, styles and so on. The same applies to assets, certificates and the AndroidManifest file, which holds metadata for our app (general information about the app and its components, such as Activities).

Therefore, we can safely say that an APK file is a packaged container for the compiled Android code and all other parts of the Android project. To summarize, an APK file contains .dex files, resources, assets, certificates and the manifest file.

Example

Now that we have an idea of what to expect in a .apk file, let's take a look at a concrete example.

I've created a Hello World project just for the purpose of checking what's inside the generated APK.

It is an almost empty project; I've just added android_icon.xml (a vector drawable) and a hello_world string in the strings.xml file.

Why am I telling you this? You will see once we open the APK file.

Once we rename our freshly generated .apk file to .zip, nothing stops us from opening it as a regular .zip file.

APK as .zip

Not bad. But if you try to open the classes.dex file in a regular editor, chances are it won't be readable. The same applies to resources.arsc (which is where our strings file ends up).

Luckily for us, Android Studio provides a great tool, which you can find at Build -> Analyze APK… By selecting our .apk we get a much more readable view of the APK.

Analyze APK inside Android Studio

As you can see, everything is here, and more importantly, we can open everything.

Depending on how much code and how many libraries we have in our project, there may be multiple classes.dex files. In this example, if we select the classes2.dex file, more information is loaded in the Analyze APK window (as shown in the screenshot above). There we find our app's package name, in this example com.example.testapp, under which we can find our MainActivity file.

Right click on MainActivity -> Show Bytecode -> Voila.

We've opened the Dalvik bytecode of our MainActivity. You probably won't understand much here, but the point is that if you search through the file, you can find any constant value. For example, I've left a static String field TAG with the value "MainActivity". If we scroll down a little, we can find it in the Dalvik bytecode as

TAG static String inside MainActivity

So the next time you think about putting sensitive data inside your code, please consider this situation, where everyone who has access to your APK file can find it. If you are interested in a solution to this problem, I will write an article about it soon, so stay tuned.

Our resources can be found just as easily.

To check the android_icon.xml drawable, just go to res -> drawable -> android_icon.xml.

To check our strings.xml file, click on resources.arsc -> string -> hello_world.

From my point of view, the Analyze APK tool can help any Android developer in two ways:

  1. We can check whether our APK contains any sensitive data that can be captured just by opening the APK.
  2. We can check whether some part of our Android project takes up more space than it should. For example, suppose we've imported an image that accounts for 30% of the APK size. Having found that with Analyze APK, we can lower the resolution of the image and save more than 15% of the APK size.
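As an added example (not code from the original post), the following Python script does, without Android Studio, the three things discussed above: it lists the archive entries by the categories the article names (manifest, .dex, resources, assets, signature files under META-INF/), reports which entries take the most space, and scans every classes*.dex for readable string constants such as the TAG field. Because a real APK cannot be embedded here, it builds a constructed stand-in archive in memory; the entry contents, the `build_sample_apk` helper and the secret-keyword heuristic are assumptions, not something the article or Android Studio provides.

```python
import io
import re
import zipfile

# Constructed stand-in for the classes.dex of the Hello World project.
# It is NOT a valid dex file: just the dex magic, some padding and a few
# NUL-separated strings, which is enough to show that constants like the
# TAG field survive compilation as plain bytes. (A real dex keeps them in
# its string table as MUTF-8, which is byte-identical to ASCII for these.)
FAKE_CLASSES_DEX = (
    b"dex\n035\x00"            # dex magic + version
    + b"\x00" * 16             # stand-in for the rest of the header
    + b"\x00".join([
        b"Lcom/example/testapp/MainActivity;",
        b"MainActivity",       # the value of the static TAG field
        b"EXAMPLE_API_SECRET_0123456789abcdef",  # constructed hard-coded secret
        b"onCreate",
    ])
)

def build_sample_apk() -> bytes:
    """Build a constructed APK-like zip with the entry layout the article lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)  # binary XML stub
        z.writestr("classes.dex", FAKE_CLASSES_DEX)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 16
                   + b"Landroidx/appcompat/app/AppCompatActivity;")
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"hello_world\x00Hello World!\x00")
        z.writestr("res/drawable/android_icon.xml", b"\x03\x00\x08\x00" + b"\x00" * 20)
        z.writestr("res/drawable/big_image.png", b"\x89PNG" + b"\x00" * 4000)  # the oversized image
        z.writestr("assets/config.json", b'{"endpoint": "https://api.example.invalid"}')
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 100)          # signing cert stub
    return buf.getvalue()

def classify(name: str) -> str:
    """Map a zip entry path to the part of the APK the article describes."""
    if name == "AndroidManifest.xml":
        return "manifest"
    if name.endswith(".dex"):
        return "dex"
    if name == "resources.arsc" or name.startswith("res/"):
        return "resources"
    if name.startswith("assets/"):
        return "assets"
    if name.startswith("META-INF/"):
        return "signature"
    return "other"

def inventory(apk: bytes) -> dict:
    """Group entries by category with their total uncompressed size in bytes."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            bucket = result.setdefault(classify(info.filename), {"entries": [], "bytes": 0})
            bucket["entries"].append(info.filename)
            bucket["bytes"] += info.file_size
    return result

def size_share(apk: bytes) -> list:
    """(entry, percent of total uncompressed bytes), largest first."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        infos = z.infolist()
    total = sum(i.file_size for i in infos) or 1
    shares = [(i.filename, round(100.0 * i.file_size / total, 1)) for i in infos]
    return sorted(shares, key=lambda t: t[1], reverse=True)

# Runs of 8+ printable ASCII bytes: the same crude idea as the `strings` tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")

def dex_strings(apk: bytes):
    """Yield (dex entry, string) for every readable run in every classes*.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.endswith(".dex"):
                for m in PRINTABLE.finditer(z.read(name)):
                    yield name, m.group().decode("ascii")

def find_constant(apk: bytes, value: str) -> list:
    """Where a given constant (e.g. the TAG value) shows up in the dex files."""
    return [(n, s) for n, s in dex_strings(apk) if value in s]

# Keyword heuristic for secret-looking constants; tune it for your own code base.
SUSPICIOUS = re.compile(r"(?i)secret|api[_-]?key|token|password")

def find_secret_candidates(apk: bytes) -> list:
    """Constants in the dex files whose text suggests a credential."""
    return [(n, s) for n, s in dex_strings(apk) if SUSPICIOUS.search(s)]

if __name__ == "__main__":
    apk = build_sample_apk()
    for cat, b in inventory(apk).items():
        print(f"{cat:10} {b['bytes']:6d} bytes  {b['entries']}")
    print("largest entries:", size_share(apk)[:3])
    print("TAG found at:", find_constant(apk, "MainActivity"))
    print("secret candidates:", find_secret_candidates(apk))
```

Point the same functions at a real APK by reading the file into `bytes` instead of calling `build_sample_apk`. The string scan is deliberately crude: it finds the TAG value in exactly the way the article describes, as plain bytes in the dex file, and a keyword heuristic like `SUSPICIOUS` is a cheap check to run against every release build before it ships. Sizes are reported uncompressed, which is what matters once the APK is installed.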

Conclusion

The goal of this article was to help Android developers answer a couple of questions:

  • What is an APK file?
  • What does an APK file contain?
  • How can we open it?
  • How can we find all sorts of things inside it?

The reason for that was to raise awareness of Android app security. I stumbled upon a lot of comments suggesting not to save sensitive data in code. In my case, I just couldn't imagine how someone could break into my app and steal that data.

I hope by now you understand how easy it is to steal sensitive data from your code. So always keep in mind that whoever possesses your APK has access to your resources and .dex files.

Before finishing, I just want to say thank you for taking the time to read my article. I hope it was helpful; please feel free to comment or give me any feedback on it. Stay tuned for future posts.

Cheers!

I am also always open to chatting about Android, so if you feel like talking, contact me on Twitter or LinkedIn.
