Android Reverse Engineering APK Step by Step

Android reverse engineering is the process of decompiling an APK to analyze how an app works internally. The main goal is to understand the logic behind the app, inspect the bytecode, and sometimes modify the behavior of the application.

Attackers often aim to change Dalvik bytecode instructions to force the app to behave in a way it wasn’t originally designed to. But in reality, reversing an APK is not just about changing a few lines-it involves decompiling, modifying, rebuilding, signing, and testing the application.

In this guide, we’ll walk through the core concepts of Android reverse engineering, step by step, using a real-world vulnerable APK example.

---

​

Challenge Overview: UnCrackable Level 1 🎯🔓​

UnCrackable Level 1 is an intentionally vulnerable Android app created by Bernhard Mueller and later maintained by the OWASP MSTG project.
This level focuses on:

• Root detection bypass
• Smali code analysis
• Hooking methods to extract secrets

The goal is to bypass root checks and extract a hidden encryption key.

---

​

Installing the Vulnerable APK ⚙️📦​

After downloading the APK and installing it using ADB on a Genymotion emulator, you’ll notice the app refuses to open.

Why? 🤔
Because Genymotion devices are rooted by default, and the app contains hardcoded root detection logic.

In real-world apps, developers add this logic to protect PII data and prevent tampering. However, poorly implemented checks are often easy to bypass.

There are multiple approaches:

• Runtime hooking
• Debugging and injection
• Reverse engineering (our method)

We’ll decompile the APK and remove the exit logic completely.

---

​

Understanding Android Decompilation 🔍📂​

Android apps are packaged as APK files, which are basically ZIP archives containing:

• classes.dex (Dalvik bytecode)
• AndroidManifest.xml
• Resources
• META-INF certificates

The DEX file is the compiled version of Java/Kotlin source code.
To decompile it, we’ll use apktool, which converts bytecode into Smali files.

---

​

Decompiling the APK 🧩​

Run the following command:

apktool d -f -r UnCrackable-Level1.apk

The -r option tells apktool to convert the DEX file directly into Smali code instead of resources only.
Now the app logic is readable and modifiable 🔥

---

​

Smali Files Explained 🧠⚙️​

Smali is to Android what Assembly is to Windows.
It’s a human-readable representation of Dalvik bytecode.
The tool responsible for this conversion is Baksmali.
You’ll notice folders filled with .smali files, each representing compiled classes.

---

​

Finding the Root Detection Logic 🚨​

Using tools like Bytecode Viewer, you can directly view decompiled Java-like code without chaining apktool + dex2jar.
While browsing the code, one class stands out: MainActivity$1.class
Due to ProGuard obfuscation, class and method names look confusing-but the logic is still readable.
Inside this class, we spot a System.exit() call triggered by a popup button.
This is exactly why the app closes on rooted devices.

---

​

Bypassing Root Detection 🪓​

Instead of removing the root check itself, we’ll take a simpler approach:
👉 Remove the exit logic completely

Open the corresponding Smali file and locate this line:

invoke-static {v0}, Ljava/lang/System;->exit(I)V

This instruction tells Android to terminate the app.

Now delete this line entirely and rely on: return-void
💥 Result:
Even if root is detected, the app no longer exits.

---

​

Rebuilding the Modified APK 🔄📱​

After editing the Smali file, rebuild the app:

apktool b UnCrackable-Level1 -o new_uncrackable.apk

APK rebuilt successfully ✅
But installing it will fail… why?

---

​

Why APK Signing Matters 🔑📜​

Android requires every APK to be digitally signed.
Since we modified the app, the original signature is invalid.
To fix this, we must:

• Create a Keystore
• Sign the APK with a new certificate

---

​

Creating a Keystore 🧷​

Run the following command:

keytool -genkey -v -keystore harshit_key.keystore -alias harsh_key -keyalg RSA -keysize 2048 -validity 10000

This generates:

• RSA 2048-bit key
• Self-signed certificate
• 10,000 days validity

---

​

Signing the APK ✍️​

Now sign the rebuilt APK:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 \
-keystore harshit_key.keystore new_uncrackable.apk harsh_key

Once signed, install it again:

adb install new_uncrackable.apk

🎉 Success! The app now runs on a rooted device.

---

​

Solving the Challenge Using Frida 🧠🧪​

After bypassing root detection, the final step is extracting the secret string.
Further inspection shows that method a() returns the secret value directly-bad coding practice, but great for us 😄
We’ll hook this method using Frida.

---

​

Frida Hook Script 💉​

Java.perform(function () {
    var aes = Java.use("sg.vantagepoint.a.a");

    aes.a.implementation = function(var0, var1) {
        var decrypt = this.a(var0, var1);
        var flag = "";

        for (var i = 0; i < decrypt.length; i++) {
            flag += String.fromCharCode(decrypt[i]);
        }

        console.log(flag);
        return decrypt;
    };
});

Run it using:

frida -U -f owasp.mstg.uncrackable1 -l expl.js --no-pause

🎯 The secret string is dumped directly to the console.

---

​

Final Thoughts 🎉🔐​

You’ve successfully:

• Decompiled an Android APK
• Modified Smali code
• Rebuilt and signed the app
• Bypassed root detection
• Extracted secrets using Frida

This walkthrough covers core Android reverse engineering skills used in real-world pentesting and malware analysis.
Happy hacking 😎