Mobile Security


Android APK Reverse Engineering

Tools:

  • Android device emulator: GenyMotion (recommended) or Android Studio
  • openjdk-21-jre (OpenJDK)
  • APK Tool
  • dex2jar
  • jadx-gui

Execution and Process

  1. Use the unzip command to extract the APK (an APK is just a ZIP archive):
       unzip yourapp.apk -d apk_unzip_folder
     Among other files, this extracts classes.dex.
  2. Use dex2jar to convert the classes.dex file into a JAR:
       d2j-dex2jar classes.dex -o output.jar
  3. Open output.jar in jadx-gui.
  4. Search for keywords like "wrong code" via "Navigation -> Text search" in jadx-gui.
     [Screenshot of jadx-gui]
  5. Find the obfuscated check, for example:
       ([...]md5(MainActivity.[...].equals("735c3628699822c4c1c09219f317a8e9")
     [Screenshot of jadx-gui]
     -> Try to crack the hash.
  6. Or create a patched APK file (steps 7 to 14):
  7. Use apktool to decompile the APK file:
       apktool d yourapp.apk -o output_folder
  8. To create a patched file, choose a new keyword like "hacked" and compute its MD5 hash:
       echo -n 'hacked' | md5sum
     -> copy the resulting MD5 hash value (4d4098d64e163d2726959455d046fd7c)
  9. Search for the currently implemented hash "735c3628699822c4c1c09219f317a8e9" (run the command in the unzipped APK folder):
       grep -ir '735c3628699822c4c1c09219f317a8e9'
     Command output:
       APKrypt/APKrypt/smali/com/example/apkrypt/MainActivity$1.smali:    const-string v0, "735c3628699822c4c1c09219f317a8e9"
       grep: APKrypt/unzipped/classes.dex: binary file matches
     See the example below:
     [Screenshot]
 10. Take the path from the command output and inject the new MD5 hash into the smali code:
       sed -i 's/735c3628699822c4c1c09219f317a8e9/4d4098d64e163d2726959455d046fd7c/g' APKrypt/APKrypt/smali/com/example/apkrypt/MainActivity$1.smali
 11. Create the new patched APK file, containing the inserted hash value, with apktool (run the command in the unzipped APK folder):
       apktool b folder_with_modified_files -o modified.apk
     New APK created:
     [Screenshot]
 12. Generate a keystore. Before signing an APK, a keystore must be generated:
       keytool -genkey -v -keystore mykey.keystore -alias mykey -keyalg RSA -keysize 2048 -validity 10000
     [Screenshot]
 13. Sign the APK. The APK must be signed after modifications:
       jarsigner -verbose -keystore mykey.keystore modified.apk mykey
     Note: jarsigner only produces a v1 (JAR) signature; if a newer device rejects the rebuilt APK, sign it with apksigner from the Android SDK build-tools instead, which also adds the v2 signature.
 14. Install the new APK on the target/test device, enter the new code and you're in!
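The grep in step 9 is a one-off search for a known value. To audit an apktool output tree for every hardcoded 32-hex (MD5-length) string constant, which is what a reviewer of their own build would want to catch before release, here is an added Python example (not code from this page or the APKrypt app). The smali fragment in it is constructed to mimic the grep output above, and the file names and register patterns follow apktool's usual `const-string vN, "..."` output.

```python
"""Audit decompiled smali for hardcoded 32-hex (MD5-length) string constants."""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# apktool emits string literals as: const-string vN, "literal" (or const-string/jumbo)
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+([vp]\d+),\s*"([0-9a-fA-F]{32})"')


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, same as `echo -n text | md5sum`."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def find_hardcoded_digests(smali_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, register, digest) for every 32-hex string constant."""
    hits = []
    for lineno, line in enumerate(smali_text.splitlines(), start=1):
        m = CONST_STRING.search(line)
        if m:
            hits.append((lineno, m.group(1), m.group(2).lower()))
    return hits


def audit_smali_tree(root: Path) -> dict[str, list[tuple[int, str, str]]]:
    """Walk an apktool output folder and report each .smali file holding such constants."""
    report = {}
    for path in sorted(root.rglob("*.smali")):
        hits = find_hardcoded_digests(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def matches_stored_digest(candidate: str, digest: str) -> bool:
    """Reproduce the app's check: md5(candidate) compared with the stored constant."""
    return md5_hex(candidate) == digest.lower()


# Constructed smali fragment modelled on the page's grep result (not the app's real code).
SAMPLE_SMALI = """\
.method public onClick(Landroid/view/View;)V
    .locals 2
    const-string v0, "735c3628699822c4c1c09219f317a8e9"
    const-string v1, "wrong code"
    return-void
.end method
"""

if __name__ == "__main__":
    for lineno, reg, digest in find_hardcoded_digests(SAMPLE_SMALI):
        print(f"line {lineno}: register {reg} holds hardcoded digest {digest}")
```

Run `audit_smali_tree(Path("output_folder"))` on the folder from step 7 to list every file that compares user input against a baked-in digest; each hit is a check that a patched APK can bypass exactly as steps 10 and 11 show, so the value belongs server-side or behind a proper credential store.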

External Resources

Here are some trusted sources for further information:

APK Tool
dex2jar
Latest research and exploit analysis in mobile security.
DFIR Blog
Digital forensics & incident response experts share analysis and case studies.
Hack The Box
Practical cybersecurity training with real-world penetration testing labs.
TryHackMe
Hands-on cybersecurity learning platform with guided exercises and real-world scenarios.