Many beginner and even intermediate Android developers fail to realize that the Android app they build and ship can be reverse engineered to a great extent. If you are one of the developers who think that hard-coding secret keys, or even storing them in the build.gradle file, will keep them out of the hands of hackers or other developers, you are wrong. For this reason, this article explains how to reverse engineer an Android application in easy steps.
Security has never been easy, and the very first rule is to never trust security on the client side. The client side is not an environment we control, so we should not rely on it by hard-coding or storing secrets there that can disrupt our system. So the best way to ensure you do not end up getting caught out by developers and hackers is to reverse engineer the application yourself and fix the issues if possible.
Interesting Incident — Once I was working on an Android application which required a mathematical formula to be used in a feature. Disliking math to the core, I found it easier and more interesting to reverse engineer one of the competitor’s applications, and then I took out the math formula from the code successfully! :p
So, let’s get started.
To Reverse Engineer An Android Application, we need –
- The APK of the application.
- A few commands to run.
- A Java decompiler tool (JD-GUI in this article) to view the decompiled code.
First Step —
We need the APK of the application we want to reverse engineer. There are many ways to get it, but I will suggest a simple one here. Download the app Apk Extractor on your device and select the application from the list inside it. Once done, open any file explorer and go to the ExtractedApks folder in the Internal Storage directory. There, you will find the APK. Copy that APK to your system and proceed with the steps below.
Second Step —
Once we have the APK, we will reverse it to see the code. That gives us insight into how the code is structured, as well as the security measures the developers have taken against reverse engineering.
Here, we will rename our {app}.apk file to {app}.zip and extract it. Inside the extracted folder, we will find the classes.dex file which contains the application code.
A DEX file is an executable file that contains the compiled code and runs on the Android platform.
Now, we will take the classes.dex file from the extracted APK and convert it to a JAR. To do that, we can use the open-source tool ‘dex2jar’, available here. Head over to the release section, download the latest available zip file, and extract it. Copy the extracted classes.dex file and paste it inside the ‘dex2jar-x.x’ directory.
Open Terminal on your machine and head over to the ‘dex2jar-x.x’ directory. Now we will run the command –
d2j-dex2jar.bat classes.dex
This will convert the classes.dex file to a JAR file which we can view using any Decompiler Tool.
Third Step —
We will use JD-GUI, which is a simple Java decompiler tool. You can get it from here. Download and extract the zip. Run jd-gui.exe and open the JAR file produced from the dex file, and voila! We have reverse engineered an Android application!
Conclusion —
As you can see, by following these simple steps, which take less than 5 minutes, we can reverse engineer an Android application and understand how it works. This will help you understand how to prevent hackers from stealing your secrets and how you can better protect your code from being exploited.
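To check your own APK before shipping, the following added example (not part of the original article) automates the unzip step above and reads the string table of each classes.dex directly, flagging strings that look like hard-coded secrets. The regex patterns, the function names and the sample APK built inline are assumptions constructed for illustration; it also covers classes2.dex and later files, which goes slightly beyond the single classes.dex described above.

```python
import io, re, struct, zipfile

# Heuristic, assumed patterns for secret-looking strings; tune them for your app.
SECRET_RE = re.compile(r"(?i:api[_-]?key|secret|passw(?:or)?d|token)\s*[=:]|AKIA[0-9A-Z]{16}")

def uleb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next position)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    """Yield every entry of a DEX file's string table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = uleb128(dex, data_off)        # skip the UTF-16 length prefix
        end = dex.index(b"\x00", start)          # string data is NUL-terminated
        yield dex[start:end].decode("utf-8", "replace")  # MUTF-8 read as UTF-8

def scan_apk(apk):
    """Return (dex name, string) pairs in an APK that look like hard-coded secrets."""
    with zipfile.ZipFile(apk) as zf:
        dexes = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        return [(n, s) for n in dexes for s in dex_strings(zf.read(n)) if SECRET_RE.search(s)]

def build_sample_apk():
    """Constructed sample: a zip holding a minimal DEX that has only a string table."""
    strings = [b"Lcom/example/Main;", b"hello",
               b"https://api.example.com/v1?api_key=constructed-sample-value"]
    ids, data, off = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", off + len(data))
        data += bytes([len(s)]) + s + b"\x00"    # one-byte ULEB128 length (< 128)
    header = b"dex\n035\x00" + bytes(0x30) + struct.pack("<II", len(strings), 0x70) + bytes(0x30)
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as zf:
        zf.writestr("classes.dex", header + ids + data)
    return apk

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```

To scan a real build, pass the path of your own APK to scan_apk() instead of the constructed sample.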
Useful Links –
- If you respect your users and want to have File-Storage related features in your app without asking for Storage Permissions, read the article here on how to implement it.