Apktool - Android APK Unpacking and Resource Extraction

You are helping the user reverse engineer Android APK files using apktool for security analysis, vulnerability discovery, and understanding app internals.

Tool Overview

Apktool is a tool for reverse engineering Android APK files. It can decode resources to nearly original form and rebuild them after modifications. It's essential for:

• Extracting readable AndroidManifest.xml
• Decoding resources (XML layouts, strings, images)
• Disassembling DEX to smali code
• Analyzing app structure and permissions
• Repackaging modified APKs

Prerequisites

• apktool must be installed on the system
• Java Runtime Environment (JRE) required
• Sufficient disk space (unpacked APK is typically 2-5x original size)
• Write permissions in output directory

Instructions

1. Basic APK Unpacking (Most Common)

When the user asks to unpack, decode, or analyze an APK:

Standard decode command:

apktool d <apk-file> -o <output-directory>

Example:

apktool d app.apk -o app-unpacked

With force overwrite (if directory exists):

apktool d app.apk -o app-unpacked -f

2. Understanding Output Structure

After unpacking, the output directory contains:

app-unpacked/
├── AndroidManifest.xml          # Readable manifest (permissions, components)
├── apktool.yml                  # Apktool metadata (version info, SDK levels)
├── original/                    # Original META-INF certificates
│   └── META-INF/
├── res/                         # Decoded resources
│   ├── layout/                  # XML layouts
│   ├── values/                  # Strings, colors, dimensions
│   ├── drawable/                # Images and drawables
│   └── ...
├── smali/                       # Disassembled DEX code (smali format)
│   └── com/company/app/        # Package structure
├── assets/                      # App assets (if present)
├── lib/                         # Native libraries (if present)
│   ├── arm64-v8a/
│   ├── armeabi-v7a/
│   └── ...
└── unknown/                     # Files apktool couldn't classify

3. Selective Decoding (Performance Optimization)

Skip resources (code analysis only):

apktool d app.apk -o app-code-only -r
# or
apktool d app.apk -o app-code-only --no-res

• Faster processing
• Only extracts smali code and manifest
• Use when you only need to analyze code logic

Skip source code (resource analysis only):

apktool d app.apk -o app-resources-only -s
# or
apktool d app.apk -o app-resources-only --no-src

• Faster processing
• Only extracts resources and manifest
• Use when you only need resources, strings, layouts

4. Common Analysis Tasks

A. Examining AndroidManifest.xml

The manifest reveals critical security information:

# After unpacking
cat app-unpacked/AndroidManifest.xml

Look for:

• Permissions: What device features/data the app accesses
• Exported components: Activities, services, receivers accessible from other apps
• Intent filters: How the app responds to system/app intents
• Backup settings: android:allowBackup="true" (security risk)
• Debuggable flag: android:debuggable="true" (major security issue)
• Network security config: Custom certificate pinning, cleartext traffic
• Min/Target SDK versions: Outdated versions may have vulnerabilities

Example analysis commands:

# Find all permissions
grep "uses-permission" app-unpacked/AndroidManifest.xml

# Find exported components
grep "exported=\"true\"" app-unpacked/AndroidManifest.xml

# Check if debuggable
grep "debuggable" app-unpacked/AndroidManifest.xml

# Find all activities
grep "android:name.*Activity" app-unpacked/AndroidManifest.xml

B. Extracting Strings and Resources

# View all string resources
cat app-unpacked/res/values/strings.xml

# Search for API keys, URLs, credentials
grep -r "api" app-unpacked/res/values/
grep -r "http" app-unpacked/res/values/
grep -r "password\|secret\|key\|token" app-unpacked/res/values/

# Find hardcoded URLs in resources
grep -rE "https?://" app-unpacked/res/

C. Analyzing Smali Code

Smali is the disassembled Dalvik bytecode format:

# Find specific class
find app-unpacked/smali -name "*Login*.smali"
find app-unpacked/smali -name "*Auth*.smali"

# Search for security-relevant code
grep -r "crypto\|encrypt\|decrypt" app-unpacked/smali/
grep -r "http\|https\|url" app-unpacked/smali/
grep -r "password\|credential\|token" app-unpacked/smali/

# Find native library usage
grep -r "System.loadLibrary" app-unpacked/smali/

# Find file operations
grep -r "openFileOutput\|openFileInput" app-unpacked/smali/

Note: Smali is harder to read than Java source. Consider using jadx for Java decompilation for easier analysis.

D. Examining Native Libraries

# List native libraries
ls -lah app-unpacked/lib/

# Check architectures supported
ls app-unpacked/lib/

# Identify library types
file app-unpacked/lib/arm64-v8a/*.so

# Search for interesting strings in libraries
strings app-unpacked/lib/arm64-v8a/libnative.so | grep -i "http\|key\|password"

5. Repackaging APK (Build)

After modifying resources or smali code:

apktool b app-unpacked -o app-modified.apk

Important: Rebuilt APKs must be signed before installation:

# Generate keystore (one-time setup)
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias

# Sign APK
jarsigner -verbose -keystore my-release-key.jks app-modified.apk my-key-alias

# Verify signature
jarsigner -verify app-modified.apk

# Zipalign (optimization)
zipalign -v 4 app-modified.apk app-modified-aligned.apk

6. Framework Management

For system apps or apps dependent on device manufacturer frameworks:

# Install framework
apktool if framework-res.apk

# List installed frameworks
apktool list-frameworks

# Decode with specific framework
apktool d -t <tag> app.apk

Common Workflows

Workflow 1: Security Analysis

# 1. Unpack APK
apktool d target.apk -o target-unpacked

# 2. Examine manifest for security issues
cat target-unpacked/AndroidManifest.xml

# 3. Search for hardcoded credentials
grep -r "password\|api_key\|secret\|token" target-unpacked/res/

# 4. Check for debuggable flag
grep "debuggable" target-unpacked/AndroidManifest.xml

# 5. Find exported components
grep "exported=\"true\"" target-unpacked/AndroidManifest.xml

# 6. Examine network security config
cat target-unpacked/res/xml/network_security_config.xml 2>/dev/null

Workflow 2: IoT App Analysis

For IoT companion apps, find device communication details:

# 1. Unpack APK
apktool d iot-app.apk -o iot-app-unpacked

# 2. Search for device endpoints
grep -rE "https?://[^\"']+" iot-app-unpacked/res/ | grep -v "google\|android"

# 3. Find API keys
grep -r "api\|key" iot-app-unpacked/res/values/strings.xml

# 4. Locate device communication code
find iot-app-unpacked/smali -name "*Device*.smali"
find iot-app-unpacked/smali -name "*Network*.smali"
find iot-app-unpacked/smali -name "*Api*.smali"

# 5. Check for certificate pinning
grep -r "certificatePinner\|TrustManager" iot-app-unpacked/smali/

Workflow 3: Resource Extraction Only

# Fast resource-only extraction
apktool d app.apk -o app-resources -s

# Extract app icon
cp app-resources/res/mipmap-xxxhdpi/ic_launcher.png ./

# Extract strings for localization
cat app-resources/res/values*/strings.xml

# Extract layouts for UI analysis
ls app-resources/res/layout/

Workflow 4: Quick Code Check (No Resources)

# Fast code-only extraction
apktool d app.apk -o app-code -r

# Analyze smali quickly
grep -r "http" app-code/smali/ | head -20
grep -r "password" app-code/smali/

Output Formats

Apktool doesn't have built-in output format options, but you can structure your analysis:

For human-readable reports:

# Generate analysis report
{
  echo "=== APK Analysis Report ==="
  echo "APK: app.apk"
  echo "Date: $(date)"
  echo ""
  echo "=== Permissions ==="
  grep "uses-permission" app-unpacked/AndroidManifest.xml
  echo ""
  echo "=== Exported Components ==="
  grep "exported=\"true\"" app-unpacked/AndroidManifest.xml
  echo ""
  echo "=== Package Info ==="
  grep "package=" app-unpacked/AndroidManifest.xml
} > apk-analysis-report.txt

Integration with IoTHackBot Tools

Apktool works well with other analysis workflows:

1. APK → Network Analysis: