93

Are the users able to convert the apk file of my application back to the actual code? If they do - is there any way to prevent this?

skolima
  • 31,963
  • 27
  • 115
  • 151
aryaxt
  • 76,198
  • 92
  • 293
  • 442
  • 1
    There are several [methods of decompiling APK](http://geeknizer.com/decompile-reverse-engineer-android-apk). I just APKTool more often, its the best and most powerful. Its very easy to [modify apk files](http://www.androidng.com/how-to-modify-android-apk) with it. – Taranfx Mar 06 '11 at 17:41
  • I have written a blog post here: http://codexplo.wordpress.com/2012/03/15/how-to-decompile-android-apk-to-java-source-code/ but again, it would be difficult for obfuscated code... – A N M Bazlur Rahman Jun 18 '12 at 12:39
  • 1
    http://yeblon.com/how-to-decompile-android-apk-app-files - This might belp – Badr Hari Feb 05 '13 at 20:01
  • 3
    possible duplicate of [Is there a way to get the source code from an APK file?](http://stackoverflow.com/questions/3593420/is-there-a-way-to-get-the-source-code-from-an-apk-file) – Reaz Murshed Jun 07 '15 at 05:59

7 Answers7

84

First, an apk file is just a modified jar file. So the real question is can they decompile the dex files inside. The answer is sort of. There are already disassemblers, such as dedexer and smali. You can expect these to only get better, and theoretically it should eventually be possible to decompile to actual Java source (at least sometimes). See the previous question decompiling DEX into Java sourcecode.

What you should remember is obfuscation never works. Choose a good license and do your best to enforce it through the law. Don't waste time with unreliable technical measures.

Community
  • 1
  • 1
Matthew Flaschen
  • 278,309
  • 50
  • 514
  • 539
  • 46
    Never say never. Obfuscation will not stop a determined thief but it will slow down or deter many others. Processing with Proguard is an easy and RELIABLE way to obfuscate your code and as a bonus it will optimize it too. And it's included in the Android SDK, so it's endorsed by Google. – Barry Fruitman Jul 26 '11 at 19:39
  • 3
    Obfuscation definitely works, but you have to more clearly define what your goal is. Obviously the only way you could ever keep your source code truly safe is to never give anyone access to it, server or client. Note that Proguard doesn't work well on classes that have references in XML files. You need to utilize manual obfuscation to get around that. – MattC Jan 03 '12 at 22:57
38

Decompilation of APK file is possible. But it might be difficult to understand the code if it is obfuscated.

Use Aapt (part of the Android SDK) or AXMLParser (from AndroGuard) to analyse and view info of an APK File

  • Retrieves the content of the AndroidManifest.xml file

  • Shows various information (e.g. permissions, activities, services, broadcast receivers, ...)

  • Command:

    Aapt

     aapt dump badging sampleApp.apk
 aapt dump permissions sampleApp.apk
 aapt dump xmltree sampleApp.apk

    AXMLParser

     apkinfo sampleApp.apk

Use ApkTool or NinjaDroid to disassemble and view the resources of an APK File

  • Disassembles the bytecode to smali/assembly

  • Extracts the AndroidManifest.xml, the CERT.RSA file and everything in res folder (layout xml files, images, htmls used on webview etc..)

  • Command:

    ApkTool

    apktool.bat d sampleApp.apk

java -jar apktool.jar -q decode -f sampleApp.apk -o myOutputDir

    NinjaDroid

    ninjadroid MyApk.apk --all --extract myOutputDir/

  • NOTE: You can achieve something similar by using zip utility like 7-zip. But, these tools also extract the .smali files of all .class files.

Use dex2jar to decompile the DEX files of an APK File into Java code

  • Generates the .jar file from a .apk file (note that the Java code of Android apps is usually obfuscated)

  • Needs JD-GUI to view the source code from the output .jar file

  • Command:

    dex2jar sampleApp.apk

d2j-dex2jar.sh -f sampleApp.apk -o myOutputDir/sampleApp.jar

Use JD-GUI to view the .jar file

  • Decompiles the .class files (obfuscated in a case of Android apps, but not in a case of other .jar files) and shows the corresponding Java code
Paolo Rovelli
  • 9,396
  • 2
  • 58
  • 37
gtiwari333
  • 24,554
  • 15
  • 75
  • 102
  • apktool does not spit out java source files! Only smali – IgorGanapolsky Apr 30 '12 at 18:43
  • 1
    as i already said in the answer, apktool creates .jar from .apk and we have to use JD-GUI like tool to decompile .jar to achieve .java source files. – gtiwari333 Apr 30 '12 at 19:07
  • 2
    you freakin' saved my life! what an awesome post! I lost the last two days of code because of a failed SSD (sadly, I didn't commit to git). However, I did have the apk and now I have my source, mind you, a little bit different, but source! – farcrats Aug 21 '12 at 18:28
3

I may also add, that nowadays it is possible to decompile Android application online, no software needed!

Here are 2 options for you:

Andrew Rukin
  • 959
  • 11
  • 16
  • decompileandroid.com is offline (when you upload the apk you will have problems downloading it again) and http://www.javadecompilers.com/apk has put my apk in a queue for a long time. I went offline,then online, it was still in a queue. I cleared all browsing history and now the apk I uploaded for the second time is in a queue. – iOSAndroidWindowsMobileAppsDev Aug 11 '16 at 07:16
2

Are the users able to convert the apk file of my application back to the actual code?

yes.

People can use various tools to:

  • analysis: your apk
  • decode/hack your apk
    • using FDex2 to dump out dex file
      • then using dex2jar to convert to jar
        • then using jadx to conver to java source code

If they do - is there any way to prevent this?

yes. Several (can combined) ways to prevent (certain degree) this:

  • low level: code obfuscation
    • using Android ProGuard
  • high level: use android harden scenario

More details can refer my Chinese tutorial: 安卓应用的安全和破解

crifan
  • 12,947
  • 1
  • 71
  • 56
1

Download this jadx tool https://sourceforge.net/projects/jadx/files/

Unzip it and than in lib folder run jadx-gui-0.6.1.jar file now browse your apk file. It's done. Automatically apk will decompile and save it by pressing save button. Hope it will work for you. Thanks

akhilesh Jha
  • 11
  • 1
0

Sometimes you get broken code, when using dex2jar/apktool, most notably in loops. To avoid this, use jadx, which decompiles dalvik bytecode into java source code, without creating a .jar/.class file first as dex2jar does (apktool uses dex2jar I think). It is also open-source and in active development. It even has a GUI, for GUI-fanatics. Try it!

polym
  • 628
  • 1
  • 14
  • 26
0

Yes, there are tons of software available to decompile a .apk file.

Recently, I had compiled an ultimate list of 47 best APK decompilers on my website. I arranged them into 4 different sections.

  1. Open Source APK Decompilers
  2. Online APK Decompilers
  3. APK Decompiler for Windows, Mac or Linux
  4. APK Decompiler Apps

I hope this collection will be helpful to you.

Link: https://www.edopedia.com/blog/best-apk-decompilers/

Muhammad Furqan Ul Haq
  • 180
  • 8