Sunday, January 29, 2017

Reverse Engineering Android APKs

Although I've never actually written an Android app, I've been playing around with its internals a bit. I own a phone that shipped with CyanogenOS (already history by now); of course I've rooted it, and I bricked my previous phone during a ROM change.

I also tried reversing some Android apps with varying degrees of success. My main project was 'hacking' the Xiaomi YeeLight bedside lamp app so that I could control the lamp programmatically. Xiaomi did not provide any API, but if I can modify the APK to accept commands, that's all I need.

Here are the slides for a talk I gave about basic reverse engineering at a Codeaholics Hong Kong meeting. After that you can find some more details about the YeeLight case.


Obstacles

  • obfuscation (great against getting a general overview, not much help if I'm targeting one specific thing)
  • anti-decompilers (can always be bypassed)
  • anti-debuggers (can also be bypassed)
  • time investment (cannot be bypassed)

.apk contents

  • Java code compiled to Dalvik bytecode for a register-based VM, all of it in classes.dex (smali is the human-readable assembly for it)
  • AndroidManifest.xml in a binary XML encoding (apktool decodes it back to text)
  • native libraries (.so) for ARM, x86, ...
  • resources (res/ and resources.arsc)


smali

  • Icelandic for "assembler"
  • register based, as opposed to the stack-based standard JVM bytecode
  • closer to the CPU, less work for the JIT compiler
  • reasonably readable:
    const-string v5, "UTF8"
    invoke-static {p0, v3, v4, v5}, Lcom/google/zxing/client/result/optional/NDEFURIResultParser;->bytesToString([BIILjava/lang/String;)Ljava/lang/String;
    move-result-object v2


Decompiling to Java

  • no variable names (unless debug info was kept)
  • try/catch blocks often come out broken
  • the decompiled source usually won't recompile with javac as is
  • obfuscation renames all methods and classes to short alphabetic names (cd.i(a, b, c, d))

BCV front-end

  • Bytecode Viewer makes it easy to run several decompilers on a .dex or .jar
  • still not quite there for more in-depth analysis
  • so I use ... a text editor!
  • decompile everything to .java, put it in git and write comments as I go

Patching APKs

  • Example: YeeLight
  • write a new class in Android Studio (add YeeLight.jar, made from the app's classes.dex with dex2jar, to the project so the new class can call the app's own code)
  • compile it and disassemble the result to .smali
  • add the .smali file to the already extracted apk folder, under smali/
  • modify the existing .smali files to construct and invoke the new class

  • rebuild using apktool
  • sign
  • zipalign (with jarsigner the order is sign, then zipalign; with apksigner it is zipalign, then sign)
  • install on your device!

Working on the YeeLight app

This app is obfuscated and, quite honestly, contains a lot of code. It has a screen with a colour gradient where touching a colour changes the light's colour accordingly. I started by finding this Activity and then trying to find the click handler. I planned to go deeper and eventually end up in the code that sends the Bluetooth commands, but I got lost.

Then I tried watching logcat while using the app and found that the colour changes are echoed in the log. One code search for that particular string got me into a class that was fully obfuscated but was probably somewhere on the way to sending the commands. Reading further into the decompiled code revealed a consumer for these messages as well as the conversion from a colour object to the Bluetooth message.

The next step was to write a network listener class in Java. It runs in its own thread and accepts UDP packets sent to the broadcast address. Each colour change needs only 4 bytes of data, so UDP is the simplest choice. The broadcast address is used to avoid needing any configuration: I can just send the packet out on my home network. This also means that anything on the same LAN can change the colour, since the packets are neither authenticated nor encrypted; fine for a home network, but worth remembering before doing the same on shared Wi-Fi.

This Java code now needs to be converted to a .smali file. There are tools that should be able to convert it directly from a .class or a .jar, but at the time they did not work for me. So I ended up creating a dummy Android project in Android Studio to get the same result:

  1. Create a project in Android Studio.
  2. Convert classes.dex from the YeeLight APK into YeeLight.jar using dex2jar.
  3. Add YeeLight.jar to the project as a dependency. This lets your new class call methods from the original APK, and makes those references resolve at compile time.
  4. Build an APK from the project.
  5. Use apktool to disassemble the result, obtaining a .smali file for your class.

Now you can add this new .smali file to the original APK's smali/ directory. You also need to actually create an instance of the class and call the new code in an appropriate place (the onCreate of an Activity that always runs is the usual choice). That requires manually editing the existing .smali code of the app. If you can find where, it's not too difficult.

Finally, rebuild the APK using apktool, then zip-align and sign it (in that order when signing with apksigner; jarsigner needs signing first and zipalign afterwards). This process is a bit more complicated than it should be, so I have a little script for it right here: My Apk Scripts
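The command-line half of the procedure above (the dex2jar and apktool steps of the numbered list, plus the rebuild, zipalign and sign steps), as an added Python example; this is not the script linked from the post. It assumes the tools are on PATH under their usual names (apktool, d2j-dex2jar.sh, zipalign, apksigner) and defaults to the Android Studio debug keystore; the KEYSTORE, KEY_ALIAS and STORE_PASS environment variables are my own choice for overriding that.

```python
"""Unpack, rebuild, align and sign an APK with apktool, dex2jar and apksigner.

Added example, not the author's script.  Assumes the tools are on PATH under
their usual names and that the Android Studio debug keystore exists; the
environment variables below (KEYSTORE, KEY_ALIAS, STORE_PASS) are my own
convention, not anything the tools define.
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path

KEYSTORE = os.environ.get("KEYSTORE", os.path.expanduser("~/.android/debug.keystore"))
KEY_ALIAS = os.environ.get("KEY_ALIAS", "androiddebugkey")
STORE_PASS = os.environ.get("STORE_PASS", "android")


def unpack_commands(apk, work_dir):
    """apktool for the smali tree and resources; dex2jar for the .jar that the
    dummy Android Studio project compiles against (it accepts an .apk directly)."""
    return [
        ["apktool", "d", "-f", apk, "-o", work_dir],
        ["d2j-dex2jar.sh", "-f", "-o", work_dir + ".jar", apk],
    ]


def repack_commands(work_dir, out_apk):
    """Rebuild the patched tree and produce a signed, verified APK.

    zipalign runs before apksigner: the v2 signature covers the whole zip, so
    aligning afterwards would invalidate it (jarsigner is the other way round).
    """
    stem = out_apk[:-4] if out_apk.endswith(".apk") else out_apk
    unsigned = stem + "-unsigned.apk"
    aligned = stem + "-aligned.apk"
    return [
        ["apktool", "b", work_dir, "-o", unsigned],
        ["zipalign", "-f", "4", unsigned, aligned],
        ["apksigner", "sign", "--ks", KEYSTORE, "--ks-key-alias", KEY_ALIAS,
         "--ks-pass", "pass:" + STORE_PASS, "--out", out_apk, aligned],
        ["apksigner", "verify", out_apk],
    ]


def missing_tools(commands):
    """Names of the executables in `commands` that are not on PATH."""
    return sorted({cmd[0] for cmd in commands if shutil.which(cmd[0]) is None})


def run_pipeline(commands, run=subprocess.run):
    """Run each command in order; check=True stops at the first failure so a
    broken apktool build never reaches the signing step.  `run` is injectable
    so the sequence can be exercised without the tools installed."""
    for cmd in commands:
        run(cmd, check=True)
    return [cmd[0] for cmd in commands]


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] not in ("unpack", "repack"):
        sys.exit("usage: apk.py unpack <app.apk> | apk.py repack <apktool-dir>")
    if sys.argv[1] == "unpack":
        cmds = unpack_commands(sys.argv[2], Path(sys.argv[2]).stem)
    else:
        work = sys.argv[2].rstrip("/")
        cmds = repack_commands(work, work + "-patched.apk")
    missing = missing_tools(cmds)
    if missing:
        sys.exit("not on PATH: " + ", ".join(missing))
    run_pipeline(cmds)
    print("done:", cmds[-1][-1])
```

`apk.py unpack YeeLight.apk` gives you the `YeeLight/` smali tree to patch and `YeeLight.jar` for the Android Studio project; `apk.py repack YeeLight` produces `YeeLight-patched.apk`, leaving the unsigned and aligned intermediates next to it for inspection. The final `apksigner verify` is worth keeping: an APK that fails it will be rejected by the package manager with a signature error, which is much less informative than the verifier's output.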

Now you can install the app and try it out. If it works, you may want to disable automatic updates for it, otherwise the Play Store will try to overwrite your efforts. (The store's build is signed with Xiaomi's key rather than yours, so Android refuses to install it over your patched version without an uninstall first; disabling updates just avoids the repeated failed attempts.)

With a custom plugin for Kodi that sends the colour commands over UDP, the result is this:

List of resources and tools

