The task was to improve the work of the customer's Android application and add additional features to it. But the complexity arouse because the source code and the server documentation were accidentally lost. The only piece of the code available was the initial Java code written many years ago, representing the first half of the app. The customer wanted to improve the app, make it work on the newly emerged platforms and eliminate the bugs. Of course, the easiest way could be to write the code from scratch but this approach was under no discussion. The client wanted to save money. So, we ended up with APK reverse engineering solution.
The Mobile Development team was facing the challenge of being creative and using different combinations of tools and approaches to inspect the existing part of the code, try to reverse APK to source code, reconnect the app and the server communication and upgrade it to a high-quality flawless level.
The first step is to download the application APK file. Android application package looks like an ordinary ZIP file and it's rather easy to screen it and see what's inside. For example, Linux unzip could be used. Once you unzip the APK file the following structure is becoming visible:
- META-INF/ contains the digital certificate of the application. It holds the information about its creator and the package files check sum;
- res/ represents different resources that are used by the application, for example, pictures;
- AndroidManifest.xml features the description of the application. The list of the requested permissions and the target version of Android could be found there;
- classes.dex is a compiled application byte-code for the virtual machine Dalvik;
- resources.arsc are the resources of a different kind, these are mostly the strings of code;
- assetsis the analog of resources repository. To get access you have to provide its identifier;
- lib are native libraries that are written using NDK.
There are a couple of ways to get the application APK file from its existing form on Play Market to your personal computer:
- use the extension APK Downloader for Chrome;
- use the application Real APK Leecher or its analogs;
- use various share sites;
- use online services, for example, apk-dl.com or apps.evozi.com/apk-downloader/;
- get the root access for the device and with the help of Android application root explorer download the APK from the folder on your device: data/app.
The team was operating on the device with the root rights, so the last option mentioned was definitely the choice.
Once the APK file is transferred to the personal computer, it needs android reverse engineering to obtain the manageable format. There was no need to work with the smali code (you get with the help of apktool) to make small improvements and pack the application back into the APK format. That's why we modified dex code into Java code. It was clear that Java code won't be original and it'll be impossible to compile it back but it wasn't one of the goals. Java format made the code readable and easy to track the logic of how the application works.
There are two main reverse engineering tools we used:
- Dex2jar turns byte-code Dalvik into byte-code JVM. The latter serves as the basis to get the needed Java code;
- Jd-gui is a decompiler that helps to get a readable Java code out of JVM byte-code. As an alternative, one may use Jad even if it's quite old already. In some cases, it could generate a more readable code than Jd-gui.
When Java code is received the team reads and analyzes it carefully. Then it is relocated and its biggest part is modified. The restored resources and the code of the application are transferred to a new project created in Android Studio.
The next step was to figure out how the code communicates with the server under the condition that there was no server documentation left. There were two proxy servers installed: Fiddler went to Windows and Charles trial version went to MacOS. These tools work different ways so it was possible to gather all the information received from them and analyze it better. Eventually, having used the reverse engineered APK, it became possible to understand the logic of the application client-server communication and the routes were carefully written down to document the backend API;
The biggest amount of time was spent on fixing bugs, code cleaning, code restoring and adding new lines of code that will eventually add new features to the whole application. The goal was to turn the source APK into a working and reliable one.
We've managed to restore the original source code within 14 working days. It took a few more weeks to implement new features and improve the application according to the customer's requests. For the record, the amount of time spent by developers to fulfill this task could be shown by means of infographics:
Time Spent on Reverse Engineering part, %% (14 full days)
Finally, within the period of 14 working days, Scand mobile development team was able to perform a number of complex manipulations: decompiled android APK, got the initial code and analyzed it as well as restored the communication with the server part of the application.
Eventually, it became possible to update the code of the application and bring new features to life. It was challenging and quite exciting to go through the brainstorm and picking up the needed tools and actions to facilitate the work.