Android Reverse Engineering

Reverse engineering Android apps is essential for mobile security testing, malware analysis, and vulnerability discovery.

APK Structure

APK is a ZIP archive (rename to .zip to extract):

AndroidManifest.xml          # Binary XML (parsed with aapt)
classes.dex                  # DEX bytecode (Dalvik Executable)
classes2.dex                 # Multi-dex support
lib/armeabi-v7a/             # Native libraries
lib/arm64-v8a/               # 64-bit native libraries
res/                         # Resources (strings, layouts)
assets/                      # Raw application assets
META-INF/                    # Signatures and manifests
resources.arsc               # Compiled resources
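The layout above can be checked programmatically before any decompiler is run. The following Python script is an added example (not code from the original page or from any of the tools it lists): it builds a constructed, APK-shaped ZIP in memory with header-only placeholder DEX files, then triages it, listing multidex files, native ABIs and v1 signature files, and validating each DEX header's adler32 checksum and SHA-1 signature so that a modified or corrupted `classes*.dex` stands out. All file contents are placeholders; only the DEX header fields and the ZIP layout are real.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed-size DEX header


def build_sample_dex(version=b"035", tamper_offset=None):
    """Build a header-only DEX blob (constructed sample, not a real app's bytecode).

    Header layout used: magic[8] | adler32 checksum[4] | sha1 signature[20] | file_size[4] | ...
    """
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<I", body, 32, DEX_HEADER_SIZE)  # file_size
    struct.pack_into("<I", body, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", body, 40, 0x12345678)       # endian_tag (little-endian)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()           # signature covers bytes 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])))  # checksum covers bytes 12..end
    if tamper_offset is not None:
        body[tamper_offset] ^= 0xFF  # simulate a post-build modification
    return bytes(body)


def verify_dex(data):
    """Check a DEX file's magic, adler32 checksum, SHA-1 signature and declared size."""
    if len(data) < DEX_HEADER_SIZE or data[0:4] != b"dex\n":
        return None
    stored_checksum, = struct.unpack_from("<I", data, 8)
    file_size, = struct.unpack_from("<I", data, 32)
    return {
        "version": data[4:7].decode("ascii", "replace"),
        "checksum_ok": stored_checksum == zlib.adler32(data[12:]),
        "signature_ok": data[12:32] == hashlib.sha1(data[32:]).digest(),
        "file_size_ok": file_size == len(data),
    }


def build_sample_apk():
    """Assemble an in-memory APK-shaped ZIP (constructed; every entry is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder-binary-xml")
        z.writestr("classes.dex", build_sample_dex())
        z.writestr("classes2.dex", build_sample_dex(tamper_offset=60))  # tampered multidex file
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF placeholder")
        z.writestr("res/values/strings.xml", b"<resources/>")
        z.writestr("assets/config.json", b"{}")
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"placeholder PKCS#7 blob")
    return buf.getvalue()


def triage_apk(apk):
    """Summarise an APK's layout; `apk` may be a filesystem path or raw bytes."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    report = {"dex": {}, "abis": set(), "v1_signed": False, "assets": 0,
              "has_manifest": False, "has_resources_arsc": False}
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name == "resources.arsc":
                report["has_resources_arsc"] = True
            elif name.startswith("classes") and name.endswith(".dex"):
                report["dex"][name] = verify_dex(z.read(name))
            elif name.startswith("lib/") and name.count("/") == 2:
                report["abis"].add(name.split("/")[1])
            elif name.startswith("assets/") and not name.endswith("/"):
                report["assets"] += 1
            elif name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"):
                # v2/v3 signatures live in the APK Signing Block, outside the ZIP entries, so they are not visible here
                report["v1_signed"] = True
    report["abis"] = sorted(report["abis"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_apk(build_sample_apk()), indent=2))
```

Pass a real APK path to `triage_apk` to run the same checks on a downloaded sample; a DEX whose checksum or signature fails is either corrupted or was edited after build (for example by a repackaging tool that did not recompute the header), which is worth knowing before trusting decompiler output.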

Decompilation Tools

# APKTool - decode resources
apktool d target.apk -o output/

# JADX - decompile to Java source
jadx-gui target.apk
jadx target.apk -d output/

# Dex2Jar + JD-GUI
d2j-dex2jar target.apk -o output.jar
# Open output.jar in JD-GUI

# Enjarify (better dex2jar alternative)
enjarify target.apk -o output.jar

Manifest Analysis

# Extract manifest
aapt dump badging target.apk
aapt dump permissions target.apk
apktool d target.apk -o out/ && cat out/AndroidManifest.xml   # apktool writes the decoded manifest into the output directory

Common Vulnerabilities to Hunt

  • WebView XSS - setJavaScriptEnabled(true) without sanitization
  • Cleartext Traffic - android:usesCleartextTraffic="true" or no SSL pinning
  • Insecure Storage - World-readable databases, preferences
  • Content Provider Leakage - URIs accessible without permission
  • Intent Redirection - Open redirect via PendingIntent
  • Deeplink Exploitation - Malformed URLs bypassing validation
  • Tapjacking - filterTouchesWhenObscured not set
  • Backup Flag - android:allowBackup="true" exposes data
  • Debuggable Flag - android:debuggable="true" in release build
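Several of the items above (backup flag, debuggable flag, cleartext traffic, exported content providers, deep-link entry points) are visible in the decoded `AndroidManifest.xml` alone. The script below is an added example, not part of the original page: it runs a manifest audit with Python's standard `xml.etree` over a constructed sample manifest (package name, component names and authorities are invented) and reports each finding with a severity. It treats a component as exported when `android:exported="true"` is set explicitly, or when the attribute is absent and the component declares an intent-filter (the pre-API-31 default), and flags exported components that carry no `android:permission`.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (as decoded by apktool); names and authorities are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity">
      <intent-filter><action android:name="com.example.DEBUG"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.provider" android:exported="true"/>
    <provider android:name=".SafeProvider" android:authorities="com.example.safe" android:exported="true"
              android:permission="com.example.READ"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el):
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit == "true", "explicit"
    # No explicit flag: a component with an intent-filter is exported by default
    # when targeting API < 31 (API 31+ rejects the omission at build time).
    return el.find("intent-filter") is not None, "implicit (has intent-filter)"


def audit_manifest(xml_text):
    """Return a list of (severity, message) findings for one decoded manifest."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    app_flags = (
        ("debuggable", "android:debuggable=\"true\" on a release build allows debugger attachment"),
        ("allowBackup", "android:allowBackup=\"true\": app data is included in backups"),
        ("usesCleartextTraffic", "android:usesCleartextTraffic=\"true\": plain HTTP is permitted"),
    )
    for flag, msg in app_flags:
        if attr(app, flag) == "true":
            findings.append(("HIGH", msg))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = attr(comp, "name") or "?"
        exported, how = is_exported(comp)
        if not exported:
            continue
        if attr(comp, "permission") is None:
            findings.append(("MEDIUM", "%s %s is exported (%s) without android:permission" % (comp.tag, name, how)))
        for f in comp.findall("intent-filter"):
            categories = {attr(c, "name") for c in f.findall("category")}
            if "android.intent.category.BROWSABLE" in categories:
                schemes = sorted(attr(d, "scheme") or "" for d in f.findall("data"))
                findings.append(("INFO", "%s handles deep links (schemes: %s): review URL validation"
                                 % (name, ", ".join(schemes))))
    return findings


if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity, message))
```

Run it on `out/AndroidManifest.xml` after `apktool d`; the binary manifest inside the APK must be decoded first, since `ElementTree` only parses the textual form.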

Dynamic Analysis

# Install Frida CLI tools on the host
pip install frida-tools

# Push and start frida-server on the (rooted) device; its version must match the host frida-tools version
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "/data/local/tmp/frida-server &"

# Spawn the app and inject a script
frida -U -l script.js -f package.name

# Objection (Frida wrapper for mobile testing)
objection -g package.name explore

Modifying APKs

# Decode, edit, rebuild, sign
apktool d target.apk -o out/
# Edit files in out/
apktool b out/ -o modified.apk

# Generate keystore and sign (jarsigner produces a v1/JAR signature only; newer devices expect v2+, which apksigner adds after zipalign)
keytool -genkey -alias test -keystore test.ks -keyalg RSA
jarsigner -keystore test.ks modified.apk test

# Zipalign (required for production)
zipalign -v 4 modified.apk aligned.apk

SSL Pinning Bypass

# Frida script
frida -U -l ssl_bypass.js -f package.name

# Objection automatic bypass (the second line is typed at the objection REPL prompt)
objection -g package.name explore
android sslpinning disable

Resource Extraction

# Dump strings
strings classes.dex | grep -i "password\|api_key\|secret\|token\|jwt\|http"

# Extract shared preferences (needs root, or a debuggable app via: adb shell run-as package.name)
adb pull /data/data/package.name/shared_prefs/

# Dump SQLite databases (pulled into a local databases/ directory)
adb pull /data/data/package.name/databases/
sqlite3 databases/database.db .dump
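The `strings | grep` line above catches keyword hits but also produces noise and misses credentials that contain no keyword. As an added example (not from the original page), the Python scanner below applies format-specific patterns (AWS access key IDs, Google API keys, JWTs, URLs) plus a generic `key = value` rule that is filtered by Shannon entropy, so `password=password` is dropped while a random-looking value is kept. It runs over a constructed sample of `strings` output whose values are all fake, and masks what it reports so the findings can be pasted into a ticket.

```python
import math
import re
from collections import Counter

# Constructed sample of `strings classes.dex` output; every credential-looking value here is fake.
SAMPLE_STRINGS = """\
Landroid/webkit/WebView;
https://api.example.com/v1/login
aws_key=AKIAEXAMPLE0000000AB
password=password
api_key=CONSTRUCTED_dummy_value_8f3a2b
Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl
setJavaScriptEnabled
"""

SPECIFIC_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+")),
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
]
# keyword = value, with the value captured for entropy screening
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*[\"']?([^\s\"']{6,})")
ENTROPY_THRESHOLD = 3.0  # bits per character; dictionary words sit well below this


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    """Keep a short prefix for triage, hide the rest."""
    return value[:4] + "*" * min(len(value) - 4, 12)


def scan_lines(text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in SPECIFIC_PATTERNS:
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": line_no, "kind": kind, "value": mask(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            # skip values already reported by a specific pattern and low-entropy placeholders
            if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"line": line_no, "kind": "generic_" + m.group(1).lower(),
                             "value": mask(value), "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_STRINGS):
        print(f)
```

Feed it the output of `strings classes.dex` or the decompiled sources from JADX; the entropy threshold is a tuning knob, and raising it trades missed short secrets for fewer false positives.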