Bug Bounty · Mobile · Pentesting

How to “Decompile” an Android APK (from Play Store)

Sometimes, when bug hunting an Android app, it’s worth getting as close to the source code as you can, for instance to scrape all of its REST API endpoints, even if you can already intercept its traffic with Burp Suite: static analysis also turns up endpoints the app never happened to call while you were proxying it.

Note: The quotes are intentional. You can’t get the actual source code back out of an APK: it contains compiled Dalvik bytecode (DEX), not Java/Kotlin, and release builds usually run ProGuard/R8, which strips and renames classes, methods and fields. You can, however, get pretty close to it.

Getting the APK

In order to get the APK off your phone, you must first enable USB debugging (Settings → Developer options).

Your machine also needs ADB, which is part of the Android SDK Platform-Tools (installed with Android Studio, or available as a separate download).

Note: Update the app in question first. If you analyze an old version you risk reporting something that has already been fixed and getting your report closed as a duplicate.

With your phone plugged in, or your Android Virtual Device turned on, run this command to open a shell to Android:

PS C:\Users\L3n> adb shell
generic_x86:/ $

If you are using a physical phone, you need to accept the “Allow USB debugging?” dialog on the device the first time you connect.

The first step of extracting the APK is identifying the package name of the app:

generic_x86:/ $ pm list packages
package:com.android.cts.priv.ctsshim
package:com.google.android.youtube
package:com.android.internal.display.cutout.emulation.corner
package:com.google.android.ext.services
package:com.android.internal.display.cutout.emulation.double
package:com.android.providers.telephony
package:com.android.dynsystem
...

Normally you can just grep that output for the target company’s name:

generic_x86:/ $ pm list packages | grep facebook
package:com.facebook.orca

… which is Facebook Messenger in this case (the main Facebook app is com.facebook.katana).

Now find the path of the installed APK. Apps distributed as App Bundles will show several lines here (base.apk plus split_config.*.apk files); base.apk holds the main code, but pull the splits too if you need the resources:

generic_x86:/ $ pm path com.facebook.orca
package:/data/app/com.facebook.orca-b64==/base.apk

Now outside ADB’s shell, pull the APK with:

PS C:\Users\L3n> adb pull /data/app/com.facebook.orca-b64==/base.apk
/data/app/com.facebook.orca-b64==/base….e pulled, 0 skipped. 182.1 MB/s (49825900 bytes in 0.261s)

Done: base.apk is now in your current directory.
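The same steps as a script, added here as an example rather than taken from the post: it looks up every package matching a pattern, reads all lines of `pm path` (so split APKs from App Bundles are pulled along with base.apk) and strips the `package:` prefix and stray CR characters that break path handling. It assumes `adb` on PATH, a single attached device, and a POSIX shell (Git Bash or WSL on Windows); the sample `pm path` output and the `com.example.app` package are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): pull every APK belonging to
# packages whose name matches a pattern. Assumes `adb` is on PATH, one device
# or emulator is attached, and a POSIX shell (Git Bash or WSL on Windows).

# `pm list packages` and `pm path` prefix every line with "package:" and, on
# Windows hosts, lines may end in CRLF. Strip both so the rest of the script
# sees clean package names / device paths. Pure text processing, no device
# needed, which is why it is kept as a separate function.
strip_package_prefix() {
    sed -n 's/^package://p' | tr -d '\r'
}

# Constructed sample of `pm path` output for an app installed from an
# App Bundle: base.apk plus configuration splits. Used only for offline demo.
SAMPLE_PM_PATH='package:/data/app/com.example.app-1/base.apk
package:/data/app/com.example.app-1/split_config.arm64_v8a.apk
package:/data/app/com.example.app-1/split_config.en.apk'

# Installed package names matching a case-insensitive pattern (e.g. "facebook").
find_packages() {
    adb shell pm list packages | strip_package_prefix | grep -i -- "$1" || true
}

# Pull every APK of one package into <outdir>/<package>/. Iterating over all
# lines matters: since App Bundles, `pm path` often returns several files and
# base.apk alone may be missing resources or code that live in splits.
pull_package() {
    local pkg="$1" dest="${2:-.}/$1"
    mkdir -p "$dest"
    adb shell pm path "$pkg" | strip_package_prefix | while IFS= read -r apk; do
        if [ -n "$apk" ]; then adb pull "$apk" "$dest/"; fi
    done
    echo "$pkg -> $dest:"; ls "$dest"
}

main() {
    local pattern="$1" outdir="${2:-.}" pkgs
    pkgs=$(find_packages "$pattern")
    if [ -z "$pkgs" ]; then
        echo "no installed package matches '$pattern'" >&2
        return 1
    fi
    echo "$pkgs" | while IFS= read -r pkg; do pull_package "$pkg" "$outdir"; done
}

# Usage: ./pull_apk.sh facebook ./apks
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `./pull_apk.sh facebook ./apks`; each matching package ends up in its own directory under `./apks`, which keeps base.apk and its splits together for the decompilation step.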

Decompiling the APK

For this part, you can either go the extra mile with apktool (which decodes the manifest and resources and disassembles the DEX to smali) plus dex2jar and JD-GUI (which convert the DEX to a JAR and show it as Java),

or you can just open the APK in JADX, which decompiles DEX straight to Java in one step.

Personally I haven’t had any issues with JADX, though if you want to modify the source (like making the app accept user certificates, to use Burp Suite on Nougat+ devices).
