Intrepidus Group
Insight

Android App Decompilation Bake-Off

Posted: October 1, 2010 – 11:55 am | Author: | Filed under: android, Mobile Security, Tools

In our next blog post, we talk about the tools we’re using for decompiling Android applications during assessments. This is just a quick visual break down of how they each handle some code. Let’s take a look at the Open Source WordPress application for Android. Here is the actual source code for the signup class (click to enlarge the pics):

Original Source:

Source for the Signup Class ^

Undx:

First, we compiled the WordPress application, then ran undx against the APK file. This screen shot is from loading the jar that undx produces into into JD-GUI and locating the signup class. Notice the lack of variable names  and the URL string among other issues:

Undx output for the Signup Class ^

Dex2Jar:

Next, is the output from Dex2Jar also loaded into JD-GUI. This is much closer to the orginal source code:

Dex2Jar output for the Signup Class ^

Smali / Baksmali:

Unfortunately, the smali/baksmali output doesn’t screenshot nicely, but just for reference, here’s how most of that looks (this is with the debug flag and pulling out newlines):

Baksmali output for most of the Signup Class ^

We mentioned we’ve been using smali quite a bit and feel it’s the most reliable out of the three. Sometimes the undx and dex2jar decompilation will fail to return useful code. Here’s one case of what that can look like:

Dex2Jar Error ^

Overall, we find a number of these tools useful in our assessments. The next blog post will go into a few pitfalls we’ve had. Please stay tuned.

-benn

Both comments and trackbacks are currently closed.

One Trackback

  1. [...] This post was mentioned on Twitter by Tomasz Miklas, ChrisJohnRiley. ChrisJohnRiley said: [SharedReader] Android App Decompilation Bake-Off http://bit.ly/aziXbO [...]

image

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24731 items have been purified.