Reverse engineering obfuscated Android APK
Happy devSecOps
Background
Android obfuscation is the process of modifying an APK so that it is hard to understand and no longer useful to unauthorized parties (e.g. hackers) but remains fully functional. Obfuscated code is more difficult for other people to reverse engineer, but almost all code can be reverse engineered with enough time and effort. Though obfuscation won’t guarantee code security, it gives hackers a hard time reverse engineering your Android app. In this post I’m gonna discuss Android APK obfuscation and reverse engineering an obfuscated APK. All the source code related to this post is available in gitlab. Please clone the repo and continue the post.
Obfuscate APK
The Android ProGuard tool can be used to obfuscate, shrink, and optimize the code. ProGuard renames classes, fields, and methods with semantically obscure names and removes unused code. To obfuscate, we can set minifyEnabled true in the app/build.gradle file.
Reverse engineering APK
We can reverse engineer an Android APK and extract the source code. For that we need three tools: apktool, dex2jar and jd-gui. apktool can be used to extract and access the resource files from the APK. dex2jar is a tool to convert Dalvik byte code (e.g. classes.dex) to JVM byte code (e.g. a .jar file). jd-gui is a Java decompiler which can be used to extract source code from a .jar file. To reverse engineer an APK file, first we need to convert the APK file into a .jar file by using dex2jar. Then the .jar file can be decompiled via jd-gui. Finally the resource files in the APK can be extracted via apktool. Following are the main steps.
1. Convert APK to .jar
dex2jar can be used to convert the APK file into a .jar file. Download the dex2jar.zip file from this link and unzip it. It contains the d2j-dex2jar.sh shell script to convert the APK file to a .jar file. The following command will convert the APK file to a .jar file and generate app-release-dex2jar.jar.
2. Decompile .jar file
The generated .jar file can be decompiled by using the jd-gui Java decompiler. The jd-gui tool is available as a .jar file. Please download it from here and run the below command. It will start the jd-gui graphical interface. Then we can open the generated app-release-dex2jar.jar file from jd-gui and decompile it.
3. Extract APK resources
The resources of the APK can be extracted via apktool. Install apktool from this link and run the following command. It will extract the resources (e.g. XML layouts, drawables etc.) from the APK.
Reference
- https://medium.com/@jasjot784/how-to-extract-source-code-of-an-apk-using-apktool-b5f601383ab
- https://medium.com/@angelhiadefiesta/how-to-obfuscate-in-android-with-proguard-acab47701577
- https://sodocumentation.net/android/topic/4500/proguard---obfuscating-and-shrinking-your-code
- https://blog.mindorks.com/applying-proguard-in-an-android-application
- https://github.com/java-decompiler/jd-gui/releases
- https://sourceforge.net/projects/dex2jar/
- https://ibotpeaches.github.io/Apktool/