The article you linked describes extracting the FileDescriptorProtos embedded as string literals in a C++ application that uses Protobufs. The Java code generator embeds similar string literals into Java code. If you ran the Java classes through a decompiler, you should be able to recover the descriptor strings and decode them.
However, note that this only works if the application uses the standard, Google-authored Java protobuf implementation and does not use "lite mode". In lite mode, descriptors are not included in the generated code. Implementations other than the Google-authored ones may or may not include the descriptor. I would guess that most Android developers prefer to use lite mode or some alternative lightweight implementation that doesn't include descriptors, so you might have trouble extracting from APKs. (I don't know about Objective-C.)
That said, note that you can actually decode a lot of the information in a protobuf message without having the schema at all. If you use protoc with the --decode_raw command-line option and feed it a protobuf message on stdin, it will decode it to tag/value pairs. You'll only get numbered fields (not names) and some type information is lost, but you'll find it much easier to reverse-engineer the format from there than you would with just the raw bytes.
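To illustrate the schemaless decoding described in the last paragraph, here is an added example that is not part of the original answer and is not protoc's code: a small Python decoder for the protobuf wire format that returns numbered tag/value pairs. The function names, the nested-message heuristic and the sample bytes are constructed for this illustration.

```python
# Added example: schemaless protobuf wire-format decoder (hypothetical helper names).

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")
    raise ValueError("truncated varint")

def decode_raw(buf, depth=0):
    """Return [(field_number, wire_type, value), ...] for one serialized message."""
    if depth > 16:  # bound recursion on untrusted input
        raise ValueError("nesting too deep")
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:          # varint: intN, uintN, sintN, bool or enum
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):   # fixed64/double or fixed32/float, kept as raw uint
            size = 8 if wire_type == 1 else 4
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire_type == 2:        # string, bytes, packed repeated or sub-message
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:                       # groups (3, 4) are not handled in this example
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
        if wire_type == 2 and value:
            try:  # heuristic: keep the nested parse only if it decodes cleanly
                value = decode_raw(value, depth + 1)
            except ValueError:
                pass  # not a message, leave as raw bytes
        fields.append((number, wire_type, value))
    return fields

# Constructed sample: 1 = 150, 2 = "testing", 3 = { 1 = 150 }
SAMPLE = bytes.fromhex("089601" "120774657374696e67" "1a03089601")
if __name__ == "__main__":
    for field in decode_raw(SAMPLE):
        print(field)
```

The output shows why type information is lost: field 1 could be any varint-encoded type, and field 3 is only guessed to be a sub-message because its bytes happen to parse as one.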