Is there a way to get the source code from an APK file?

Question

The hard drive on my laptop just crashed and I lost all the source code for an app that I have been working on for the past two months. All I have is the APK file that is st

Answer 1

Yes, it is possible.

There are tons of software available to reverse engineer an android .apk file.

Recently, I had compiled an ultimate list of 47 best APK decompilers on my website. I arranged them into 4 different sections.

1. Open Source APK Decompilers
2. Online APK Decompilers
3. APK Decompiler for Windows, Mac or Linux
4. APK Decompiler Apps

I hope this collection will be helpful to you.

Link: https://www.edopedia.com/blog/best-apk-decompilers/

Answer 2

1. Extracting the source from a native Android application

The source code of a native Android application is not difficult to obtain, but it does require extra tools that are compatible with Windows, Mac, and Linux. My personal favorites when it comes to tools are dex2jar and JD-GUI.

If you’re unfamiliar with these tools, dex2jar will read Dalvik Executable files and convert them to the standard JAR format. JD-GUI will read JAR files and decompile the class files found in them.

To make the extraction process easier to understand, let’s start by creating a fresh native Android project:

android create project --target 19 --name TestProject --path . --activity TestProjectActivity --package com.nraboy.testproject

The above command will leave you with an Android project in your current command prompt path.

Since our project has an Activity class already included, lets jump straight into the build process. You can give me a hard time all day long about using Ant instead of Gradle or Maven, but for this tutorial I’m going to stick with it.

ant debug

The above command will create a debug build typically found at bin/TestProject-debug.apk.

Using your favorite unzip tool, extract the APK file. 7-zip is a popular tool, but if you’re on a Mac you can just run the following from the Terminal:

unzip TestProject-debug.apk

This will leave us with a bunch of files and folders, but one is important to us. Make note of classes.dex because it contains all of our source code. To convert it into something readable we need to run dex2jar on it. You can use dex2jar on Mac, Linux, and Windows, but I’m going to explain from a Mac perspective.

With the classes.dex file in your extracted dex2jar directory, run the following from the Terminal:

./dex2jar.sh classes.dex

Open the JD-GUI application that you downloaded because it is now time to decode the JAR and packaged class files. Open the freshly created classes_dex2jar.jar file and you should see something like the following:

See how easy it was to get to the source code of your native Android APK? Now what can you do to better protect yourself?

The Android SDK ships with Proguard, which is a obfuscation module. What is obfuscation you ask?

Obfuscation via Wikipedia:

Obfuscation (or beclouding) is the hiding of intended meaning in communication, making communication confusing, willfully ambiguous, and harder to interpret.

While obfuscation will not encrypt your source code, it will make it more difficult to make sense of. With Proguard configured, run Ant in release mode and your code should be obfuscated on build.

2. Extracting the source from a hybrid Android application

The source code of hybrid applications are by far the easiest to extract. You don’t need any extra software installed on your computer, just access to the APK file.

To make things easier to understand, lets first create a fresh Apache Cordova project and then extract it. Start by doing the following:

cordova create TestProject com.example.testproject TestProject
cd TestProject
cordova platform add android

During the project creation process you are left with the default Apache Cordova CSS, HTML, and JavaScript templates. That is fine for us in this example. Let’s go ahead and build our project into a distributed APK file:

cordova build android

You’re going to be left with platforms/android/ant-build/CordovaApp-debug.apk or something along the lines of platforms/android/ant-build/*-debug.apk.

Even though this is a debug build, it is still very usable. With 7-zip or similar installed, right click the APK file and choose to extract or unzip it. In the extracted directory, you should now have access to all your web based source files. I say web based because any Java files used by Apache Cordova will have been compiled into class files. However, CSS, HTML, and JavaScript files do not get touched.

You just saw how depressingly easy it is to get hybrid application source code. So what can you do to better protect yourself?

You can uglify your code, which is a form of obfuscation.

Doing this will not encrypt your code, but it will make it that much more difficult to make sense of.

If you want to uglify your code, I recommend you install UglifyJS since it is pretty much the standard as of now. If you prefer to use a task runner, Grunt and Gulp have modules for UglifyJS as well.

Answer 3

Android studio offers you to analyse any apk file.

1 - From build menu choose analyse apk option and select apk file. 2 - This will result in you the classes.dex file and other files. 3 - Click on classes.dex which will give you the list of folders, packages, libraries and files. 4 - From and android studio settings install a plugin called "Dex to Jar" 5 - click on any activity file of your extracted project and choose dex to jar from the build menu.

This will result in you the actual code of your java file.

Cheers.

Answer 4

I found the following as the simplest method:

1. Rename your app.apk to app.zip (Change extension from apk to zip)
2. Extract the zip file into a folder
3. Use JADX tool to read the source code, present in classes.dex file.

Answer 5

I developed a Tool - Code Analyzer, it runs in iPhone/iPad/Mac, to analyze Java/Android files, https://decompile.io

Answer 6

While you may be able to decompile your APK file, you will likely hit one big issue:

it's not going to return the code you wrote. It is instead going to return whatever the compiler inlined, with variables given random names, as well as functions given random names. It could take significantly more time to try to decompile and restore it into the code you had, than it will be to start over.

Sadly, things like this have killed many projects.
For the future, I highly recommend learning a Version Control System, like CVS, SVN and git etc.

and how to back it up.