protium

Posted on Jun 27, 2019

Extract code from Android APK with 3 commands

#android #java #ethicalhacking

I mean, with 3 tools

Disclaimer

This post is for informational and educational purposes only

Requirements

Terminal Time

# extract classes.dex
unzip -j <apkfile.apk> classes.dex
# transform dex file to jar file
d2j-dex2jar.sh classes.dex
# read the sources
jd-gui classes-dex2jar.jar

Bonus

Do you use NativeScript/Ionic/Cordova/Phonegap/"insert some webview based mobile framework"?
This is how easy someone can read your javascript code

# find the bundled JS
unzip -l <apK file> | grep '.js'
# extract the bundle
unzip -j <apk file> assets/app.js
# find endpoint, or api keys
cat app.js | grep 'api*\|http*'
# DoS the endpoints
echo "just kidding"

Edit

If you want to avoid commands an just use an app with UI you have

Hope you find it useful and educational.

Cover Image from https://www.eff.org/issues/coders/reverse-engineering-faq

Build apps, not infrastructure.

Dealing with servers, hardware, and infrastructure can take up your valuable time. Discover the benefits of Heroku, the PaaS of choice for developers since 2007.

Visit Site

Top comments (2)

Nguyễn Trung Kiên • Jun 27 '19 • Edited

you don't have to unzip it.
Unzip only need when there is more than 1 dex file

protium • Jun 27 '19

You are right. I wanted to mention unzip for the bonus part.
And, as a matter of fact, you can use jadx and open directly the apk. Also you have a binary analysis tool from google

DEV Community

Extract code from Android APK with 3 commands

Disclaimer

Requirements

Terminal Time

Bonus

Edit

Build apps, not infrastructure.

Top comments (2)

The Next Generation Developer Platform

Read next

Inversion of Control and Dependency Injection: A Practical Guide with Java and Spring Boot

Servlet: The Foundation of Java Web Technology

The Best Way to Optimize Garbage Collection for Java Applications

Let's Create Google Gemini 2.0 Using JavaScript | Gemini AI Chatbot Clone

Okay