June 13, 2026
Useful tools and commands for decoding APK files
TLDR
Iason Tzortzis
1 min read
This blog describes how someone can use command line tools to decode .apk files
What are APK files
APK files are nothing more than a zip file containing resources and assembled java code. If you were to simply unzip an apk like:
unzip TestApp.apkunzip TestApp.apkYou would be left with files such as classes.dex and resources.arsc.
However, at this point we would have simply inflated compiled sources. Meaning they are not humanly readable.
When decoding apk files the first file we want to look at is the android manifest file which is the main configuration file used by all Android applications. It's used by Android to get information about the application as well as what functionalities are exposed to other applications (amongst other things).
Using apktool to decode APK files
Editing or viewing a compiled file is next to impossible. That is where Apktool comes into play.
curl -L -O https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
curl -L -O https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_3.0.2.jar # Most current version available as of now
mv apktool /usr/local/bin
mv apktool_3.0.2.jar /usr/local/bin
chmod +x apktool
chmod +x apktool_3.0.2.jar
sudo apt install default-jre -y
apktool d TestApp.apkcurl -L -O https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
curl -L -O https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_3.0.2.jar # Most current version available as of now
mv apktool /usr/local/bin
mv apktool_3.0.2.jar /usr/local/bin
chmod +x apktool
chmod +x apktool_3.0.2.jar
sudo apt install default-jre -y
apktool d TestApp.apkThrough using the Apktool we end up with something much more humanly readable.
Using jad and dex2jar to reverse engineer the source code of APK files
Apktool will extract the application's code as Smali code in the Smali directory, however Smali code is not very intuitive and it will make it harder to reverse engineer the application.
Smali: Smali is the human-readable assembly language for Android's Dalvik/ART virtual machine. It is essentially the disassembled version of DEX (Dalvik Executable) bytecode.
To combat this, we can do the following:
- Extract the application ourself using unzip
- Use a tool such as dex2jar to convert the extracted classes.dex file to a jar file
- Use a tool such as jad to convert compiled Java bytecode (.class files) back into readable Java source code.
Download from here: https://sourceforge.net/projects/dex2jar/files/
unzip dex2jar-2.0.zip
unzip TestApp.apk
chmod +x dex2jar-2.0/d2j_invoke.sh
chmod +x dex2jar-2.0/d2j-dex2jar.sh
./dex2jar-2.0/d2j-dex2jar.sh classes.dex
unzip classes-dex2jar.jar
Download from here: https://www.javadecompilers.com/jad/Jad%201.5.8e%20for%20Linux%20(statically%20linked).zip
chmod +x jad
./jad com/foo/bar/TestJavaClass.class
mv TestJavaClass.jad TestJavaClass.javaDownload from here: https://sourceforge.net/projects/dex2jar/files/
unzip dex2jar-2.0.zip
unzip TestApp.apk
chmod +x dex2jar-2.0/d2j_invoke.sh
chmod +x dex2jar-2.0/d2j-dex2jar.sh
./dex2jar-2.0/d2j-dex2jar.sh classes.dex
unzip classes-dex2jar.jar
Download from here: https://www.javadecompilers.com/jad/Jad%201.5.8e%20for%20Linux%20(statically%20linked).zip
chmod +x jad
./jad com/foo/bar/TestJavaClass.class
mv TestJavaClass.jad TestJavaClass.javaNow we converted the compiled Java bytecode (.class files) back into readable Java source code, thereby having a more pleasant experience now reading the applications source code.
If you want to use this in practise I would highly recommend the Android labs in the cybersecurity education platform https://pentesterlab.com/
I would love to hear any feedback or any criticism if some concept was explained wrong so don't be afraid to contact me ๐
Social media links:
Github: https://github.com/Iason-Tzortzis
LinkedIn: https://gr.linkedin.com/in/iason-tzortzis-788559229