Overview
Android apps are distributed as.apk files, ZIP archives containing compiled Dalvik bytecode (.dex), resources, and the manifest. Reverse engineering converts that bytecode back to readable Java/Kotlin source to find hardcoded secrets, logic flaws, and attack surface.
Primary tool: JADX, decompiles .dex → Java source directly, no intermediate smali step required.
JADX
Install
Decompile: CLI
Decompile APK to Java source:Decompile: GUI
- Tree view of all packages/classes
- Built-in search across all decompiled source (
Ctrl+Shift+F) - Cross-reference view, see every caller of a method
- Inline smali view alongside Java
- Jump to declaration (
Ctrl+Click)
Hunting for Secrets
Hardcoded Strings (CLI)
After decompilation, grep the source:strings.xml and resources
BuildConfig: often contains env flags and keys
Analyzing Authentication Logic
Find Login Activity
Find Crypto Usage
Find Network Calls / Endpoints
Find Root / Tamper Detection
isRooted() with Frida to always return false.