Reverse engineering obfuscated Android APK

Happy devSecOps

(λx.x)eranga
Effectz.AI
Aug 29, 2021


Background

Android obfuscation is the process of modifying an APK so that it is hard to understand and no longer useful to unauthorized parties (e.g. hackers) while remaining fully functional. Obfuscated code is more difficult for other people to reverse engineer, but almost all code can be reverse engineered with enough time and effort. Obfuscation won't guarantee code security, but it gives hackers a hard time reverse engineering your Android app. In this post I'm going to discuss Android APK obfuscation and how to reverse engineer an obfuscated APK. All the source code related to this post is available on GitLab. Please clone the repo and continue with the post.

Obfuscate APK

The Android ProGuard tool can be used to obfuscate, shrink, and optimize the code. ProGuard renames classes, fields, and methods with semantically obscure names and removes unused code. To enable obfuscation, set minifyEnabled to true in the app/build.gradle file.

Reverse engineering APK

We can reverse engineer an Android APK and extract the source code. For that we need three tools: apktool, dex2jar and jd-gui. apktool extracts the resource files from the APK. dex2jar converts Dalvik bytecode (e.g. classes.dex) to JVM bytecode (e.g. a .jar file). jd-gui is a Java decompiler that can extract source code from a .jar file. To reverse engineer an APK file, we first convert the APK file into a .jar file using dex2jar. Then the .jar file can be decompiled with jd-gui. Finally, the resource files in the APK can be extracted with apktool. The main steps are as follows.

1. Convert APK to .jar

dex2jar can be used to convert an APK file into a .jar file. Download the dex2jar.zip file from this link and unzip it. It contains the d2j-dex2jar.sh shell script, which converts the APK file to a .jar file. The following command will convert the APK file to a .jar file and generate app-release-dex2jar.jar.

2. Decompile .jar file

The generated .jar file can be decompiled with the jd-gui Java decompiler. The jd-gui tool is available as a .jar file. Please download it from here and run the command below. It will start the jd-gui graphical interface. Then we can open the generated app-release-dex2jar.jar file in jd-gui and decompile it.

3. Extract APK resources

The resources of the APK can be extracted with apktool. Install apktool from this link and run the following command. It will extract the resources (e.g. XML layouts, drawables etc.) from the APK.
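The three steps above, combined into one script for checking what your own release build exposes. This is an added example, not code from the original post or its repo; the helper name reverse_apk, the output layout, and the tool locations (./dex2jar, ./jd-gui.jar, apktool on PATH) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Tool locations are assumptions;
# override them through the environment.
D2J="${D2J:-./dex2jar/d2j-dex2jar.sh}"   # where dex2jar.zip was unzipped (assumed)
JDGUI_JAR="${JDGUI_JAR:-./jd-gui.jar}"    # downloaded jd-gui jar (placeholder name)
APKTOOL="${APKTOOL:-apktool}"             # apktool wrapper on PATH (assumed)

# reverse_apk <apk> [outdir]  (hypothetical helper name)
# Prints the path of the generated jar on stdout; tool output goes to stderr.
reverse_apk() {
  apk="$1"
  out="${2:-.}"
  [ -f "$apk" ] || { echo "APK not found: $apk" >&2; return 1; }
  base="$(basename "$apk" .apk)"
  jar="$out/$base-dex2jar.jar"
  mkdir -p "$out" || return 1

  # Step 1: convert Dalvik bytecode (classes.dex) to a JVM .jar
  sh "$D2J" -f -o "$jar" "$apk" >&2 || { echo "dex2jar failed" >&2; return 2; }
  [ -f "$jar" ] || { echo "dex2jar produced no jar" >&2; return 2; }

  # Step 3: decode resources (XML layouts, drawables, manifest)
  "$APKTOOL" d -f -o "$out/$base-resources" "$apk" >&2 \
    || { echo "apktool failed" >&2; return 3; }

  # Step 2 is interactive: start jd-gui, then open the jar from its File menu
  echo "next: java -jar $JDGUI_JAR   (then open $jar)" >&2
  echo "$jar"
}

# Run only when an APK is given, e.g.: ./reverse_apk.sh app-release.apk out
if [ "$#" -gt 0 ]; then
  reverse_apk "$@"
fi
```

When the build was made with minifyEnabled true, the classes shown in jd-gui carry ProGuard's renamed identifiers instead of the original names.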

Reference

  1. https://medium.com/@jasjot784/how-to-extract-source-code-of-an-apk-using-apktool-b5f601383ab
  2. https://medium.com/@angelhiadefiesta/how-to-obfuscate-in-android-with-proguard-acab47701577
  3. https://sodocumentation.net/android/topic/4500/proguard---obfuscating-and-shrinking-your-code
  4. https://blog.mindorks.com/applying-proguard-in-an-android-application
  5. https://github.com/java-decompiler/jd-gui/releases
  6. https://sourceforge.net/projects/dex2jar/
  7. https://ibotpeaches.github.io/Apktool/
