Learn how to use jadx to decompile an Android app and gain access to the manifest file and the Java code.
- [Instructor] A key issue to keep in mind when developing Android apps is that their manifest, resources, and Java source code are all recoverable from the APK and therefore should not contain secrets or sensitive processing functions. We can use a tool called Jadx to extract the source files from an APK. Jadx can be downloaded from the GitHub site as a ZIP archive. I've downloaded this and extracted it. So let's take a look. The Jadx GUI batch file and executable are in the bin folder. I can start Jadx by double-clicking the bat file.
We've now got the user interface up and can open an APK file. I'll load a commercial mobile app I've downloaded, the Vodafone Australia text reader application. Jadx shows two top-level folders in the left pane: a source folder and a resources folder. I'll firstly look at the resources folder. When I expand it, I see that the manifest file is listed. If I click on that, I can see the XML source. The manifest file is a good place to start exploring the characteristics of the application.
We can see Android activities being declared, and the permissions required. We'll also see intent filters declared in the manifest file. We can see the five folders in the top-level source code folder. I'll expand the au.com.vodafone.Android.SMSReader entry. And we can see the list of classes it contains. Let's look at a source file. If I click on the BackgroundEmailSender class, I can see the reconstituted Java source code. Applications can often have a large number of files and we can use features in Jadx to help navigate around.
Jadx offers a search function from the navigation main menu item, which allows us to select where in the app we can find the text. For example, we can enter SMS. We can also right-click on an item to find other places where it's used. For example, if I right-click on the call to send mail, and select find usage, I get the call and the declaration of the function listed. Now we know how to look at the source of an application, let's go back to the apps we've built, using PhoneGap and RAD Studio.
The PhoneGap app is called hello-release.apk. Let's open it. We can see the top-level com.malcolmshore.hello and when we expand this, we can see three source files, one of which is called Hello. I'll click on that to display the source. What PhoneGap has done for us is to create a mobile app which calls a function named load url. This takes launch url as a parameter. I can search for this string.
And we see it's declared in org.apache.cordova.ConfigXmlParser as being asset/www/index.html. If I expand the resources top-level entry, and expand assets, and then expand www, we can see a number of files listed, including index.html. Scrolling down, we can see the text a big Hello that we inserted.
So when using PhoneGap, we can recover the complete app through its web content pages held as assets. Let's look at the RAD Studio app. That's called SMX.apk. Again we see the source code and resources folders. I'll firstly open the resources and look at AndroidManifest.xml. We can see the activity section which is annotated launcher, pointed to the Java routine firemonkey.fmxnativeactivity. I'll now expand the source code folder Android and com.
And under com we can see android.vending.billing, embarcadero, and google. If we expand embarcadero we can see the firemonkey folder, that's the RAD Studio visual interface for mobiles. If I expand that, I can see FMXNativeActivity. This is a live routine which manages the running of the app. But of our source code, there's no trace. It's been converted to native code in a .so form.
If we look at resources lib, we can see the supported processor types, and under each, the relevant .so files.
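The following is an added example, not part of the original transcript: a release check for your own build that opens the APK as a ZIP and sorts its entries by how they can be recovered, matching the three cases walked through above (manifest and dex, web content under assets/www, native .so files under lib per processor type). The sample archive, its file names, and the SECRET_HINT pattern are constructed for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# Hypothetical pattern for a release check; tune it to your own project.
SECRET_HINT = re.compile(rb"(?i)(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{4,}['\"]")

def audit_apk(apk):
    """Classify what ships in an APK (path or file object) by how it is recoverable."""
    report = {"manifest": False, "dex": [], "web_assets": [],
              "native_libs": defaultdict(list), "secret_hints": []}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                report["manifest"] = True            # binary XML, decoded by tools like Jadx
            elif re.fullmatch(r"classes\d*\.dex", name):
                report["dex"].append(name)           # decompiles back to readable Java
            elif name.startswith("assets/www/") and not name.endswith("/"):
                report["web_assets"].append(name)    # web content shipped as-is
                if SECRET_HINT.search(zf.read(name)):
                    report["secret_hints"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                parts = name.split("/")
                if len(parts) == 3:                  # lib/<abi>/<file>.so
                    report["native_libs"][parts[1]].append(parts[2])
    report["native_libs"] = dict(report["native_libs"])
    return report

def build_sample_apk():
    """Constructed stand-in for an APK: a ZIP holding only the relevant entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("assets/www/index.html", "<h1>a big Hello</h1>")
        zf.writestr("assets/www/js/config.js", 'var apiKey = "EXAMPLE-NOT-REAL";')
        zf.writestr("lib/armeabi-v7a/libexample.so", b"\x7fELF")
        zf.writestr("lib/x86/libexample.so", b"\x7fELF")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for key, value in audit_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Pass a real file path to `audit_apk` to check a release build before publishing; anything listed under `secret_hints` is readable by whoever downloads the APK.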
- Understanding Android OS, app, and hardware security components
- Using the Trusted Execution Environment
- Developing Android apps with security in mind
- Analyzing existing applications
- Understanding Android vulnerabilities
- Securing Android apps
- Developing secure enterprise apps