Jens Klingenberg

Reverse Engineering Android Apps Part1 : Apktool

Posted on June 7, 2016  •  3 minutes  • 546 words
Table of contents

In this post i want to show you, how to reverse engineer Android apps with Apktool. Disclaimer : This guide is for educational purposes only. Copying/Reusing the decompiled code other than this example might be illegal. Please check the license !

1) Background

A few days ago i wanted to know how hard it is to change a compiled Android app. I wanted to find out how much is possible and what is the best way to protect apps against it. It turns out that it's not that hard, if you don't use any obfuscation techniques.

I created a simple example app. In this example i’m trying to bypass the login check, to get to the “SecretActivity”.

the MainActivity MainActivity
SecretActivity SecretActivity

2) Grab the apk over adb

In this example you can just download the apk from my Github Profile, but here's a way to grab apk's from already installed apps.

With this command you get a list of all installed packages:

adb shell pm list packages

This command should return the path of the apk:

adb shell pm path

This downloads the apk:

adb pull /data/app/

3) What is inside an apk?

An apk is nothing else than a zip file. You can open it with any archive manager.

Content of my example apk Content of my example Apk

Usually it contains the AndroidManifest.xml, the ressource folders and a classes.dex, which contains the dalvik bytecode (Dalvik EXecutable)

4) Install Apktool

Follow the instructions on Apktool converts the dex file to smali bytecode, which is human readable code.

Disassemble the app

apktool d ReverseMe.apk

Apktool will generate a new folder with the extracted files from the apk.

Android Manifest

The first file we to take a look at is the android manifest. Here we can see which is the activity that is opened first.

As we can see here, the class MainActivity has the intent filter action android.intent.action.MAIN this means that this class is the entry class.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="" package="">

    <application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:theme="@style/AppTheme">
        <activity android:name="">
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
        <activity android:name=""></activity>


5) Change the bytecode

We can find the MainActivity in the smali folder.

This was the method checkLogin() in :

public boolean checkLogin(String username,String password){

        //Imagine a network request here

        return false;

And here it is in bytecode in MainActivity.smali:

# virtual methods
.method public checkLogin(Ljava/lang/String;Ljava/lang/String;)Z
    .locals 1
    .param p1, &quot;username&quot;    # Ljava/lang/String;
    .param p2, &quot;password&quot;    # Ljava/lang/String;

    .line 43
    const/4 v0, 0x0 //&lt;-- This value is returned

    return v0
.end method

The method checkLogin() returns the value of v0. We see in the line above, that v0 is set to 0x0 which means false. We want the method to return true so we edit 0x0 to 0x1 and save the file.

6) Build the apk

apktool b ReverseMe -o newReverseMev1.apk

Now we use Apktool to build the app again

7) Sign the apk

The last step is to sign the app.

We need to create a keystore:

keytool -genkey -v -keystore my-release-key.keystore -alias myAlias -keyalg RSA -keysize 2048 -validity 10000

Then we use the keystore to sign the apk:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore newReverseMev1.apk myAlias

We can now install the apk again and see that the “login” was successful.

Let's connect: