Both for developers and for curious people who want to know what’s really going on inside the device and who it communicates with outside.
We can obtain the source code of an application in just a few simple steps. The code may not be as clean as we’d like it to be, but it can still be read.
Reverse engineering with an APK file – is it legal?
The process of getting programming code from an executable file or any other already compiled file is called reverse engineering. Normal engineering, if you like, would be the development of the source code itself.
Whether this activity is legal depends on the case. Legislation differs from country to country and may allow more or less.
In the particular case of Spain, the legislation allows reverse engineering with a series of conditions that we can read in article 100 of the Law on Intellectual Property.
To sum up: we may extract the code as long as we own the program or are licensed to use it, the information has not been previously disclosed, and the information obtained is not used to market a substantially similar program that infringes copyright.
In our case it is mainly useful to learn how to develop code by looking at real examples.
Extracting the code from an APK
If the application is Open Source, you only have to look for the source code, which is normally hosted in GitHub repositories. If it’s not Open Source, we have to do the following:
To read the code of a file with the .apk extension we need several tools, and to start we need the APK file of the application.
To get it we can look for it in online application repositories or, if we have the application installed on the device, we can extract the APK with a file explorer.
From here there are several methods, several paths that lead more or less to the same result. Here’s the one that’s easiest for me.
Download two tools that we will need later. One is dex2jar, a tool for exporting the APK’s classes to a Java archive with the .jar extension. The other is JD-GUI, an application for reading .jar files, available for different systems.
Make a copy of the application’s APK file and change the extension from .apk to .zip. Save it.
Open the .zip file and extract the classes.dex file. Place this file in the uncompressed folder of dex2jar.
In an empty area of the folder, hold Shift on the keyboard and press the right mouse button (in Windows). From the menu choose ‘Open a command window here’.
In the newly opened console enter the command ‘d2j-dex2jar.bat classes.dex’. Press Enter and after a few seconds you will find a new file called ‘classes-dex2jar.jar’ in the same folder. Alternatively you can use the online platform APK decompiler.
With this new file ‘classes-dex2jar.jar’ we can explore the source code of the application and see all its classes with the JD-GUI program.
Unzip the JD-GUI .zip file and run the .exe file that you will find in its folder. Once the program starts, select the icon to open a file or go to File > Open file…, choose the ‘classes-dex2jar.jar’ file located in the dex2jar folder and open it.
You will be able to see the libraries that the application uses and the classes that it has.
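The "rename to .zip and extract classes.dex" step above can also be scripted. The following is an added example, not code from the original article: it goes a little further than the manual steps by also picking up classes2.dex, classes3.dex and so on (used by multidex applications) and by checking each file's DEX header before handing it to dex2jar. The function names and the sample archive are constructed for illustration.

```python
import io, re, struct, zipfile, zlib
from pathlib import Path

DEX_NAME = re.compile(r"classes\d*\.dex")    # top-level classes.dex, classes2.dex, ...
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")   # e.g. b"dex\n035\x00"
HEADER_SIZE = 0x70

def extract_dex(apk, out_dir=None):
    """Return {entry: info} for top-level DEX entries; write valid ones to out_dir."""
    found = {}
    with zipfile.ZipFile(apk) as zf:          # an APK is a ZIP archive
        for name in sorted(zf.namelist()):
            if not DEX_NAME.fullmatch(name):  # also rejects names containing paths
                continue
            data = zf.read(name)
            if len(data) < HEADER_SIZE or not DEX_MAGIC.fullmatch(data[:8]):
                found[name] = {"valid": False}
                continue
            checksum, = struct.unpack_from("<I", data, 8)   # Adler-32 of bytes 12..end
            size, = struct.unpack_from("<I", data, 32)      # file_size header field
            valid = size == len(data) and checksum == zlib.adler32(data[12:])
            found[name] = {"valid": valid, "version": data[4:7].decode(), "size": size}
            if valid and out_dir is not None:
                Path(out_dir, name).write_bytes(data)
    return found

def constructed_dex(body=b""):
    """Constructed sample: a header-only DEX with correct size and checksum."""
    rest = bytes(20) + struct.pack("<I", HEADER_SIZE + len(body))
    rest += bytes(HEADER_SIZE - 12 - len(rest)) + body
    return b"dex\n035\x00" + struct.pack("<I", zlib.adler32(rest)) + rest

def constructed_apk():
    """Constructed sample archive standing in for the copied APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        zf.writestr("classes.dex", constructed_dex())
        zf.writestr("classes2.dex", constructed_dex(bytes(16)))
        zf.writestr("classes3.dex", b"truncated")          # fails the header check
        zf.writestr("assets/classes.dex", b"decoy")         # not top-level: skipped
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, info in extract_dex(constructed_apk()).items():
        print(name, info)
```

With a real file, call extract_dex with the path to the APK copy and the dex2jar folder as out_dir; an entry reported as invalid is truncated or not a DEX file at all.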
Problems that may arise with the code
Reverse engineering tools don’t usually recover the original code 100%. There is a certain mismatch between the code that was written and the code that is retrieved. Generally the creators of an application do not like third parties being able to play with code that took them so much work to develop.
To protect application code, Google created a tool called ProGuard a few years ago. This tool optimizes the application code and protects it from further reverse engineering. Nowadays most applications have their code optimized with ProGuard, so the recovered code can be very hard to understand because its organization is lost.