I get more than a hundred visits a day to my iPhone Decompilation & Obfuscation post, so writing an Android equivalent and comparing the results between the two should be an interesting way to assess platform demand from developers.
To decompile an Android .apk file, follow these steps:
- Download the app from the Android Market to your smartphone and backup the app with a tool like Titanium to get the .apk file
- Next, use apktool to get back the project file structure and resources
- Then, use dex2jar to obtain the .class files from the .dex files
- After that, use jd-gui or JAD to decompile the .class files
- Most bytecode won’t decompile perfectly, and some routines will be hard to reconstruct from it: get ready to read Java ASM disassembled with smali
To obfuscate/protect your application, consider following these steps:
- ProGuard is the most complete and useful tool to obfuscate applications, but you must use it with the following configuration file to avoid problems. Note that ProGuard has been pre-packaged in the SDK since Android 2.3
- Use LVL for your paid applications, but remember that it has already been broken.
- Lastly, consider using the Android NDK for the most critical code. Writing JNI code is a really cumbersome and error-prone process, which is why specialized tools are essential to avoid errors and speed up development: to interface C libraries with Java, try SWIG and GlueGen; in reverse, to interface Java with C, try HawtJNI. It’s a pity that the Integrated Debugger for Java/JNI Environments is only available for the Apache Harmony JVM, as it really helps in the difficult Java/JNI debugging process.
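To check what the ProGuard step above actually hides, you can audit the mapping.txt it writes and list every name that survived unchanged, since those are exactly what jd-gui or smali will still show. This is an added example, not code from the original post; the sample mapping and its com.example names are constructed for illustration.

```python
import re

# Constructed sample in ProGuard's mapping.txt format (hypothetical com.example names).
SAMPLE_MAPPING = """\
com.example.app.MainActivity -> com.example.app.MainActivity:
    android.widget.Button loginButton -> a
    void <init>() -> <init>
    void onCreate(android.os.Bundle) -> onCreate
    12:15:void refreshToken() -> b
com.example.app.license.LicenseChecker -> com.example.app.a.a:
    java.lang.String publicKey -> a
    20:31:boolean verify(java.lang.String) -> a
com.example.app.NativeBridge -> com.example.app.NativeBridge:
    int decrypt(byte[]) -> decrypt
"""

# "original.Class -> obfuscated.Class:"
CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# "    [first:last:]type name[(args)][:first:last] -> obfuscated"
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*\))?(?::\d+:\d+)? -> (\S+)$")


def audit_mapping(text):
    """List the class and member names that obfuscation left unchanged."""
    kept_classes, kept_members = [], []
    total_classes = total_members = 0
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comment lines carry no mapping
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            total_classes += 1
            if m.group(1) == m.group(2):
                kept_classes.append(current)
            continue
        m = MEMBER_RE.match(line)
        if m and current:
            name, obfuscated = m.groups()
            if name in ("<init>", "<clinit>"):
                continue  # constructors and static initializers are never renamed
            total_members += 1
            if name == obfuscated:
                kept_members.append(f"{current}.{name}")
    return {"classes": total_classes, "members": total_members,
            "kept_classes": kept_classes, "kept_members": kept_members}


if __name__ == "__main__":
    print(audit_mapping(SAMPLE_MAPPING))
```

In the sample, the Activity and the class holding the native method keep their names because the manifest and the JNI library refer to them by name, so sensitive logic placed there gains nothing from renaming.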
As a final note, the results from the superb paper “On the (Im)Possibility of Obfuscating Programs” will always temper our aspirations in the obfuscation enterprise.