Security Information
Enable proguard in release mode. This will make it harder for reverse engineering. Also check this developer training documentation on security.
(from comment on this question)
Package signature validation
You can verify if a package has been repackaged by checking the signature. Some articles to help with that:
Retrieving APK signature during runtime.
Self checking an APK signature.
How to check APK signature.
(originally posted ad Verify Android apk has not been repackaged?)
Decompile DEX into Java
I answered a question about decompiling DEX code in the past. My original answer might be outdated by now but the question has been kept up to date by others. Here is an overview of some of the tools listed there.
A more complete version of fred's answer:
Manual way
First you need a tool to extract all the (compiled) classes on the DEX to a JAR. There's one called dex2jar, which is made by a chinese student.
Then, you can use jd-gui to decompile the classes on the JAR to source code. The resulting source should be quite readable, as dex2jar applies some optimizations.
1: http://code.google.com/p/dex2jar/
2: http://java.decompiler.free.fr/?q=jdguiAutomatic way
You can use APKTool. It will automatically extract all the classes (
.dex
), resources (.asrc
), then it will convert binary XML to human-readable XML, and it will also dissassemble the classes for you.
Disassembly will always be more robust than decompiling, especially with JARs obfuscated with Pro Guard!Just tell APKTool to decode the APK into a directory, then modify what you want, and finally encode it back to an APK. That's all.
Important: APKTool dissassembles. It doesn't decompile. The generated code won't be Java source. But you should be able to read it, and even edit it if you're familiar with jasmin. If you want Java source, please go over the Manual way.
(original question: decompiling DEX into Java sourcecode)