In this post I want to show you how to reverse engineer Android apps with Apktool. Disclaimer: This guide is for educational purposes only. Copying or reusing the decompiled code beyond this example might be illegal. Please check the license!

1) Background

A few days ago I wanted to know how hard it is to change a compiled Android app.
I wanted to find out how much is possible and what the best way is to protect apps against it. It turns out that it’s not that hard if you don’t use any obfuscation techniques.

I created a simple example app.
In this example I’m trying to bypass the login check to get to the “SecretActivity”.

Screenshot: the MainActivity

Screenshot: the SecretActivity

2) Grab the apk over adb

In this example you can just download the apk from my GitHub profile, but here’s a way to grab apks from already installed apps.

With this command you get a list of all installed packages:

This command should return the path of the apk:

This downloads the apk:

3) What is inside an apk?

An apk is nothing more than a zip file. You can open it with any archive manager.

Screenshot: content of my example apk

Usually it contains the AndroidManifest.xml, the resource folders and a classes.dex, which contains the Dalvik bytecode (DEX stands for Dalvik EXecutable).

4) Install Apktool

Follow the instructions on http://ibotpeaches.github.io/Apktool/install/
Apktool converts the dex file into smali, a human-readable assembly form of the Dalvik bytecode.

Disassemble the app

Apktool will generate a new folder with the extracted files from the apk.

Android Manifest

The first file we take a look at is the AndroidManifest.xml. Here we can see which activity is opened first.

As we can see, the MainActivity class has an intent filter with the action android.intent.action.MAIN, which means that this class is the entry point of the app.

5) Change the bytecode

We can find the MainActivity in the smali folder.

This was the method checkLogin() in MainActivity.java:

And here it is in bytecode in MainActivity.smali:

The method checkLogin() returns the value of register v0.
In the line above it, v0 is set to 0x0, which means false. We want the method to return true, so we change 0x0 to 0x1 and save the file.
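As an added example (not code from the original post), here is a small Python script that does the same register walk as the explanation above, but over every boolean method in a .smali file: it reports which methods always return a fixed constant. A check that shows up as a constant is exactly the kind of single-instruction edit described here, which is what a reviewer looks for when deciding which checks must not live in the client at all. The smali text, class and method names are constructed for the example.

```python
import re

# Constructed smali modelled on what apktool emits for checkLogin(); hypothetical, not the post's file.
SAMPLE_SMALI = """\
.method private checkLogin()Z
    const/4 v0, 0x0
    return v0
.end method
.method private isAdmin(Ljava/lang/String;)Z
    const-string v0, "admin"
    invoke-virtual {p1, v0}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
"""
METHOD_RE = re.compile(r"^\.method\s+(?:[a-z]+\s+)*(\S+\)Z)$")  # boolean methods only
CONST_RE = re.compile(r"^const(?:/4|/16|/high16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)$")
RESULT_RE = re.compile(r"^move-result(?:-wide|-object)?\s+([vp]\d+)$")
RETURN_RE = re.compile(r"^return\s+([vp]\d+)$")
BRANCH_RE = re.compile(r"^(if-|goto|:|packed-switch|sparse-switch)")

def returned_constant(body_lines):
    """Walk a straight-line method body, tracking the constant each register
    last held, and report what `return vN` hands back (None = not fixed)."""
    regs = {}
    for line in body_lines:
        if BRANCH_RE.match(line):          # control flow: give up, not a fixed value
            return None
        if m := CONST_RE.match(line):      # e.g. `const/4 v0, 0x0`  ->  v0 = 0
            regs[m.group(1)] = int(m.group(2), 0)
        elif m := RESULT_RE.match(line):   # value came from a call: unknown
            regs.pop(m.group(1), None)
        elif m := RETURN_RE.match(line):
            return regs.get(m.group(1))
    return None

def audit_boolean_methods(smali_text):
    """Map every boolean method in a .smali file to the constant it always
    returns, or None when the result is actually computed."""
    result, current, body = {}, None, []
    for raw in smali_text.splitlines():
        line = raw.strip()
        if m := METHOD_RE.match(line):
            current, body = m.group(1), []
        elif line == ".end method" and current:
            result[current] = returned_constant(body)
            current = None
        elif current:
            body.append(line)
    return result
```

Run it over the smali folder Apktool produced and any method listed with 0 or 1 is a hard-coded check rather than a real decision.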

6) Build the apk

Now we use Apktool to build the app again.

7) Sign the apk

The last step is to sign the app.

We need to create a keystore:

Then we use the keystore to sign the apk:

We can now install the apk again and see that the “login” was successful.