Is it possible to decompile an Android .apk file?
-
30-09-2019 - |
Pergunta
Are the users able to convert the apk file of my application back to the actual code? If they do - is there any way to prevent this?
Solução
First, an apk file is just a modified jar file. So the real question is can they decompile the dex files inside. The answer is sort of. There are already disassemblers, such as dedexer and smali. You can expect these to only get better, and theoretically it should eventually be possible to decompile to actual Java source (at least sometimes). See the previous question decompiling DEX into Java sourcecode.
What you should remember is obfuscation never works. Choose a good license and do your best to enforce it through the law. Don't waste time with unreliable technical measures.
Outras dicas
ApkTool to view resources inside APK File
- Extracts AndroidManifest.xml and everything in res folder(layout xml files, images, htmls used on webview etc..)
- command :
apktool.bat d sampleApp.apk
- NOTE: You can achieve this by using zip utility like 7-zip. But, It also extracts the .smali file of all .class files.
Using dex2jar
- Generates .jar file from .apk file, we need JD-GUI to view the source code from this .jar.
- command :
dex2jar sampleApp.apk
Decompiling .jar using JD-GUI
- decompiles the .class files (obfuscated- in a case of the android app, but a readable original code is obtained in a case of other .jar file). i.e., we get .java back from the application.
I may also add, that nowadays it is possible to decompile Android application online, no software needed!
Here are 2 options for you:
Download this jadx tool https://sourceforge.net/projects/jadx/files/
Unzip it and than in lib folder run jadx-gui-0.6.1.jar file now browse your apk file. It's done. Automatically apk will decompile and save it by pressing save button. Hope it will work for you. Thanks
Sometimes you get broken code, when using dex2jar
/apktool
, most notably in loops. To avoid this, use jadx, which decompiles dalvik bytecode into java source code, without creating a .jar
/.class
file first as dex2jar
does (apktool uses dex2jar I think). It is also open-source and in active development. It even has a GUI, for GUI-fanatics. Try it!
Are the users able to convert the apk file of my application back to the actual code?
yes.
People can use various tools to:
- analysis: your apk
- decode/hack your apk
- using
FDex2
to dump outdex
file- then using
dex2jar
to convert tojar
- then using
jadx
to conver tojava
source code
- then using
- then using
- using
If they do - is there any way to prevent this?
yes. Several (can combined) ways to prevent (certain degree) this:
- low level: code obfuscation
- using Android
ProGuard
- using Android
- high level: use android harden scenario
More details can refer my Chinese tutorial: 安卓应用的安全和破解