apktool — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Reverse-engineering APKs — decompile, modify, repack Android applications. Read-only or rebuild for runtime patching.

Use case: MobileDifficulty: IntermediateHomepage: https://apktool.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install apktool

JAR (latest)

wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.10.0.jar -O /usr/local/bin/apktool.jar

macOS (brew)

brew install apktool

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Decompile APK to smali + resources

apktool d target.apk -o target_decoded

Modify and repack

apktool b target_decoded -o modified.apk

Sign rebuilt APK (required for install)

jarsigner -keystore my.keystore modified.apk mykey

Or use uber-apk-signer (handles modern v2/v3)

java -jar uber-apk-signer.jar -a modified.apk

Decompile to Java (with jadx)

jadx -d output target.apk

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Decompile + repack of typical 50MB APK: 15-30 sec. Larger APKs (200MB games) take 1-2 min.
  • --no-res skips resource decoding — 5× faster if you only need smali code.
  • --frame-path /tmp/apkframe caches framework files — avoids re-extracting on every decompile.
  • For modifying network security config: edit res/xml/network_security_config.xml, set cleartextTrafficPermitted="true", repack — defeats apps refusing HTTP debug traffic.
  • Pair with jadx for Java-source view — easier than reading smali for non-trivial logic.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • V2/V3 signed APKs (Android 7+) need uber-apk-signer or apksigner — jarsigner alone produces install errors.
  • Apps using SafetyNet/Play Integrity will detect repacking on first server check. Bypass requires Frida runtime patching, not apktool repack.
  • Resource compilation can fail on specific Android API levels — try --api 28 if rebuild errors.
  • Smali edits are easy to break — one wrong register reference = runtime VerifyError crash.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • jadx — APK to Java source (read-only).
  • JEB — commercial decompiler, handles obfuscation better.
  • Bytecode Viewer — multiple decompilers, GUI.

India context and engagement notes

For Indian-context: apktool + jadx is the entry-level mobile reverse-eng kit, free and sufficient for 80% of pen-tests. RASP-protected apps (Indian fintech, banking) require jumping to commercial tools (JEB, Hopper) — budget accordingly.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants