// Android APK unpacking and resource extraction tool for reverse engineering. Use when you need to decode APK files, extract resources, examine AndroidManifest.xml, analyze smali code, or repackage modified APKs.
Analyze digital and analog captures from Saleae Logic MSO devices. Decode protocols like UART, SPI, I2C from exported binary files. Use when analyzing logic analyzer captures for CTF challenges, hardware reverse engineering, or protocol decoding.
Use picocom to interact with IoT device UART consoles for pentesting operations including device enumeration, vulnerability discovery, bootloader manipulation, and gaining root shells. Use when the user needs to interact with embedded devices, IoT hardware, or serial consoles.
Network flow extractor that analyzes pcap/pcapng files to identify outbound connections with automatic DNS hostname resolution. Use when you need to enumerate network destinations, identify what hosts a device communicates with, or map IP addresses to hostnames from packet captures.
Static analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. Decode firmware structure, detect known malware and rootkits (LoJax, ThinkPwn, HackingTeam, MosaicRegressor), generate EFI executable inventories with hashes, extract NVRAM variables, and parse SPI flash descriptors. Use when analyzing firmware .bin/.rom/.fd/.cap files offline without requiring hardware access.
Advanced file finder with type detection and filesystem extraction for analyzing firmware and extracting embedded filesystems. Use when you need to analyze firmware files, identify file types, or extract ext2/3/4 or F2FS filesystems.
IoT network traffic analyzer for detecting IoT protocols and identifying security vulnerabilities in network communications. Use when you need to analyze network traffic, identify IoT protocols, or assess network security of IoT devices.
| name | apktool |
| description | Android APK unpacking and resource extraction tool for reverse engineering. Use when you need to decode APK files, extract resources, examine AndroidManifest.xml, analyze smali code, or repackage modified APKs. |
You are helping the user reverse engineer Android APK files using apktool for security analysis, vulnerability discovery, and understanding app internals.
Apktool is a tool for reverse engineering Android APK files. It can decode resources to nearly original form and rebuild them after modifications. It's essential for:
When the user asks to unpack, decode, or analyze an APK:
Standard decode command:
apktool d <apk-file> -o <output-directory>
Example:
apktool d app.apk -o app-unpacked
With force overwrite (if directory exists):
apktool d app.apk -o app-unpacked -f
After unpacking, the output directory contains:
app-unpacked/
├── AndroidManifest.xml # Readable manifest (permissions, components)
├── apktool.yml # Apktool metadata (version info, SDK levels)
├── original/ # Original META-INF certificates
│ └── META-INF/
├── res/ # Decoded resources
│ ├── layout/ # XML layouts
│ ├── values/ # Strings, colors, dimensions
│ ├── drawable/ # Images and drawables
│ └── ...
├── smali/ # Disassembled DEX code (smali format)
│ └── com/company/app/ # Package structure
├── assets/ # App assets (if present)
├── lib/ # Native libraries (if present)
│ ├── arm64-v8a/
│ ├── armeabi-v7a/
│ └── ...
└── unknown/ # Files apktool couldn't classify
Skip resources (code analysis only):
apktool d app.apk -o app-code-only -r
# or
apktool d app.apk -o app-code-only --no-res
Skip source code (resource analysis only):
apktool d app.apk -o app-resources-only -s
# or
apktool d app.apk -o app-resources-only --no-src
The manifest reveals critical security information:
# After unpacking
cat app-unpacked/AndroidManifest.xml
Look for:
android:allowBackup="true" (security risk)android:debuggable="true" (major security issue)Example analysis commands:
# Find all permissions
grep "uses-permission" app-unpacked/AndroidManifest.xml
# Find exported components
grep "exported=\"true\"" app-unpacked/AndroidManifest.xml
# Check if debuggable
grep "debuggable" app-unpacked/AndroidManifest.xml
# Find all activities
grep "android:name.*Activity" app-unpacked/AndroidManifest.xml
# View all string resources
cat app-unpacked/res/values/strings.xml
# Search for API keys, URLs, credentials
grep -r "api" app-unpacked/res/values/
grep -r "http" app-unpacked/res/values/
grep -r "password\|secret\|key\|token" app-unpacked/res/values/
# Find hardcoded URLs in resources
grep -rE "https?://" app-unpacked/res/
Smali is the disassembled Dalvik bytecode format:
# Find specific class
find app-unpacked/smali -name "*Login*.smali"
find app-unpacked/smali -name "*Auth*.smali"
# Search for security-relevant code
grep -r "crypto\|encrypt\|decrypt" app-unpacked/smali/
grep -r "http\|https\|url" app-unpacked/smali/
grep -r "password\|credential\|token" app-unpacked/smali/
# Find native library usage
grep -r "System.loadLibrary" app-unpacked/smali/
# Find file operations
grep -r "openFileOutput\|openFileInput" app-unpacked/smali/
Note: Smali is harder to read than Java source. Consider using jadx for Java decompilation for easier analysis.
# List native libraries
ls -lah app-unpacked/lib/
# Check architectures supported
ls app-unpacked/lib/
# Identify library types
file app-unpacked/lib/arm64-v8a/*.so
# Search for interesting strings in libraries
strings app-unpacked/lib/arm64-v8a/libnative.so | grep -i "http\|key\|password"
After modifying resources or smali code:
apktool b app-unpacked -o app-modified.apk
Important: Rebuilt APKs must be signed before installation:
# Generate keystore (one-time setup)
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias
# Sign APK
jarsigner -verbose -keystore my-release-key.jks app-modified.apk my-key-alias
# Verify signature
jarsigner -verify app-modified.apk
# Zipalign (optimization)
zipalign -v 4 app-modified.apk app-modified-aligned.apk
For system apps or apps dependent on device manufacturer frameworks:
# Install framework
apktool if framework-res.apk
# List installed frameworks
apktool list-frameworks
# Decode with specific framework
apktool d -t <tag> app.apk
# 1. Unpack APK
apktool d target.apk -o target-unpacked
# 2. Examine manifest for security issues
cat target-unpacked/AndroidManifest.xml
# 3. Search for hardcoded credentials
grep -r "password\|api_key\|secret\|token" target-unpacked/res/
# 4. Check for debuggable flag
grep "debuggable" target-unpacked/AndroidManifest.xml
# 5. Find exported components
grep "exported=\"true\"" target-unpacked/AndroidManifest.xml
# 6. Examine network security config
cat target-unpacked/res/xml/network_security_config.xml 2>/dev/null
For IoT companion apps, find device communication details:
# 1. Unpack APK
apktool d iot-app.apk -o iot-app-unpacked
# 2. Search for device endpoints
grep -rE "https?://[^\"']+" iot-app-unpacked/res/ | grep -v "google\|android"
# 3. Find API keys
grep -r "api\|key" iot-app-unpacked/res/values/strings.xml
# 4. Locate device communication code
find iot-app-unpacked/smali -name "*Device*.smali"
find iot-app-unpacked/smali -name "*Network*.smali"
find iot-app-unpacked/smali -name "*Api*.smali"
# 5. Check for certificate pinning
grep -r "certificatePinner\|TrustManager" iot-app-unpacked/smali/
# Fast resource-only extraction
apktool d app.apk -o app-resources -s
# Extract app icon
cp app-resources/res/mipmap-xxxhdpi/ic_launcher.png ./
# Extract strings for localization
cat app-resources/res/values*/strings.xml
# Extract layouts for UI analysis
ls app-resources/res/layout/
# Fast code-only extraction
apktool d app.apk -o app-code -r
# Analyze smali quickly
grep -r "http" app-code/smali/ | head -20
grep -r "password" app-code/smali/
Apktool doesn't have built-in output format options, but you can structure your analysis:
For human-readable reports:
# Generate analysis report
{
echo "=== APK Analysis Report ==="
echo "APK: app.apk"
echo "Date: $(date)"
echo ""
echo "=== Permissions ==="
grep "uses-permission" app-unpacked/AndroidManifest.xml
echo ""
echo "=== Exported Components ==="
grep "exported=\"true\"" app-unpacked/AndroidManifest.xml
echo ""
echo "=== Package Info ==="
grep "package=" app-unpacked/AndroidManifest.xml
} > apk-analysis-report.txt
Apktool works well with other analysis workflows:
APK → Network Analysis:
APK → Credential Discovery:
APK → Code Analysis:
apktool d app.apk -o app-unpacked
cat app-unpacked/AndroidManifest.xml | less
The manifest provides the roadmap for further analysis.
-r flag-s flag# Create analysis script
cat > analyze.sh << 'EOF'
#!/bin/bash
APK_DIR="$1"
echo "[+] Searching for URLs..."
grep -rE "https?://" "$APK_DIR/res/" | grep -v "schema\|google\|android"
echo "[+] Searching for API keys..."
grep -ri "api.*key\|apikey" "$APK_DIR/res/"
echo "[+] Searching for secrets..."
grep -ri "secret\|password\|credential" "$APK_DIR/res/"
EOF
chmod +x analyze.sh
./analyze.sh app-unpacked
Keep notes on:
Use both tools together:
Solution: Install framework resources:
apktool if <framework-res.apk>
Solution: Use --keep-broken-res flag:
apktool d app.apk -o output --keep-broken-res
Solution: Check file path and permissions:
ls -l app.apk
file app.apk # Should show "Zip archive data"
Solution: Increase Java heap size:
export _JAVA_OPTIONS="-Xmx2048m"
apktool d large-app.apk
Solution: Validate your smali/XML syntax:
# Check for syntax errors
apktool b app-unpacked -o test.apk --use-aapt2
Solution: Sign the APK:
jarsigner -verbose -keystore debug.keystore rebuilt.apk androiddebugkey
IMPORTANT: Only analyze APKs you own or have permission to analyze.
# Complete analysis workflow
TARGET="myapp.apk"
OUTPUT="myapp-analysis"
# 1. Unpack
echo "[+] Unpacking APK..."
apktool d "$TARGET" -o "$OUTPUT"
# 2. Basic info
echo "[+] Package info:"
grep "package=" "$OUTPUT/AndroidManifest.xml"
# 3. Permissions
echo "[+] Permissions:"
grep "uses-permission" "$OUTPUT/AndroidManifest.xml"
# 4. Exported components
echo "[+] Exported components:"
grep "exported=\"true\"" "$OUTPUT/AndroidManifest.xml"
# 5. Search for secrets
echo "[+] Searching for hardcoded secrets..."
grep -r "api.*key\|password\|secret" "$OUTPUT/res/" | grep -v "^Binary"
# 6. Find URLs
echo "[+] Finding URLs..."
grep -rE "https?://[^\"']+" "$OUTPUT/res/" | grep -v "schema\|xmlns"
# 7. Check debuggable
echo "[+] Debug status:"
grep "debuggable" "$OUTPUT/AndroidManifest.xml" || echo "Not debuggable (good)"
# 8. Summary
echo "[+] Analysis complete. Output in: $OUTPUT/"
A successful apktool analysis includes:
# Decode (unpack)
apktool d <apk> -o <output-dir>
# Decode with force overwrite
apktool d <apk> -o <output-dir> -f
# Decode without resources (faster)
apktool d <apk> -o <output-dir> -r
# Decode without source (faster)
apktool d <apk> -o <output-dir> -s
# Build (repack)
apktool b <unpacked-dir> -o <output-apk>
# Install framework
apktool if <framework.apk>
# Empty framework cache
apktool empty-framework-dir