How To Reverse Engineer An Android Application In 3 Easy Steps
Many beginner and even intermediate Android developers fail to realize that the Android app they build and ship can be reverse engineered to a great extent. If you are one of the developers who think hard-coding secret keys, or even storing them in the build.gradle file, will keep them out of the hands of hackers or other developers, you are wrong.
Security has never been easy, and the very first rule is to never trust security on the client side. The client side is not an environment we control, so we should not rely on it by hard-coding or storing secrets that could disrupt our system. The best way to make sure you do not get caught out by developers and hackers is to reverse engineer the application yourself and fix the issues where possible.
Interesting Incident — Once I was working on an Android application which required a mathematical formula to be used in a feature. Disliking math to the core, I found it easier and more interesting to reverse engineer one of the competitors' applications, and then I took out the math formula from the code successfully! :p
So, let’s get started. To reverse engineer an application, we need a few things beforehand —
- APK of the application.
- A set of commands to execute.
- Java Decompiler Tool (JD-GUI in this article) to view the decompiled code.
First Step —
We need the APK of the application we want to reverse engineer. There are many ways to get it, but I will suggest a simple one here. Download the app Apk Extractor on your device and select the application from the list inside it. Once done, open any File Explorer and go to the ExtractedApks folder in the Internal Storage directory. There, you will find the APK. Copy that APK to your system and proceed with the steps below.
Second Step —
Once we have the APK, we will reverse it to see the code. That gives us insight into how the code is structured and shows which security measures the developers have taken against reverse engineering.
Here, we will rename our {app}.apk file to {app}.zip and extract it. Inside the extracted folder, we will find the classes.dex file which contains the application code.
A DEX file is an executable file which contains the compiled code and runs on the Android platform.
Now, we will take the classes.dex file from the extracted APK and convert it to a JAR. To do that, we can use the open-source tool ‘dex2jar’, available here. Head over to the releases section, download the latest available zip file and extract it. Copy the extracted classes.dex file and paste it inside the ‘dex2jar-x.x’ directory.
Open Terminal on your machine and head over to the ‘dex2jar-x.x’ directory. Now we will run the command -
d2j-dex2jar.bat classes.dex
This will convert the classes.dex file to a JAR file which we can view using any Decompiler Tool.
Third Step —
We will use JD-GUI, which is a simple Java decompiler tool. You can get it from here. Download and extract the zip. Run jd-gui.exe, open the JAR file generated in the second step, and voilà! We have reverse-engineered the application!!
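As an added example (not part of the original article or of any tool it mentions), here is a quick way to check your own build for the hard-coded secrets discussed at the start: it reads the string table of each classes.dex inside the APK directly, without converting to a JAR. The regex patterns, function names and sample strings are assumptions constructed for illustration, and the sample "APK" is a minimal constructed file, not a loadable app.

```python
import io, re, struct, zipfile

# Heuristic patterns (assumptions for this example; tune them for your own app).
SECRET_PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[=:]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

def dex_strings(dex):
    """Yield every entry of the DEX string table (string_ids section)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        while dex[off] & 0x80:  # skip the ULEB128 length prefix
            off += 1
        off += 1
        end = dex.index(b"\x00", off)  # string data is NUL-terminated MUTF-8
        yield dex[off:end].decode("utf-8", errors="replace")

def scan_apk(apk):
    """Return (dex_name, string) for every string that matches a secret pattern."""
    hits = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            for s in dex_strings(z.read(name)):
                if any(p.search(s) for p in SECRET_PATTERNS):
                    hits.append((name, s))
    return hits

def build_sample_apk(strings):
    """Constructed input: a zip whose classes.dex has only a header and string table."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids, data, data_off = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # lengths < 128: one ULEB128 byte
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + data)
    return buf

if __name__ == "__main__":
    sample = build_sample_apk(["Lcom/example/Main;", "api_key=CONSTRUCTED-0000", "onCreate"])
    print(scan_apk(sample))
```

To check a real build, pass the path of your own APK to scan_apk(); any hit is a value that anyone holding the APK can read, so it belongs on the server side instead.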
In case we are meeting for the first time, I am Varun — Founder of Dwarsoft. We at Dwarsoft turn ideas into reality with the speed of light and the same perfection of Dettol killing the germs. Hit me up with your ideas and let us make it a reality together!