{"id":614,"date":"2011-03-23T23:22:05","date_gmt":"2011-03-23T22:22:05","guid":{"rendered":"http:\/\/cerezo.name\/blog\/?p=614"},"modified":"2024-10-14T14:21:10","modified_gmt":"2024-10-14T12:21:10","slug":"android-decompilation-obfuscation","status":"publish","type":"post","link":"http:\/\/cerezo.name\/blog\/2011\/03\/23\/android-decompilation-obfuscation\/","title":{"rendered":"Android Decompilation <span class=\"amp\">&amp;<\/span> Obfuscation"},"content":{"rendered":"<p style=\"text-align: justify;\">I get more than a hundred visits a day to my <a href=\"http:\/\/cerezo.name\/blog\/2011\/03\/03\/iphone-decompilation-obfuscation\/\" target=\"_blank\" rel=\"noopener\">iPhone Decompilation <span class=\"amp\">&amp;<\/span> Obfuscation<\/a> post, that\u2019s why writing an Android equivalent and comparing the results between them will be so interesting to assess platform demand from developers.<\/p>\n<p style=\"text-align: justify;\">To decompile an Android .apk file, you must follow the next&nbsp;steps:<\/p>\n<ol style=\"text-align: justify;\">\n<li>Download the app from the Android Market to your smartphone and backup the app with a tool like <a href=\"http:\/\/matrixrewriter.com\/android\/\" target=\"_blank\" rel=\"noopener\">Titanium<\/a> to get the .apk&nbsp;file<\/li>\n<li>Next, use <a href=\"http:\/\/code.google.com\/p\/android-apktool\/\" target=\"_blank\" rel=\"noopener\">apktool<\/a> to get back the project file structure and resources<\/li>\n<li>Then, use <a href=\"http:\/\/code.google.com\/p\/dex2jar\/\" target=\"_blank\" rel=\"noopener\">dex2jar<\/a> to the obtain .class files from the .dex&nbsp;files<\/li>\n<li>After that, use <a href=\"http:\/\/jd.benow.ca\/\" target=\"_blank\" rel=\"noopener\">jd-gui<\/a> or <a href=\"http:\/\/www.varaneckas.com\/jad\/\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">JAD<\/span><\/a> to decompile the .class files<\/li>\n<li>Most bytecode won\u2019t perfectly decompile and some routines will be hard to reconstruct from the bytecode: get ready to read java <span class=\"caps\">ASM<\/span> disassembled with <a href=\"http:\/\/code.google.com\/p\/smali\/\" target=\"_blank\" rel=\"noopener\">smali<\/a><\/li>\n<\/ol>\n<p style=\"text-align: justify;\">To obfuscate\/protect your application, consider following these&nbsp;steps:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><a href=\"http:\/\/android-developers.blogspot.com\/2010\/09\/proguard-android-and-licensing-server.html\" target=\"_blank\" rel=\"noopener\">ProGuard<\/a> is the most complete and useful tool to obfuscate applications, but you must use it with the following <a href=\"http:\/\/proguard.sourceforge.net\/index.html#\/manual\/examples.html#androidapplications\" target=\"_blank\" rel=\"noopener\" class=\"broken_link\">configuration file<\/a> to avoid any problem. Note that ProGuard is pre-packed in the <span class=\"caps\">SDK<\/span> from Android 2.3<\/li>\n<li style=\"text-align: justify;\">Use <a href=\"http:\/\/developer.android.com\/guide\/publishing\/licensing.html\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">LVL<\/span><\/a> for your paid applications, but remember that it has already been broken.<\/li>\n<li style=\"text-align: justify;\">Lastly, consider using Android <span class=\"caps\">NDK<\/span> for the most critical code. Writing <span class=\"caps\">JNI<\/span> code is a really cumbersome and error-prone, process that\u2019s why using specialized tools is essential to avoid errors and speedup development: to interface C libraries with Java, try <a href=\"http:\/\/www.swig.org\" target=\"_blank\" rel=\"noopener\"><span class=\"caps\">SWIG<\/span><\/a> and &nbsp;<a href=\"http:\/\/jogamp.org\/gluegen\/www\/\" target=\"_blank\" rel=\"noopener\">GlueGen<\/a>; in reverse, to interface Java with C try <a href=\"http:\/\/hawtjni.fusesource.org\/documentation\/index.html\" target=\"_blank\" rel=\"noopener\" class=\"broken_link\">HawtJNI<\/a>. It\u2019s a pity that the <a href=\"http:\/\/software.intel.com\/en-us\/articles\/integrated-debugger-for-javajni-environments\/\" target=\"_blank\" rel=\"noopener\" class=\"broken_link\">Integrated Debugger for Java\/<span class=\"caps\">JNI<\/span> Environments<\/a> is only available for the Apache Harmony <span class=\"caps\">JVM<\/span>, as it really helps in the difficult Java\/<span class=\"caps\">JNI<\/span> debugging process.<span id=\"v52717cc20\"><\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">As a final note, the results from the superb paper \u201c<a href=\"http:\/\/www.cs.princeton.edu\/~boaz\/Papers\/obfuscate.ps\" target=\"_blank\" rel=\"noopener\" class=\"broken_link\">On the (Im)Possibility of Obfuscating Programs<\/a>\u201d will always tame our aspirations in the obfuscation enterprise:<\/p>\n\n<div class=\"gde-error\"><span class=\"caps\">GDE<\/span> Error: Error retrieving file \u2014 if necessary turn off error checking (403:Forbidden)<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>I get more than a hundred visits a day to my iPhone Decompilation <span class=\"amp\">&amp;<\/span> Obfuscation post, that\u2019s why writing an Android equivalent and comparing the results between them will be so interesting to assess platform demand from developers. To decompile an Android .apk file, you must follow the next&nbsp;steps: Download the app from the Android&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"ngg_post_thumbnail":0},"categories":[12,6,15],"tags":[],"_links":{"self":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/614"}],"collection":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/comments?post=614"}],"version-history":[{"count":12,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/614\/revisions"}],"predecessor-version":[{"id":1651,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/posts\/614\/revisions\/1651"}],"wp:attachment":[{"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/media?parent=614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/categories?post=614"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cerezo.name\/blog\/wp-json\/wp\/v2\/tags?post=614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}