All about Android Decompilation Testing

Android applications can be downloaded directly from the Google Play, which is the official app store for the Android OS. Google allows the Android users to browse and download applications developed with the Android SDK. However, the users can also use the Android application package (APK) file format to install application software.  In the APK file format, codes are compiled and are packaged into one file. In addition to the program code, an APK file contains resources, certificates, assets, and more.

A group of classes and resources form an archived APK file. The compiled executable code can be found in the classes.dex file. This file can be converted from a machine readable format to a JAR file format through various available tools. The converted file is easily readable.

The organized file structure of an APK file is given below.

  • Assets
  • Com
  • META-INF
  • Res
  • AndroidManifest
  • dex
  • arsc

Note: The com folder contains 3rd party SDKs and other related files.

Manifest File

The “AndroidManifest.xml” file must be present in the root folder of the APK. The permissions required to install an application on the device are included in this file. You can also view the manifest file of the respective app using different Android apps.

Dex (Dalvik Executable)

Dalvik Virtual Machine (DVK) is especially built for Android OS to execute the Android apps, which are initially written in Java. The transformed byte codes are then stored as .dex and .odex files. These are the operations associated with the Dalvik byte code. Once the JVM byte codes are produced, .class files are deleted by the Dalvik compiler.

JAR Decompilation

 You can use the JAVA compiler to view the content of the JAR file. The programmers then use the decompiled content and pack them. Though this does not include all the content, it gives visibility into methods and classes. With the hints that are provided for respective business logic and the source codes, testers can easily identify the tests to be performed.

Note: Code obfuscation is a must and can be performed using tools like ProGuard and DexGuard.

There are a few key points that must be performed on a decompiled JAR file.

  • Organizations use the obfuscation process to mask source codes. This helps in protecting them from unauthentic viewing and copying. Hence, code obfuscation is must.
  • Manifest files must be encrypted using some powerful algorithms, as it includes permission needed for the app.
  • You must not access any images after the APK de-compilation process.

Note: JAR Decompilation is different from Security testing. With Decompilation you can learn more about the app, including its functionality, performance, etc.