Reverse-engineering APKs — decompile, modify, repack Android applications. Read-only or rebuild for runtime patching.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install apktool
JAR (latest)
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.10.0.jar -O /usr/local/bin/apktool.jar
macOS (brew)
brew install apktool
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Decompile APK to smali + resources
apktool d target.apk -o target_decoded
Modify and repack
apktool b target_decoded -o modified.apk
Sign rebuilt APK (required for install)
jarsigner -keystore my.keystore modified.apk mykey
Or use uber-apk-signer (handles modern v2/v3)
java -jar uber-apk-signer.jar -a modified.apk
Decompile to Java (with jadx)
jadx -d output target.apk
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Decompile + repack of typical 50MB APK: 15-30 sec. Larger APKs (200MB games) take 1-2 min.
--no-resskips resource decoding — 5× faster if you only need smali code.--frame-path /tmp/apkframecaches framework files — avoids re-extracting on every decompile.- For modifying network security config: edit
res/xml/network_security_config.xml, setcleartextTrafficPermitted="true", repack — defeats apps refusing HTTP debug traffic. - Pair with jadx for Java-source view — easier than reading smali for non-trivial logic.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- V2/V3 signed APKs (Android 7+) need uber-apk-signer or apksigner — jarsigner alone produces install errors.
- Apps using SafetyNet/Play Integrity will detect repacking on first server check. Bypass requires Frida runtime patching, not apktool repack.
- Resource compilation can fail on specific Android API levels — try
--api 28if rebuild errors. - Smali edits are easy to break — one wrong register reference = runtime VerifyError crash.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- jadx — APK to Java source (read-only).
- JEB — commercial decompiler, handles obfuscation better.
- Bytecode Viewer — multiple decompilers, GUI.
India context and engagement notes
For Indian-context: apktool + jadx is the entry-level mobile reverse-eng kit, free and sufficient for 80% of pen-tests. RASP-protected apps (Indian fintech, banking) require jumping to commercial tools (JEB, Hopper) — budget accordingly.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.