14 comments

[ 2.3 ms ] story [ 44.2 ms ] thread
Many companies have built software products on top of this tool. I was heavily involved in enterprise apps for several years. It's a great tool
As a hobbyist Android geek that has done minor Android dev work, I can see the use of the tool. But I am very curious: who is building enterprise tools on top of it and why? I could see securiy analysts interested, but beyond that?

This is not meant to be dismissive, I am very curious. It sounds like there is cool stuff out there I could not even dream of!

I would bet that static analysis is going to be one of the top reasons. Being able to automate the process of analyzing code for leaked keys, outdated/vulnerable libraries, insecure storage, permissions, etc.

Here is an open-source tool I've used in the past to do quick static security checks on APKs: https://github.com/ajinabraham/Mobile-Security-Framework-Mob...

It also supports dynamic analysis, but I haven't used that portion of it yet.

I, too, am interested in the other enterprise tools that are built on top of this though.

There's a concept called 'app wrapping'. A generic app is decompiled, and then the manifest and code is changed to add in some 'wrapper' code around the app. The app can then be resigned with the enterprises certificate.
This tool is also great for verifying that you've built you APK correctly. I just used it for the past week diagnosing some issues with building an APK with Unity. It was invaluable.
Current maintainer here. Glad to see apktool has been of use for a good deal of businesses.

Happy to answer any questions anyone might have.

There are so many tools for apk decompilation and analysis out there - lots use apktool in the backend even. How do I as a beginner know what to use and what to trust?
That is a tough question. I would just stick with the popular known ones out there: smali, apktool, dex2jar, jeb, jad.
"Reverse engineering" makes it sound as if the .apk format is obfuscated or protected. It's just a zip file with files inside.

It's not a reverse engineering tool any more than unzip or tar are.

Not true. You can go unzip an apk and for one resources.arsc won't be decoded, classes.dex won't be disassembled and any xml file will be in its binary axml format.
The important part is not the unzip, it's the backsmaling (converting the .dex file in several Smali files), which is akin to .exe decompilation into C files.
Good to see this on HN. I know Guardian Project and F-Droid lean on it, as it's great for trying to sort out issue with deterministic builds

I also used it once to add log output into the resulting smali code (which was obfuscated and I couldn't walk through easily), and repackaging that back into an apk helped me understand the obfuscated code in the app

https://github.com/intrepidusgroup/IGLogger

I've been using Apktool for years. Great work. I had to do a double-take when I saw it on the front page though, given that it's been around for quite a while and I thought it was a pretty standard dev tool.