I mean, with 3 tools
Disclaimer
This post is for informational and educational purposes only
Requirements
Terminal Time
# extract classes.dex unzip -j <apkfile.apk> classes.dex # transform dex file to jar file d2j-dex2jar.sh classes.dex # read the sources jd-gui classes-dex2jar.jar Bonus
Do you use NativeScript/Ionic/Cordova/Phonegap/"insert some webview based mobile framework"?
This is how easy someone can read your javascript code
# find the bundled JS unzip -l <apK file> | grep '.js' # extract the bundle unzip -j <apk file> assets/app.js # find endpoint, or api keys cat app.js | grep 'api*\|http*' # DoS the endpoints echo "just kidding" Edit
If you want to avoid commands an just use an app with UI you have
Hope you find it useful and educational.
Cover Image from https://www.eff.org/issues/coders/reverse-engineering-faq
Top comments (2)
you don't have to unzip it.
Unzip only need when there is more than 1 dex file
You are right. I wanted to mention unzip for the bonus part.
And, as a matter of fact, you can use jadx and open directly the apk. Also you have a binary analysis tool from google