Hacktricks-skills android-apk-decompiler
How to decompile and analyze Android APK files using various decompilation tools. Use this skill whenever the user needs to reverse engineer Android applications, extract Java source code from APKs, analyze Android bytecode, or investigate mobile app security. Trigger on mentions of APK analysis, Android reverse engineering, decompiling Android apps, extracting source code from mobile applications, or any request to understand what an Android app does internally.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/mobile-pentesting/android-app-pentesting/apk-decompilers/SKILL.MD
Android APK Decompiler
A comprehensive guide to decompiling and analyzing Android APK files using industry-standard tools.
Quick Start
When you receive an APK file to analyze, follow this workflow:
- Initial inspection: Use Jadx for quick, readable source code extraction
- Deep analysis: Use multiple decompilers in parallel for complex cases
- Packed or runtime-decrypted apps: Use frida-DEXdump to dump the real DEX files from process memory
- Modern Java features: Use CFR for better handling of recent Java syntax
Tool Selection Guide
For Quick Analysis (Recommended Default)
Jadx - Best all-around tool for most scenarios
- User-friendly GUI and CLI options
- Cross-platform support
- Good balance of speed and accuracy
```bash
# GUI mode
jadx-gui

# CLI mode - basic decompilation (writes sources/ and resources/ under a directory named after the APK)
jadx app.apk

# CLI mode - with options: choose the output dir, skip resource decoding,
# and write fully qualified class names instead of imports
jadx app.apk -d ./output --no-res --no-imports

# --no-src skips code decompilation entirely; combined with --no-res it produces no output,
# so use it on its own when only the decoded manifest and resources are wanted
jadx app.apk -d ./output-res --no-src

# Obfuscated apps: rename meaningless identifiers and keep methods jadx could not fully decompile
jadx app.apk -d ./output --deobf --show-bad-code
```
For Complex/Obfuscated Apps
Bytecode-Viewer - Multiple decompilers in one interface
- Compare outputs from different decompilers simultaneously
- Best for apps with heavy obfuscation
- Download from releases page, run, load APK, select decompilers
GDA-android-reversing-Tool - Windows-only, feature-rich
- Extensive reverse engineering features
- Install on Windows, load APK for analysis
For Modern Java Features
CFR - Handles modern Java syntax well
```bash
# CFR decompiles Java class files/JARs, not DEX: convert the APK first
# (e.g. enjarify app.apk produces app-enjarify.jar) and point CFR at that JAR

# Standard decompilation
java -jar ./cfr.jar "app.jar" --outputdir "output_directory"

# For large JAR files (increase the JVM heap)
java -Xmx4G -jar ./cfr.jar "app.jar" --outputdir "output_directory"
```
For Runtime Analysis (Beating Obfuscation)
frida-DEXdump - Extract DEX files from a running app's memory
- Useful when the shipped APK is packed or its real DEX is encrypted and only decrypted and loaded at runtime, so static decompilation shows little more than a loader stub
- Dump the in-memory DEX of the running app and feed it to Jadx or another decompiler
- Needs Frida attached to the target process (a rooted device or emulator running frida-server, or an app repackaged with frida-gadget)
For Bytecode Translation
Enjarify - Convert Dalvik to Java bytecode
```bash
# Writes app-enjarify.jar next to the input by default; -o picks another name
enjarify app.apk
enjarify app.apk -o app.jar
```
- Enables Java analysis tools to work with Android apps
- Generates Java bytecode equivalent of the APK
For Detailed Control
Krakatau - Fine-grained decompilation control
```bash
# -skip: on error, skip the class and keep decompiling the rest of the JAR
# -nauto: do not try to locate the Java standard library automatically
# -path: platform classes to resolve against (rt.jar extracted from a modern JDK with jrt-extractor)
./Krakatau/decompile.py -out "output_directory" -skip -nauto -path "./jrt-extractor/rt.jar" "app.jar"
```
- Specify standard library paths
- Handle external libraries effectively
For Simple JAR Decompilation
procyon - Straightforward decompilation
```bash
procyon -jar "app.jar" -o "output_directory"
```
Fernflower - JetBrains' analytical decompiler
```bash
# After building fernflower.jar from source
mkdir -p "output_directory"
java -jar ./fernflower.jar "app.jar" "output_directory"

# Fernflower writes a JAR of .java files with the same name as the input into the
# destination directory, so extract that JAR to get at the sources
unzip "output_directory/app.jar" -d "output_directory/src"
```
JD-Gui - Pioneering GUI decompiler
- Open APK directly in JD-Gui
- Simple, straightforward interface
- Good for quick inspection
Analysis Workflow
Step 1: Initial Reconnaissance
- Run Jadx on the APK to get a quick overview
- Look at the manifest file for permissions and components
- Identify main entry points and suspicious activities
Step 2: Deep Dive
- Use multiple decompilers if code is obfuscated
- Compare outputs to find the most readable version
- Focus on key areas: network calls, file operations, crypto functions
Step 3: Runtime Analysis (if needed)
- If static analysis shows heavy obfuscation, use frida-DEXdump
- Run the app and dump DEX from memory
- Analyze the deobfuscated runtime code
Step 4: Documentation
- Document findings: vulnerabilities, suspicious behavior, data flows
- Note which decompiler produced the clearest results
- Save relevant code snippets for reporting
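The manifest checks of Step 1 (permissions, application flags, entry points, exported components) are mechanical enough to script, and the resulting dictionary is also what Step 4 wants in the report. The following is an added example for this guide, not code from the hacktricks-skills repo or from jadx; it reads the decoded manifest that jadx writes to `<output>/resources/AndroidManifest.xml`, and the embedded `SAMPLE_MANIFEST` is constructed for demonstration and describes no real app. The `RISKY_PERMISSIONS` set is an illustrative selection, not a complete list.

```python
"""Triage a decompiled AndroidManifest.xml (Step 1 reconnaissance).

Added example for this guide; not code from hacktricks-skills or from jadx.
SAMPLE_MANIFEST below is constructed and describes no real app.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(name):
    """Qualify an attribute with the android: namespace, as ElementTree expects."""
    return "{%s}%s" % (ANDROID_NS, name)

# Permissions that justify a closer look; illustrative, not exhaustive.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES",
}

def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported by default (apps targeting API 31+ must be explicit)."""
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def triage_manifest(xml_text):
    """Return package, risky permissions, application flags, launcher entry points
    and every exported component that is not gated by a permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    report = {
        "package": root.get("package"),
        "risky_permissions": sorted(
            p.get(a("name")) for p in root.iter("uses-permission")
            if p.get(a("name")) in RISKY_PERMISSIONS),
        "debuggable": app.get(a("debuggable")) == "true",
        "allow_backup": app.get(a("allowBackup"), "true") == "true",  # absent means true
        "cleartext_traffic": app.get(a("usesCleartextTraffic")) == "true",
        "network_security_config": app.get(a("networkSecurityConfig")),
        "launcher_activities": [],
        "exported_unprotected": [],
    }
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            name = comp.get(a("name"))
            for flt in comp.iter("intent-filter"):
                actions = {x.get(a("name")) for x in flt.iter("action")}
                cats = {c.get(a("name")) for c in flt.iter("category")}
                if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                    report["launcher_activities"].append(name)
            # Reachable from any other app on the device without holding a permission.
            if is_exported(comp) and comp.get(a("permission")) is None:
                report["exported_unprotected"].append("%s:%s" % (tag, name))
    return report

# Constructed sample: debuggable, cleartext allowed, an implicitly exported deep-link
# activity and an exported provider; the service is exported but permission-gated.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:debuggable="true" android:usesCleartextTraffic="true"
        android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name="com.example.target.MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="com.example.target.DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="target"/>
            </intent-filter>
        </activity>
        <service android:name="com.example.target.SyncService" android:exported="true"
            android:permission="com.example.target.permission.SYNC"/>
        <receiver android:name="com.example.target.BootReceiver" android:exported="false"/>
        <provider android:name="com.example.target.DataProvider"
            android:authorities="com.example.target.provider" android:exported="true"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python manifest_triage.py output/resources/AndroidManifest.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in triage_manifest(text).items():
        print("%-24s %s" % (key, value))
```

The launcher activity will always appear in `exported_unprotected`; that is expected. The entries to chase are the others: here the deep-link activity (exported only because it has an intent filter) and the content provider, which any app on the device can query.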
Common Use Cases
Finding Hardcoded Secrets
- Search for API keys, passwords, tokens in decompiled source
- Look in strings.xml, constants, and initialization code
- Check for encryption keys and certificates
Analyzing Network Communication
- Find HTTP/HTTPS client implementations
- Identify endpoints and data being transmitted
- Check for SSL pinning and certificate validation
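Both of the preceding use cases, hardcoded secrets and TLS handling, come down to pattern matching over the decompiled source tree, so one pass can serve both. The script below is an added example for this guide, not code from the hacktricks-skills repo or from any of the decompilers above. It is meant to be pointed at a Jadx sources directory (for example `./output/sources`); the embedded `SAMPLE_SOURCES` are constructed Java snippets with fake key material (the AWS value is the one from AWS's own documentation) so that it runs offline. The regexes are a starting set, not a complete catalogue.

```python
"""Scan decompiled Java sources for hardcoded secrets and weak TLS code.

Added example for this guide; not code from hacktricks-skills or any decompiler.
SAMPLE_SOURCES below are constructed snippets containing fake credentials.
"""
import os
import re
import sys

# Fixed-format credentials first (few false positives), then a generic
# '<name containing key/secret/token> = "..."' assignment that skips URL values.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "generic_assignment": re.compile(
        r'(?i)\b\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*=\s*"(?!https?://)[^"]{8,}"'),
}

# Weak TLS idioms as decompilers emit them; DOTALL so method bodies may span lines.
TLS_PATTERNS = {
    # X509TrustManager.checkServerTrusted with an empty body accepts every certificate.
    "trust_all_manager": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}", re.S),
    # HostnameVerifier.verify returning true unconditionally.
    "accept_all_hostnames": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;", re.S),
    # Hardcoded cleartext endpoints (the XML namespace URI is not an endpoint).
    "cleartext_url": re.compile(r'"http://(?!schemas\.android\.com)[^"\s]+"'),
}

# Evidence of certificate pinning (OkHttp CertificatePinner, TrustKit or a raw SPKI hash);
# worth knowing before planning traffic interception.
PINNING_PATTERN = re.compile(r"CertificatePinner|TrustKit|sha256/[A-Za-z0-9+/=]{40,}")

def scan_text(path, text):
    """Return (path, line, kind, excerpt) for every pattern hit in one file."""
    findings = []
    for kind, rx in list(SECRET_PATTERNS.items()) + list(TLS_PATTERNS.items()):
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((path, line, kind, m.group(0).splitlines()[0][:60]))
    return findings

def scan_sources(sources):
    """Scan a {relative_path: text} mapping; returns findings and the files that pin."""
    findings, pinning_files = [], []
    for path in sorted(sources):
        findings.extend(scan_text(path, sources[path]))
        if PINNING_PATTERN.search(sources[path]):
            pinning_files.append(path)
    return {"findings": findings, "pinning_files": pinning_files}

def load_tree(root):
    """Read every .java/.kt/.xml file under a decompiler output directory."""
    sources = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".java", ".kt", ".xml")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, root)] = fh.read()
    return sources

# Constructed sample tree: a config class with fake secrets and a cleartext base URL,
# a trust-everything TLS class, and a client that does pin certificates.
SAMPLE_SOURCES = {
    "com/example/target/Config.java": '''package com.example.target;
public final class Config {
    // AWS documentation example key, not a live credential
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String API_TOKEN = "sk_test_fake_token_value_0001";
    static final String SESSION = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJlc2lnbmF0dXJl";
    static final String BASE_URL = "http://api.example.com/v1/";
}
''',
    "com/example/target/net/InsecureTrust.java": '''package com.example.target.net;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
public class InsecureTrust implements X509TrustManager, HostnameVerifier {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a) { }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    public boolean verify(String host, SSLSession s) { return true; }
}
''',
    "com/example/target/net/Client.java": '''package com.example.target.net;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
public class Client {
    OkHttpClient build() {
        CertificatePinner p = new CertificatePinner.Builder()
            .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=").build();
        return new OkHttpClient.Builder().certificatePinner(p).build();
    }
}
''',
}

if __name__ == "__main__":
    # Usage: python source_triage.py output/sources
    result = scan_sources(load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SOURCES)
    for path, line, kind, excerpt in result["findings"]:
        print("%s:%d: %s: %s" % (path, line, kind, excerpt))
    print("certificate pinning seen in:", result["pinning_files"] or "none")
```

Every hit still needs a human look: a `generic_assignment` match is often a placeholder or a test fixture, and a `cleartext_url` may be overridden by a network security config. The pinning list is the other half of the network-communication question: if a file pins, plan on unpinning (Frida or repackaging) before intercepting traffic.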
Understanding App Behavior
- Review manifest for permissions and components
- Trace main activity and service flows
- Identify third-party SDKs and libraries
Security Assessment
- Look for insecure data storage
- Check for proper input validation
- Identify potential attack vectors
Tips for Success
- Start simple: Jadx is enough for most apps that are not packed or heavily obfuscated
- Use multiple tools: Different decompilers handle edge cases differently
- Check the manifest first: It tells you what the app can do
- Look for patterns: Obfuscated code often has telltale signs
- Document everything: Keep track of which tool produced which output
- Be patient: Complex apps may require multiple passes
When to Use Each Tool
| Scenario | Recommended Tool |
|---|---|
| Quick inspection | Jadx |
| Obfuscated code | Bytecode-Viewer + multiple decompilers |
| Modern Java (records, var, etc.) | CFR |
| Runtime deobfuscation | frida-DEXdump |
| Windows environment | GDA |
| Dalvik to Java conversion | Enjarify |
| Fine-grained control | Krakatau |
| Simple JAR files | procyon or Fernflower |
References
- Original decompilation guide: https://eiken.dev/blog/2021/02/how-to-break-your-jar-in-2021-decompilation-guide-for-jars-and-apks/
- Jadx: https://github.com/skylot/jadx
- CFR: https://github.com/leibnitz27/cfr
- Bytecode-Viewer: https://github.com/Konloch/bytecode-viewer/releases
- frida-DEXdump: https://github.com/hluwa/frida-dexdump