Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Cyber Security Services

Android Application Security Assessments - Part 5: Reverse Engineering The .apk File

Created: 24 Jan 2012 • Updated: 01 Feb 2012 • 4 comments
Christopher.Emerson's picture
+4 4 Votes
Login to vote

There are times in security engagements when having an application’s source code can make your life infinitely easier.  Fortunately, there are publicly available tools to make this a painless process.

If you you are looking for how to install apps into your environment, take a look here, or check here for a list of all the previous entries in this series.

Convert The Android Application Package File (.apk) File To A Java Archive (.jar)

Remember that copy of the .apk file that our project team gave us (or that we downloaded from the Marketplace)?  You are going to need that.

The Android .apk file is essentially a compressed file, containing the manifest file, certificates, resources, assets and the program code, compiled in the Dalvik Executable (.dex) format.

Converting your target .apk file into a .jar file is pretty simple.

  1. Download dex2jar, a tool for converting Android's .dex format to Java's .jar format.
  2. Run the following command:
    a.    Linux: $ ./dex2jar targetfile.apk
    b.    Windows: C:\>dex2jar targetfile.apk

The above assumes that you are in the directory containing dex2jar, or that dex2jar is included in your PATH

You should now see your Java Archive of your target file in the dex2jar folder.  Almost there…

Convert the Java Archive (.jar) to Java (.java) files

  1. Uncompress your .jar file to a new project folder:
    a.    Linux: $ jar xf targetfile_dex2jar.jar
    b.    Window: Right-Click targetfile_dex2jar.jar and select ‘Open With’ > ‘WinZip’ (or your personal favorite file archive utility).
  2. Convert your .jar file to .java files
    a.    Linux: $./jad -r -sjava -dproject_folder project_folder/**/*.class
    b.    Windows: C:\>jad -r -sjava -dproject_folder project_folder/**/*.class

            i.The above assumes that you are in the directory containing jad, or that jad is included in your PATH

            ii.I would be remiss if I did not point out JadClipse, an Eclipse plug-in for Jad.

You now have the source code for your target application.  From here you can perform a code and configuration review or use your favorite source code security tool.

Next we will will conclude this series with some additional tools and tips for your Android Assessments.

Comments 4 CommentsJump to latest comment

patriot3w's picture

Hi while using jad, got below errors

Couldn't fully decompile method b
Couldn't resolve all exception handlers in method b
Couldn't fully decompile method b
Couldn't resolve all exception handlers in method b
Couldn't fully decompile method c
Couldn't fully decompile method d
Couldn't fully decompile method f
Couldn't resolve all exception handlers in method f
Couldn't fully decompile method <clinit>
Jad can not decompile the class files? Any other tools?
Thank you.
Login to vote
Benild's picture


Plz clarify my doubt.
   I have work with how to retrieve the source code. i have get the resource file everything. And i need to generate the classes.dex.dex2jar.dex file, if i give the command as " dex2jar classes.dex" it show the error msg as " Error occurred during initialization of VM
Could not reserve enough space for object heap
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit."  Kdly help me to get java code
Thanks in advance 


Login to vote
DopeFish's picture

Before you even think of opening a file extension you should search for a file extension resource first. You need to understand what it does exactly so you can properly open it in a safe environment. Before I opened my .apk file extension, I've read this resource artile on it to know what I am dealing with :

Login to vote