When analysing an Android application, the minified and/or obfuscated code needs to be refactored in order for it to make sense. AndroidProjectCreator combines known open-source tools (JD-CMD, part of JD-GUI, Fernflower, JAD-X, CFR, Procyon, Dex2Jar and APKTool) together with the power the Android Studio IDE to allow the analyst to use the combined advantages. For those with a proper license, JEB3 Pro can also be used to decompile the APK.
One can download the JAR file from this Github repository.
How does AndroidProjectCreator work?
AndroidProjectCreator converts the APK to an Android Studio project. More details about this process can be found in this blog. Below, multiple advantages are given as well as some disadvantages in comparison to paid tools.
Written in Java 8, AndroidProjectCreator is cross platform and cross architecture. It has been tested on Windows 10, Ubuntu 18.04 and MacOS Mojave but should work on all recent versions of Windows, MacOS and Linux distributions.
The GUI is visualised within the IDE using the decoded XML file. This instantly provides valuable insight which is not present in paid tools.
Garbage code removal
Upon analysing a sample with lots of useless code, one can simply remove the unwanted code and save the Java files using the IDE. This way, a clean decompiled sample can be used.
Interactive usage of the manifest
Within the manifest, the declared classes can be instantly visited by jumping to the declaration of the class. This makes navigating based on the manifest’s declarations easier and faster.
All information in one place
The manifest, Java code, SMALI code, libraries, assets and resources are bundled within a single Android Studio project file. This way, all required files are quickly available during the analysis, without the need for tooling after the conversion has already taken place.
Fix decompiler mistakes
Code can be edited within Android Studio. This means that wrongly compiled code can manually be changed into the correct code. Comments can also be added in the way the analyst prefers, either using a comment block or a single line, as is shown below.
/** * This is a comment block */ //This is single line comment
Inspect Android’s code base
The value corresponding with an enumeration can easily be found by jumping to the declaration within Android’s code base.
Plug-ins can be used to execute custom scrips. Additionally, existing plug-ins can be used to perform certain actions.
Android Studio is being updated whenever the Android OS is updated, meaning that the IDE is never too old to handle new code (if it is updated).
Automated parallel conversion
AndroidProjectCreator’s temporary folder contains all files of all running instances. Each instance has its own directory which is equal to a GUID. This way, an unlimited amount of instances can be started as long as the system has disk space and RAM left.
Support for commercial tooling
Alas, the quality of the decompiled code is not always without mistakes. In general it works properly, but using a better decompiler would help with the analysis. In order to support those who have a JEB3 Pro license, AndroidProjectCreator can also use the JEB3 headless client with a customised script to decompile an APK into Java code.
Before installing AndroidProjectCreator, one should have installed the following tools:
- Java 8 Runtime Environment (open JRE works fine)
- Java 8 Development Kit (open JDK8 works fine)
- The JAVA_HOME variable should exist and point towards the Java 8 JDK folder
On Debian based systems, the following command installs all prerequisites:
sudo apt-get install openjdk-8-jre openjdk-8-jdk maven
To compile AndroidProjectCreator from the source files, one should use the following command in the terminal when the current working directory is within the root folder of the project:
mvn clean compile assembly:single
After the installation, the JAR can be found within the target folder, which is located in the root of the project folder.
To install AndroidProjectCreator, one must have a working internet connection. After that, simply run the JAR with the -install flag, an example is given below.
java -jar ./AndroidProjectCreator.jar -install
This will take a while, depending on the speed of both your internet and your machine. When the installation is done, the usage information is displayed.
Updating is done using the -update flag. For each tool, a pull request is made. After that, each tool is built again and the build output is copied into the library. Updating only takes a few minutes, depending on the speed of your machine.
Decompling APK files
To decompile, the -decompile flags has to be given, together with the decompiler which should be used. The currently included decompilers are Fernflower, CFR, Procyon, JD-CMD JAD-X and JEB3, if one possesses the pro license of said tool. Additionally, one should provide the path to the APK, as well as a path where the Android Studio project should be placed. If JEB3 is selected, the path to the application folder should also be provided.
Note that the current directory of the terminal/command prompt is used when a relative path is used, regardless where the JAR is placed on the system. This allows AndroidProjectCreator to be placed in a folder which is referenced in the ~/.bash_aliases or within the system variable PATH (depending on your operating system), whilst the output of the project is saved as ./output. An example is given below.
libra@laptop:~/Documents$ java -jar AndroidProjectCreator.jar -decompile fernflower ~/samples/sms-stealer/sample.apk ./sms-stealer-fernflower
Note that the decompiler flag is case insensitive but the file locations might be, based on your operating system.
How to configure Android Studio?
The IDE is not perfectly set-up by default to be used this way, hence the reason for a couple of adjustments before one should start the analysis. Not all of these are necessarily only for analysing an application, as some are also required during the development of an application.
If there is no matching version of the build-tools present for the Android API that is specified within the Android Manifest, an error will be given. Simply let Android Studio download the missing files and the problem is resolved.
To properly refactor code, one should alter the default refactor settings. Use the refactor hotkey twice on the same variable to open the settings screen. Twice on the same variable means to press the hotkey twice without doing anything else in between. Then, make sure only the only check boxes which are selected are Rename variables and Rename inheritors. Selecting other check boxes will result in incorrect results.
Errors during the Gradle build process are expected since Android Studio is dealing with decompiled code. Android Studio only needs to process the project in such a way, that the execution of plug-ins is possible, together with the ability to refactor code. An error during the Build -> Run Build -> Run Tasks part is common. Let the indexing of Android Studio finish and see if the functionality works. In case it does not, another decompiler can be used. If none of the decompilers works, the problem might be with the system Android Studio is running on instead of the program.
How to contribute to AndroidProjectCreator?
Using this Github repository, pull requests can be made. If you find an issue or have a suggestion, an issue can be filed. To contact me outside Github, please use any of the options that are given at the bottom of this page.
In the future, multiple additional features will be added to AndroidProjectCreator. The updates that are currently planned, are listed below in no apparent order.
- Support multiple DEX files within the APK
- Support to merge multiple DEX files
- Creating an UML diagram based on the code to speed up the analysis
- Refactor the internal code to use interfaces and an implementation per tool
- Embed AndroidProjectCreator in an API with a front-end for internal use
In the list below, all changes are kept together with the release date of the given version.
1.3-stable [9th of August 2019]
List of features
- Improved documentation in the code
- Multiple bugs are fixed, including one where the Fernflower decompiler had to be written with a specific casing in order to work. Thank those who reached out to me with bug reports. Do not hesitate to message me when you think you’ve found something!
- The JD-CMD repository has been changed to a mirror on my own Github account, which avoids the error that occurs when compiling the project from scratch, since the Maven repositories miss certain parts of this project.
- The CFR decompiler repository has been changed from the repository on my own Github account to the official repository. The build process has been made possible when using Java 8 by a change in the POM.xml.
1.2-stable [15th of March 2019]
List of features
- Improved documentation in the code
- Greatly improved user feedback when the wrong arguments are entered
- Wrong decompiler arguments now provide feedback to the user to improve the ease of use
- The cloned repositories are now preserved on the disk after the installation, causing the disk usage to increase from 45 megabytes to 520 megabytes. Note that the size now stays 520 megabyte whereas previously it was only required a few minutes during the installation of APC
- The repositories are now used in the update mechanism to avoid cloning the whole repository again. This improves the speed of updating and decreases the bandwidth usage.
- The native libraries and SMALI code are now written to the same folder as the Java code. This allows for easier navigation within Android Studio
- Internal code has been refactored in such a way that each class has only a single purpose. Future tools can now be implemented easier.
- JEB3 is now supported as a decompiler. An additional (fifth) parameter is then required: the location of the JEB3 folder.
- CFR 0.140 is now used, instead of CFR 0.138.
- Minor bugs have been fixed.
1.1-stable [4th of January 2019]
List of features
- Added the prebuilt CFR decompiler
- Added the prebuilt Procyon decompiler
- Added functionality to save and copy the SMALI files into the resources folder of the project
- Added functionality to save and copy assets of the APK into the resources folder of the project
- Improved feedback to the user upon handling incorrect parameters
- Improved code quality of the project
- Added an additional parameter to APKTool (“-k”) to also parse broken resources
1.0-stable [7th of December 2018]
List of features
- Multiple platform support for Windows, MacOS and Linux distributions
- Supports JD-CMD, JAD-X and Fernflower as decompilers
- Uses Dex2Jar and APKTool to convert the APK to the required formats
- Uses the empty project template version 1.0-stable, which is located here