By aryaxt


2010-06-26 03:51:50 8 Comments

Are the users able to convert the apk file of my application back to the actual code? If they do - is there any way to prevent this?

6 comments

@crifan 2019-04-29 08:35:42

Are the users able to convert the apk file of my application back to the actual code?

yes.

People can use various tools to:

  • analyze your apk
  • decode/hack your apk
    • using FDex2 to dump out dex file
      • then using dex2jar to convert to jar
        • then using jadx to convert to java source code

If they do - is there any way to prevent this?

Yes. Several ways (which can be combined) to prevent this to a certain degree:

  • low level: code obfuscation
    • using Android ProGuard
  • high level: use android harden scenario

For more details, refer to my Chinese tutorial: 安卓应用的安全和破解

@gtiwari333 2012-02-09 16:26:24

Decompilation of APK file is possible. But it might be difficult to understand the code if it is obfuscated.

ApkTool to view resources inside APK File

  • Extracts AndroidManifest.xml and everything in the res folder (layout xml files, images, htmls used on webview, etc.)
  • command : apktool.bat d sampleApp.apk
  • NOTE: You can achieve this by using a zip utility like 7-zip. But it also extracts the .smali file of all .class files.

Using dex2jar

  • Generates .jar file from .apk file, we need JD-GUI to view the source code from this .jar.
  • command : dex2jar sampleApp.apk

Decompiling .jar using JD-GUI

  • decompiles the .class files (obfuscated in the case of an Android app, but readable original code is obtained in the case of other .jar files), i.e., we get .java back from the application.

@IgorGanapolsky 2012-04-30 18:43:22

apktool does not spit out java source files! Only smali

@gtiwari333 2012-04-30 19:07:45

As I already said in the answer, apktool creates .jar from .apk and we have to use a JD-GUI-like tool to decompile .jar to achieve .java source files.

@farcrats 2012-08-21 18:28:46

you freakin' saved my life! what an awesome post! I lost the last two days of code because of a failed SSD (sadly, I didn't commit to git). However, I did have the apk and now I have my source, mind you, a little bit different, but source!

@akhilesh Jha 2017-05-02 17:24:03

Download this jadx tool https://sourceforge.net/projects/jadx/files/

Unzip it and then, in the lib folder, run the jadx-gui-0.6.1.jar file and browse to your apk file. It's done. The apk will decompile automatically; save it by pressing the save button. Hope it will work for you. Thanks

@Andrew Rukin 2015-12-12 11:27:07

I may also add, that nowadays it is possible to decompile Android application online, no software needed!

Here are 2 options for you:

@iOSAndroidWindowsMobileAppsDev 2016-08-11 07:16:29

decompileandroid.com is offline (when you upload the apk you will have problems downloading it again) and javadecompilers.com/apk has put my apk in a queue for a long time. I went offline, then online, and it was still in a queue. I cleared all browsing history and now the apk I uploaded for the second time is in a queue.

@polym 2015-03-04 21:08:03

Sometimes you get broken code, when using dex2jar/apktool, most notably in loops. To avoid this, use jadx, which decompiles dalvik bytecode into java source code, without creating a .jar/.class file first as dex2jar does (apktool uses dex2jar I think). It is also open-source and in active development. It even has a GUI, for GUI-fanatics. Try it!

@Matthew Flaschen 2010-06-26 03:55:21

First, an apk file is just a modified jar file. So the real question is can they decompile the dex files inside. The answer is sort of. There are already disassemblers, such as dedexer and smali. You can expect these to only get better, and theoretically it should eventually be possible to decompile to actual Java source (at least sometimes). See the previous question decompiling DEX into Java sourcecode.

What you should remember is obfuscation never works. Choose a good license and do your best to enforce it through the law. Don't waste time with unreliable technical measures.

@Barry Fruitman 2011-07-26 19:39:30

Never say never. Obfuscation will not stop a determined thief but it will slow down or deter many others. Processing with Proguard is an easy and RELIABLE way to obfuscate your code and as a bonus it will optimize it too. And it's included in the Android SDK, so it's endorsed by Google.

@MattC 2012-01-03 22:57:53

Obfuscation definitely works, but you have to more clearly define what your goal is. Obviously the only way you could ever keep your source code truly safe is to never give anyone access to it, server or client. Note that Proguard doesn't work well on classes that have references in XML files. You need to utilize manual obfuscation to get around that.
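A release-build check for the points made in this thread, as an added example that is not part of any of the posts: since an APK is a ZIP archive with DEX files inside, class names can be read straight out of your own build to confirm that ProGuard actually renamed them, with a `keep` list for classes referenced from XML that must stay readable. The function names, the `com.example.app` package, the "simple name longer than two characters means not renamed" heuristic and the skeletal sample DEX are all assumptions made for illustration.

```python
import io
import struct
import zipfile

def dex_class_names(dex):
    """Dotted names of the classes defined in one DEX image."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    str_off, _, type_off = struct.unpack_from("<3I", dex, 0x3C)  # id tables
    cls_n, cls_off = struct.unpack_from("<2I", dex, 0x60)        # class_defs
    names = []
    for i in range(cls_n):
        (class_idx,) = struct.unpack_from("<I", dex, cls_off + 32 * i)
        (desc_idx,) = struct.unpack_from("<I", dex, type_off + 4 * class_idx)
        (pos,) = struct.unpack_from("<I", dex, str_off + 4 * desc_idx)
        while dex[pos] & 0x80:      # skip the ULEB128 length prefix
            pos += 1
        end = dex.index(b"\x00", pos + 1)
        names.append(dex[pos + 2:end - 1].decode().replace("/", "."))  # drop L and ;
    return names

def unrenamed_classes(apk_bytes, app_package, keep=()):
    """App classes that kept a long simple name and are not in `keep` (heuristic)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if entry.startswith("classes") and entry.endswith(".dex"):
                found += dex_class_names(apk.read(entry))
    return sorted(n for n in found if n.startswith(app_package + ".")
                  and n not in keep and len(n.rsplit(".", 1)[-1]) > 2)

def make_sample_apk(class_names):
    """Constructed input: a ZIP with a skeletal classes.dex (only the fields read above)."""
    n = len(class_names)
    str_off, type_off, cls_off, data_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n, 0x70 + 40 * n
    ids, data = b"", b""
    for name in class_names:
        ids += struct.pack("<I", data_off + len(data))
        desc = "L" + name.replace(".", "/") + ";"
        data += bytes([len(desc)]) + desc.encode() + b"\x00"
    types = b"".join(struct.pack("<I", i) for i in range(n))
    defs = b"".join(struct.pack("<I", i).ljust(32, b"\x00") for i in range(n))
    header = bytearray(b"dex\n035\x00".ljust(0x70, b"\x00"))
    struct.pack_into("<4I", header, 0x38, n, str_off, n, type_off)
    struct.pack_into("<2I", header, 0x60, n, cls_off)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + types + defs + data)
    return out.getvalue()
```

Run against a real release APK, a non-empty result from `unrenamed_classes` points at classes that either need obfuscation enabled or belong in the keep list on purpose.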
