Apktool - Android APK Unpacking and Resource Extraction
You are helping the user reverse engineer Android APK files using apktool for security analysis, vulnerability discovery, and understanding app internals.
Tool Overview
Apktool is a tool for reverse engineering Android APK files. It can decode resources to nearly original form and rebuild them after modifications. It's essential for:
- Extracting readable AndroidManifest.xml
- Decoding resources (XML layouts, strings, images)
- Disassembling DEX to smali code
- Analyzing app structure and permissions
- Repackaging modified APKs
Prerequisites
- apktool must be installed on the system
- Java Runtime Environment (JRE) required
- Sufficient disk space (unpacked APK is typically 2-5x original size)
- Write permissions in output directory
Instructions
1. Basic APK Unpacking (Most Common)
When the user asks to unpack, decode, or analyze an APK:
Standard decode command:
apktool d <apk-file> -o <output-directory>
Example:
apktool d app.apk -o app-unpacked
With force overwrite (if directory exists):
apktool d app.apk -o app-unpacked -f
2. Understanding Output Structure
After unpacking, the output directory contains:
app-unpacked/
├── AndroidManifest.xml      # Readable manifest (permissions, components)
├── apktool.yml              # Apktool metadata (version info, SDK levels)
├── original/                # Original META-INF certificates
│   └── META-INF/
├── res/                     # Decoded resources
│   ├── layout/              # XML layouts
│   ├── values/              # Strings, colors, dimensions
│   ├── drawable/            # Images and drawables
│   └── ...
├── smali/                   # Disassembled DEX code (smali format)
│   └── com/company/app/     # Package structure
├── assets/                  # App assets (if present)
├── lib/                     # Native libraries (if present)
│   ├── arm64-v8a/
│   ├── armeabi-v7a/
│   └── ...
└── unknown/                 # Files apktool couldn't classify
3. Selective Decoding (Performance Optimization)
Skip resources (code analysis only):
apktool d app.apk -o app-code-only -r
# or, using the long form of the same option
apktool d app.apk -o app-code-only --no-res
- Faster processing
- Only extracts smali code and manifest
- Use when you only need to analyze code logic
Skip source code (resource analysis only):
apktool d app.apk -o app-resources-only -s
# or, using the long form of the same option
apktool d app.apk -o app-resources-only --no-src
- Faster processing
- Only extracts resources and manifest
- Use when you only need resources, strings, layouts
4. Common Analysis Tasks
A. Examining AndroidManifest.xml
The manifest reveals critical security information:
cat app-unpacked/AndroidManifest.xml
Look for:
- Permissions: What device features/data the app accesses
- Exported components: Activities, services, receivers accessible from other apps
- Intent filters: How the app responds to system/app intents
- Backup settings: android:allowBackup="true" (security risk)
- Debuggable flag: android:debuggable="true" (major security issue)
- Network security config: Custom certificate pinning, cleartext traffic
- Min/Target SDK versions: Outdated versions may have vulnerabilities
Example analysis commands:
grep "uses-permission" app-unpacked/AndroidManifest.xml
grep "exported=\"true\"" app-unpacked/AndroidManifest.xml
grep "debuggable" app-unpacked/AndroidManifest.xml
grep "android:name.*Activity" app-unpacked/AndroidManifest.xml
B. Extracting Strings and Resources
cat app-unpacked/res/values/strings.xml
grep -r "api" app-unpacked/res/values/
grep -r "http" app-unpacked/res/values/
grep -r "password\|secret\|key\|token" app-unpacked/res/values/
grep -rE "https?://" app-unpacked/res/
C. Analyzing Smali Code
Smali is the disassembled Dalvik bytecode format:
find app-unpacked/smali -name "*Login*.smali"
find app-unpacked/smali -name "*Auth*.smali"
grep -r "crypto\|encrypt\|decrypt" app-unpacked/smali/
grep -r "http\|https\|url" app-unpacked/smali/
grep -r "password\|credential\|token" app-unpacked/smali/
# smali writes this call as Ljava/lang/System;->loadLibrary(...), so match that form
grep -r "System;->loadLibrary" app-unpacked/smali/
grep -r "openFileOutput\|openFileInput" app-unpacked/smali/
Note: Smali is harder to read than Java source. Consider using jadx for Java decompilation for easier analysis.
D. Examining Native Libraries
ls -lah app-unpacked/lib/
ls app-unpacked/lib/
file app-unpacked/lib/arm64-v8a/*.so
strings app-unpacked/lib/arm64-v8a/libnative.so | grep -i "http\|key\|password"
5. Repackaging APK (Build)
After modifying resources or smali code:
apktool b app-unpacked -o app-modified.apk
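Important: Rebuilt APKs must be signed before installation:
# Generate a signing key (one-time)
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias
# Sign the rebuilt APK (jarsigner writes a v1/JAR signature only; apps targeting API 30+ also need v2 or higher, which apksigner produces)
jarsigner -verbose -keystore my-release-key.jks app-modified.apk my-key-alias
# Verify the signature
jarsigner -verify app-modified.apk
# Align the signed APK
zipalign -v 4 app-modified.apk app-modified-aligned.apk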
6. Framework Management
For system apps or apps dependent on device manufacturer frameworks:
apktool if framework-res.apk
apktool list-frameworks
apktool d -t <tag> app.apk
Common Workflows
Workflow 1: Security Analysis
apktool d target.apk -o target-unpacked
cat target-unpacked/AndroidManifest.xml
grep -r "password\|api_key\|secret\|token" target-unpacked/res/
grep "debuggable" target-unpacked/AndroidManifest.xml
grep "exported=\"true\"" target-unpacked/AndroidManifest.xml
cat target-unpacked/res/xml/network_security_config.xml 2>/dev/null
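Reading network_security_config.xml by eye makes it easy to miss which scope a setting applies to. The following Python script is an added example, not part of the original page or of apktool: it reports cleartext traffic, trust in user-installed CAs and expired pin-sets per base-config or domain-config, and ignores debug-overrides because that block only takes effect in debuggable builds. The sample config, the placeholder pin and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of res/xml/network_security_config.xml (not from a real app).
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2020-01-01">
      <pin digest="SHA-256">PLACEHOLDER_BASE64_PIN=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def scope_name(node):
    # Label a finding with the domains it covers, or "base-config" for the default scope.
    domains = [d.text.strip() for d in node.findall("domain")]
    return ",".join(domains) if domains else node.tag

def audit_nsc(xml_text, today):
    """today is an ISO date string (yyyy-MM-dd), the format pin-set expiration uses."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():  # iter() also reaches nested domain-config elements
        if node.tag not in ("base-config", "domain-config"):
            continue  # skips debug-overrides, which release builds ignore
        scope = scope_name(node)
        if node.get("cleartextTrafficPermitted") == "true":
            findings.append((scope, "cleartext traffic permitted"))
        anchors = node.find("trust-anchors")
        if anchors is not None and any(
                c.get("src") == "user" for c in anchors.findall("certificates")):
            findings.append((scope, "user-installed CAs trusted"))
        pins = node.find("pin-set")
        if pins is not None:
            exp = pins.get("expiration")
            if exp and exp <= today:  # pins lapse on and after the expiration date
                findings.append((scope, "pin-set expired, pinning not enforced"))
    return findings
```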
Workflow 2: IoT App Analysis
For IoT companion apps, find device communication details:
apktool d iot-app.apk -o iot-app-unpacked
grep -rE "https?://[^\"']+" iot-app-unpacked/res/ | grep -v "google\|android"
grep -r "api\|key" iot-app-unpacked/res/values/strings.xml
find iot-app-unpacked/smali -name "*Device*.smali"
find iot-app-unpacked/smali -name "*Network*.smali"
find iot-app-unpacked/smali -name "*Api*.smali"
grep -r "certificatePinner\|TrustManager" iot-app-unpacked/smali/
Workflow 3: Resource Extraction Only
apktool d app.apk -o app-resources -s
cp app-resources/res/mipmap-xxxhdpi/ic_launcher.png ./
cat app-resources/res/values*/strings.xml
ls app-resources/res/layout/
Workflow 4: Quick Code Check (No Resources)
apktool d app.apk -o app-code -r
grep -r "http" app-code/smali/ | head -20
grep -r "password" app-code/smali/
Output Formats
Apktool doesn't have built-in output format options, but you can structure your analysis:
For human-readable reports:
{
echo "=== APK Analysis Report ==="
echo "APK: app.apk"
echo "Date: $(date)"
echo ""
echo "=== Permissions ==="
grep "uses-permission" app-unpacked/AndroidManifest.xml
echo ""
echo "=== Exported Components ==="
grep "exported=\"true\"" app-unpacked/AndroidManifest.xml
echo ""
echo "=== Package Info ==="
grep "package=" app-unpacked/AndroidManifest.xml
} > apk-analysis-report.txt
Integration with IoTHackBot Tools
Apktool works well with other analysis workflows:
- APK → Network Analysis: