
How to Decompile an Android App

Sometimes, when bug hunting an Android app, it is worth getting at the “source code”, for instance when you want to enumerate every REST API endpoint the app talks to instead of discovering them one by one with Burp Suite.

Note: The quotes are intentional because you can’t recover the actual source code from an APK; release builds are normally shrunk and obfuscated by the default ProGuard settings. The decompiled output is still a helpful tool, though.

Getting the APK

In order to get the APK from your phone, you must first enable USB debugging.

Your machine also needs ADB (which comes with Android Studio).

Note: Remember to update the app in question first; if you test an outdated build, you could end up reporting a bug that was already fixed by a security update (a duplicate).

With your phone plugged in, or your Android Virtual Device running, run this command to open a shell on the Android device:

PS C:\Users\L3n> adb shell
generic_x86:/ $

If you are using a physical phone, you need to confirm the USB debugging authorization dialog on the device.

The first step in extracting the APK is identifying the package name of the app:

generic_x86:/ $ pm list packages
package:com.android.cts.priv.ctsshim
package:com.google.android.youtube
package:com.android.internal.display.cutout.emulation.corner
package:com.google.android.ext.services
package:com.android.internal.display.cutout.emulation.double
package:com.android.providers.telephony
package:com.android.dynsystem
...

Normally you can just grep that result for the target company’s name.

generic_x86:/ $ pm list packages | grep facebook
package:com.facebook.orca

… which is Facebook in this case.

Now find the path:

generic_x86:/ $ pm path com.facebook.orca
package:/data/app/com.facebook.orca-b64==/base.apk

Now, outside ADB’s shell, pull the APK with:

PS C:\Users\L3n> adb pull /data/app/com.facebook.orca-b64==/base.apk
/data/app/com.facebook.orca-b64==/base….e pulled, 0 skipped. 182.1 MB/s (49825900 bytes in 0.261s)

Done, you now have the app in the current directory.
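The steps above (list packages, grep for the target, resolve the path, pull the file) are easy to script. The following is an added example, not code from the original post: a small POSIX shell script that wraps them. It assumes adb is on your PATH, and the package and path values in the comments are placeholders. It goes slightly beyond the single base.apk case shown above: on newer devices pm path prints several lines (base.apk plus split_config.*.apk), and adb shell output may carry a trailing carriage return, so the parsing strips both.

```shell
#!/bin/sh
# Added example (not part of the original post): pull every APK file that
# belongs to a package from a connected device. Assumes adb is on PATH.

# Turn "pm list packages" output into bare package names matching a keyword
# (case-insensitive). The "package:" label and any CR from adb are stripped.
packages_matching() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$2"
}

# Turn "pm path <pkg>" output into bare on-device APK paths, one per line.
# A split-APK install yields base.apk plus one or more split_config.*.apk.
apk_paths_from_pm_output() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep '\.apk$'
}

# Resolve and pull all APK files of a package into an output directory.
# Usage: pull_apks com.example.app ./out      (package name is a placeholder)
pull_apks() {
  pkg="$1"
  out="${2:-.}"
  mkdir -p "$out" || return 1
  paths=$(apk_paths_from_pm_output "$(adb shell pm path "$pkg")")
  if [ -z "$paths" ]; then
    echo "no APK found for package '$pkg'" >&2
    return 1
  fi
  # The while loop runs in a subshell; "exit 1" there makes the whole
  # pipeline (and therefore this function) report failure.
  printf '%s\n' "$paths" | while IFS= read -r p; do
    echo "pulling $p" >&2
    adb pull "$p" "$out/" || exit 1
  done
}

# Only talk to a device when invoked with arguments and adb is available,
# e.g.:  sh pull_apks.sh com.example.app ./out
if [ $# -gt 0 ] && command -v adb >/dev/null 2>&1; then
  pull_apks "$@"
fi
```

If the device has several matches for a keyword, run packages_matching "$(adb shell pm list packages)" <keyword> first and pick the right one before calling pull_apks; adb pull on /data/app/... paths works because the installed APK directory is world-readable, no root required.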

Decompiling the APK

For this part, you can either go the extra mile and decompile with apktool and JD-GUI, or you can simply open the APK with JADX.

Personally, I haven’t had any issues with JADX, though if you want to modify the source (like making the app accept user certificates, to use Burp Suite on Nougat+ devices), you must use apktool.
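Coming back to the motivation from the start of the post (finding all REST API endpoints), here is an added example that is not part of the original post: a POSIX shell script that decompiles an APK with the jadx command-line tool (jadx -d <dir> <apk>, assumed to be on PATH) and then greps the resulting .java files for absolute URL literals and for Retrofit-style endpoint annotations. The Retrofit pattern is an assumption about how the app declares its endpoints; apps that build URLs by string concatenation or load them from config will not show up this way.

```shell
#!/bin/sh
# Added example (not part of the original post): decompile with jadx and
# list endpoint-looking strings in the output. Assumes jadx is on PATH.

# Decompile an APK into a directory of .java sources with jadx.
# Usage: decompile_with_jadx base.apk ./jadx_out
decompile_with_jadx() {
  apk="$1"
  out="${2:-jadx_out}"
  jadx -d "$out" "$apk"
}

# Print unique absolute http(s) URL literals found in .java files under a
# directory. Only complete string literals are matched, so URLs assembled
# from several pieces are not detected.
extract_urls() {
  grep -rhoE --include='*.java' '"https?://[^"[:space:]]+"' "$1" \
    | tr -d '"' | sort -u
}

# Print unique Retrofit-style endpoint annotations, e.g. @GET("users/{id}").
# These hold paths relative to the client's base URL, which is why they are
# listed separately from the absolute URLs above.
extract_retrofit_paths() {
  grep -rhoE --include='*.java' '@(GET|POST|PUT|PATCH|DELETE)\("[^"]*"\)' "$1" \
    | sort -u
}

# Full run, only when invoked with an APK and jadx is available, e.g.:
#   sh endpoints.sh base.apk ./jadx_out
if [ $# -gt 0 ] && command -v jadx >/dev/null 2>&1; then
  decompile_with_jadx "$1" "${2:-jadx_out}" || exit 1
  echo "== absolute URLs =="
  extract_urls "${2:-jadx_out}"
  echo "== Retrofit endpoints =="
  extract_retrofit_paths "${2:-jadx_out}"
fi
```

Treat the output as a starting list to confirm in Burp Suite rather than a complete inventory: obfuscated builds keep string literals intact, but the code that uses them may be hard to read, and any endpoint constructed at runtime still has to be found the manual way.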
