Sometimes, when bug hunting an Android app, it’s important to try to get to the source code, for instance if you want to scrape all REST API endpoints, even if you can already intercept the requests with Burp Suite.
Note: The quotes are intentional. You can’t get the actual source code back from an APK, due to the default ProGuard settings, but you can get pretty close to it.
Getting the APK
In order to get the APK from your phone, you must first enable USB debugging.
Your machine also needs ADB (which comes with Android Studio).
Note: Remember to update the app in question first. On a build that is missing security updates, you could end up reporting a duplicate.
With your phone plugged in, or your Android Virtual Device turned on, run this command to open a shell to Android:
PS C:\Users\L3n> adb shell
generic_x86:/ $
If you are using a physical phone, you need to confirm a dialog.
The first step in extracting the APK is identifying the package name of the app:
generic_x86:/ $ pm list packages
package:com.android.cts.priv.ctsshim
package:com.google.android.youtube
package:com.android.internal.display.cutout.emulation.corner
package:com.google.android.ext.services
package:com.android.internal.display.cutout.emulation.double
package:com.android.providers.telephony
package:com.android.dynsystem
...
Normally you can just grep that result for the name of the target company.
generic_x86:/ $ pm list packages | grep facebook
package:com.facebook.orca
… Which is Facebook in this case.
Now find the path:
generic_x86:/ $ pm path com.facebook.orca
package:/data/app/com.facebook.orca-b64==/base.apk
Now outside ADB’s shell, pull the APK with:
PS C:\Users\L3n> adb pull /data/app/com.facebook.orca-b64==/base.apk
/data/app/com.facebook.orca-b64==/base….e pulled, 0 skipped. 182.1 MB/s (49825900 bytes in 0.261s)
Done, you now have the app in the current directory.
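The steps above as one script, an added example that is not part of the original post: it filters `pm list packages` by keyword, pulls every path that `pm path` reports (an app installed as split APKs has more than one), and records a SHA-256 per file so a report can name the exact build tested. The `apks` output directory, the function names and the sample output are assumptions made for this example.

```python
import hashlib
import subprocess
import sys
from pathlib import Path, PurePosixPath

PREFIX = "package:"
# Constructed sample of `pm path` output for a split-APK install (not from the page)
SAMPLE_PM_PATH = ("package:/data/app/com.example.app-b64==/base.apk\r\n"
                  "package:/data/app/com.example.app-b64==/split_config.en.apk\r\n")

def adb(*args):
    """Run adb with the given arguments and return its stdout as text."""
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout

def strip_prefix(output):
    """Values of the 'package:<value>' lines printed by pm; other lines are skipped."""
    lines = (line.strip() for line in output.splitlines())
    return [line[len(PREFIX):] for line in lines if line.startswith(PREFIX)]

def find_packages(pm_list_output, keyword):
    """Package names containing keyword (the grep step), case-insensitive."""
    return [name for name in strip_prefix(pm_list_output)
            if keyword.lower() in name.lower()]

def apk_paths(pm_path_output):
    """All APK paths of one package; split-APK installs have several."""
    return strip_prefix(pm_path_output)

def pull_package(package, dest_dir):
    """Pull every APK of package into dest_dir/package; return {file name: sha256}."""
    paths = apk_paths(adb("shell", "pm", "path", package))
    if not paths:
        raise RuntimeError(f"pm path returned nothing for {package}")
    target = Path(dest_dir) / package
    target.mkdir(parents=True, exist_ok=True)
    digests = {}
    for remote in paths:
        local = target / PurePosixPath(remote).name  # device paths are POSIX paths
        adb("pull", remote, str(local))
        digests[local.name] = hashlib.sha256(local.read_bytes()).hexdigest()
    return digests

if __name__ == "__main__":
    keyword = sys.argv[1]  # e.g. the target company name
    for pkg in find_packages(adb("shell", "pm", "list", "packages"), keyword):
        for name, digest in pull_package(pkg, "apks").items():  # "apks" is an assumed directory
            print(f"{pkg}/{name} sha256={digest}")
```

Run it from the host with the keyword as its only argument; the device or emulator must already be visible to `adb`.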
Decompiling the APK
For this part, you could either go the extra mile and decompile with apktool and JD-GUI, or just open the APK with JADX.
Personally I haven’t had any issues with JADX, though if you want to modify the source (like making the app accept user certificates, to use Burp Suite on Nougat+ devices), you must go that extra mile.