An easy guide to reverse engineering Android apps using APKTool. Learn how to decompile, analyze, and modify APK files to gain insights into their inner workings. Explore the world of Android app security and customization. Unlock the secrets of APK reverse engineering with this in-depth writeup.
- APKTool Usage (Decompiled APK)
- Bypassing Root Detection & SSL Pinning (Frida)
- Bypassing Application-Only Trusted User Certificates
- Sign the APK (Optional)
- Save the following script as `apktool.bat`. It is the standard Windows wrapper shipped by the APKTool project: it locates `java.exe` (honouring `JAVA_HOME`), picks the highest-versioned `apktool*.jar` sitting next to it, and adds a shortcut so that dropping an APK or a decoded folder onto the script unpacks or rebuilds it without typing `d`/`b`.

```bat
@echo off
setlocal
set BASENAME=apktool_
chcp 65001 2>nul >nul

set java_exe=java.exe

if defined JAVA_HOME (
    set "java_exe=%JAVA_HOME%\bin\java.exe"
)

rem Find the highest version .jar available in the same directory as the script
setlocal EnableDelayedExpansion
pushd "%~dp0"
if exist apktool.jar (
    set BASENAME=apktool
    goto skipversioned
)
set max=0
for /f "tokens=1* delims=-_.0" %%A in ('dir /b /a-d %BASENAME%*.jar') do if %%~B gtr !max! set max=%%~nB
:skipversioned
popd
setlocal DisableDelayedExpansion

rem Find out if the commandline is a parameterless .jar or directory, for fast unpack/repack
if "%~1"=="" goto load
if not "%~2"=="" goto load
set ATTR=%~a1
if "%ATTR:~0,1%"=="d" (
    rem Directory, rebuild
    set fastCommand=b
)
if "%ATTR:~0,1%"=="-" if "%~x1"==".apk" (
    rem APK file, unpack
    set fastCommand=d
)

:load
"%java_exe%" -jar -Duser.language=en -Dfile.encoding=UTF8 "%~dp0%BASENAME%%max%.jar" %fastCommand% %*

rem Pause when ran non interactively
for /f "tokens=2" %%# in ("%cmdcmdline%") do if /i "%%#" equ "/c" pause
```
- Download the latest APKTool JAR file from https://bitbucket.org/iBotPeaches/apktool/downloads/, rename it to `apktool.jar` and place it in the same directory as `apktool.bat`
- Open the command prompt in Windows
- Decompile the APK (the output goes into a folder named after the APK):

```
apktool d <file.apk>
```

- Use an editor such as VS Code or Android Studio to view and modify the decoded output. APKTool does not give you Java source: `smali/` holds the Dalvik bytecode in smali form, `res/` the decoded resources and `AndroidManifest.xml` the readable manifest.
- Recompile the APK (the rebuilt, still unsigned APK is written to `<folder>/dist/`):

```
apktool b <folder>
```
- Install Frida on the host (this also installs the `frida` command line client):

```
pip install frida-tools
```

- Find the app's package name:

```
adb shell pm list packages
```

- Download frida-server from https://github.com/frida/frida/releases and push it to the phone. The server version must be identical to the `frida-tools` client version (`frida --version`), and the build must match the device CPU (`adb shell getprop ro.product.cpu.abi`, e.g. `arm64-v8a` needs the `android-arm64` build); a mismatch is the usual reason `frida -U` fails to connect. Unpack the `.xz` archive before pushing:

```
adb push [frida server file] /data/local/tmp
```

- Start the server from an adb shell as root. The pushed file is not executable until you `chmod` it, and the trailing `&` keeps it running in the background:

```
adb shell
su
cd /data/local/tmp
chmod 755 [frida server file]
./[frida server file] &
```

- Spawn the app with the root detection bypass script. `-U` selects the USB device and `-f` spawns the package, so the hooks are installed before the app's own code runs:

```
frida --codeshare dzonerzy/fridantiroot -U --no-pause -f [app_package name]
```

or, on Frida 16 and newer, where the spawned process is resumed automatically and `--no-pause` is no longer accepted:

```
frida --codeshare dzonerzy/fridantiroot -U -f [app_package name]
```

Note that `fridantiroot` defeats common root checks (su binaries, root-management packages, build tags and similar); it does not touch TLS certificate validation. For SSL pinning you load an additional script with `-l <script.js>` that hooks the app's trust managers, or make the app trust your interception CA through the network security config described in the next section.
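The launch step above done from Python instead of the `frida` REPL, as an added example for this writeup (not code from the Frida project or the original page). It assumes `frida-tools` is installed on the host, a rooted device over USB with a frida-server of the same version already running, and that the target uses the platform `TrustManagerImpl` and/or OkHttp3; the hook targets are the well-known conscrypt and OkHttp entry points, which are assumptions not taken from the page, and each hook is skipped if its class is absent. The two small helpers (server asset name for the device ABI, package filter over `pm list packages` output) work offline.

```python
"""Spawn an Android app under Frida with an SSL-pinning bypass plus any extra scripts.

Added example for the writeup above, not part of Frida or the original page.
Assumes: frida-tools on the host, a rooted device over adb/USB running a
frida-server of the same version, and (for the hooks) conscrypt / OkHttp3 in
the target. Missing classes are skipped inside the script.
"""
import sys

# Map `adb shell getprop ro.product.cpu.abi` to the suffix used in Frida release
# asset names (https://github.com/frida/frida/releases), e.g. android-arm64.
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "x86": "x86",
    "x86_64": "x86_64",
}


def frida_server_asset(client_version: str, device_abi: str) -> str:
    """Name of the frida-server release asset matching the host client and device ABI.

    The server must be the same version as the frida-tools client (`frida --version`)
    and built for the device CPU, otherwise `frida -U` cannot connect.
    """
    if device_abi not in ABI_TO_FRIDA_ARCH:
        raise ValueError(f"unknown ABI {device_abi!r}")
    return f"frida-server-{client_version}-android-{ABI_TO_FRIDA_ARCH[device_abi]}.xz"


def find_packages(pm_output: str, needle: str) -> list[str]:
    """Filter `adb shell pm list packages` output (lines `package:<name>`) by substring."""
    names = [line.split(":", 1)[1].strip()
             for line in pm_output.splitlines() if line.startswith("package:")]
    return sorted(n for n in names if needle.lower() in n.lower())


# Hooks that make the usual certificate checks accept any chain: the platform
# TrustManagerImpl (HttpsURLConnection and most libraries on top of it) and
# OkHttp3's CertificatePinner. Each class lookup is wrapped so absent classes
# are reported instead of aborting the script.
PINNING_BYPASS_JS = r"""
Java.perform(function () {
  try {
    var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
      console.log('[+] TrustManagerImpl.verifyChain bypassed for ' + host);
      return untrustedChain;   // returning the chain unchanged means "trusted"
    };
  } catch (e) { console.log('[-] TrustManagerImpl not found: ' + e); }
  try {
    var CertificatePinner = Java.use('okhttp3.CertificatePinner');
    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (hostname, peerCertificates) {
      console.log('[+] okhttp3.CertificatePinner.check bypassed for ' + hostname);
    };
  } catch (e) { console.log('[-] okhttp3.CertificatePinner not found: ' + e); }
});
"""


def spawn_with_hooks(package: str, scripts: list[str]) -> int:
    """Spawn `package` on the USB device, load every script, then resume. Returns the pid."""
    import frida  # imported lazily so the offline helpers above work without frida installed

    device = frida.get_usb_device(timeout=5)
    pid = device.spawn([package])          # spawned suspended, like `frida -f`
    session = device.attach(pid)
    for source in scripts:
        script = session.create_script(source)
        script.on("message", lambda message, data: print(message))
        script.load()
    device.resume(pid)                     # resume only once the hooks are in place
    return pid


if __name__ == "__main__":
    # usage: python launch.py <package> [extra.js ...]   e.g. a locally saved root bypass script
    target = sys.argv[1]
    extra = [open(path, encoding="utf-8").read() for path in sys.argv[2:]]
    spawn_with_hooks(target, [PINNING_BYPASS_JS] + extra)
    print("hooks loaded, press Ctrl-D to detach")
    sys.stdin.read()                       # keep the session alive
```

Any additional `.js` files given on the command line are loaded before the app resumes, so a locally saved copy of the root detection bypass can be combined with the pinning hooks in one run.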
- Create a `network_security_config.xml` file in `<decompiled_folder>/res/xml` (create the `xml` folder if it does not exist). If `AndroidManifest.xml` already carries an `android:networkSecurityConfig` attribute, the app ships its own config: edit that file instead of adding a second one, otherwise its existing `domain-config` rules stay in force.
- Put the following in the file. Since Android 7.0 apps no longer trust user-installed CAs (such as your proxy's certificate) by default, so the `base-config` re-adds the `user` store next to the `system` store:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

- Add the attribute

```
android:networkSecurityConfig="@xml/network_security_config"
```

to the `<application>` tag in `<decompiled_folder>/AndroidManifest.xml`, e.g. `<application android:networkSecurityConfig="@xml/network_security_config" android:label="...">`.
- Recompile the APK:

```
apktool b <folder>
```

This only removes the platform-level trust restriction. An app that pins certificates in code (an OkHttp `CertificatePinner`, a custom `TrustManager`) still rejects the proxy and needs a runtime hook as well.
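The config and manifest steps above, automated, as an added example for this writeup (not APKTool's own code). It assumes the folder layout `apktool d` produces (`AndroidManifest.xml` at the top level, `res/xml/` beside it) and the file name `network_security_config` used above. It respects an existing `android:networkSecurityConfig` attribute rather than overriding it, and adds an audit function, not described on the page, that reports what a config file allows.

```python
"""Make a decoded APK trust user-installed CA certificates.

Added example for the writeup above, not APKTool's own code. Works on the
folder produced by `apktool d`: writes res/xml/network_security_config.xml,
points android:networkSecurityConfig in AndroidManifest.xml at it (or reports
the config the app already uses, so you edit that one), and audits a config.
"""
import os
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)   # keep the android: prefix on write
NSC_ATTR = f"{{{ANDROID_NS}}}networkSecurityConfig"

# Trust the system store and user-installed CAs. User CAs are ignored by apps
# from Android 7.0 on unless the config re-enables them; <base-config> applies
# to release builds too (unlike <debug-overrides>).
USER_CA_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def write_config(decoded_dir: str, name: str = "network_security_config") -> str:
    """Create res/xml/<name>.xml with the permissive trust anchors; return its path."""
    xml_dir = os.path.join(decoded_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    path = os.path.join(xml_dir, name + ".xml")
    with open(path, "w", encoding="utf-8") as f:
        f.write(USER_CA_CONFIG)
    return path


def patch_manifest(decoded_dir: str, name: str = "network_security_config") -> str:
    """Point <application> at @xml/<name>; return the config name now in effect.

    If the app already declares a config the manifest is left alone and that
    name is returned: the existing file (with its domain-config blocks) is the
    one to edit. Calling this twice is therefore harmless.
    """
    manifest = os.path.join(decoded_dir, "AndroidManifest.xml")
    tree = ET.parse(manifest)
    app = tree.getroot().find("application")
    if app is None:
        raise ValueError("no <application> element in " + manifest)
    existing = app.get(NSC_ATTR)
    if existing:
        return existing.removeprefix("@xml/")
    app.set(NSC_ATTR, "@xml/" + name)
    tree.write(manifest, encoding="utf-8", xml_declaration=True)
    return name


def audit_config(path: str) -> dict:
    """Report what a network security config allows.

    cleartext_permitted is the literal attribute value or None when unset; the
    default then depends on targetSdkVersion (allowed below 28, blocked from 28).
    """
    root = ET.parse(path).getroot()
    base = root.find("base-config")
    debug = root.find("debug-overrides")
    base_user = base is not None and any(
        c.get("src") == "user" for c in base.iter("certificates"))
    debug_user = debug is not None and any(
        c.get("src") == "user" for c in debug.iter("certificates"))
    pinned = sorted(d.text.strip()
                    for dc in root.iter("domain-config") if dc.find("pin-set") is not None
                    for d in dc.iter("domain"))
    return {
        "user_ca_trusted": base_user,
        "user_ca_debug_only": debug_user and not base_user,   # only in debuggable builds
        "cleartext_permitted": None if base is None else base.get("cleartextTrafficPermitted"),
        "pinned_domains": pinned,                              # still rejected without a hook
    }


if __name__ == "__main__":
    import sys
    decoded = sys.argv[1]                 # folder produced by `apktool d`
    name = patch_manifest(decoded)
    if name == "network_security_config":
        write_config(decoded)
    else:
        print(f"app already uses @xml/{name}; edit res/xml/{name}.xml instead")
    print(audit_config(os.path.join(decoded, "res", "xml", name + ".xml")))
```

Run it as `python nsc.py <decompiled_folder>` before `apktool b`. ElementTree rewrites the manifest, so diff it afterwards; the `android:` prefix is preserved, but unused namespace declarations are dropped.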
- Install a JDK from https://www.oracle.com/java/technologies/downloads/
- Add its `bin` folder (e.g. `path\Java\jdk-20\bin`) to the `PATH` environment variable so that `keytool` and `jarsigner` resolve from any directory
- Open the command prompt in Windows
- Generate a new key pair and store it in a keystore file (the passwords here are throwaway test values):

```
keytool -genkey -v -keystore test.keystore -storepass password -alias android -keypass password -keyalg RSA -keysize 2048 -validity 10000
```

- Sign the APK with that key:

```
jarsigner.exe -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore test.keystore -storepass password -keypass password path\<file.apk> android
```

Signing is optional only if you never intend to install the rebuilt APK: Android refuses unsigned packages. The new signature differs from the original developer's, so uninstall the original app first (`adb uninstall <package>`), or the install fails with a signature mismatch. Also note that `jarsigner` produces a v1 (JAR) signature only; apps targeting API 30 (Android 11) or later must carry a v2 or newer signature and are rejected at install time without one. For those, sign with `apksigner sign` from the Android SDK build-tools (after `zipalign`) instead of `jarsigner`.