jadx

BrownFineSecurity/jadx

Security

554

17 installs

About

SKILL.md

Jadx - Android APK Decompiler

You are helping the user decompile Android APK files using jadx to convert DEX bytecode into readable Java source code for security analysis, vulnerability discovery, and understanding app internals.

Tool Overview

Jadx is a dex to Java decompiler that produces clean, readable Java source code from Android APK files. Unlike apktool (which produces smali), jadx generates actual Java code that's much easier to read and analyze. It's essential for:

Converting DEX bytecode to readable Java source
Understanding app logic and control flow
Finding security vulnerabilities in code
Discovering hardcoded credentials, API keys, URLs
Analyzing encryption/authentication implementations
Searching through code with familiar Java syntax

Prerequisites

jadx (and optionally jadx-gui) must be installed
Java Runtime Environment (JRE) required
Sufficient disk space (decompiled output is typically 3-10x APK size)
Write permissions in output directory

GUI vs CLI

Jadx provides two interfaces:

CLI (jadx): Command-line interface

Best for automation and scripting
Batch processing multiple APKs
Integration with other tools
Headless server environments

GUI (jadx-gui): Graphical interface

Interactive code browsing
Built-in search functionality
Cross-references and navigation
Easier for manual analysis
Syntax highlighting

When to use each:

Use CLI for automated analysis, scripting, CI/CD pipelines
Use GUI for interactive exploration and deep-dive analysis

Instructions

1. Basic APK Decompilation (Most Common)

Standard decompile command:

jadx <apk-file> -d <output-directory>

Example:

jadx app.apk -d app-decompiled

With deobfuscation (recommended for obfuscated apps):

jadx --deobf app.apk -d app-decompiled

2. Understanding Output Structure

After decompilation, the output directory contains:

app-decompiled/
├── sources/                           # Java source code
│   └── com/company/app/              # Package structure
│       ├── MainActivity.java
│       ├── utils/
│       ├── network/
│       └── ...
└── resources/                         # Decoded resources
    ├── AndroidManifest.xml           # Readable manifest
    ├── res/                          # Resources
    │   ├── layout/                   # XML layouts
    │   ├── values/                   # Strings, colors
    │   ├── drawable/                 # Images
    │   └── ...
    └── assets/                       # App assets

3. Decompilation Options

A. Performance Options

Multi-threaded decompilation (faster):

jadx -j 4 app.apk -d output
# -j specifies number of threads (default: CPU cores)

Skip resources (code only, much faster):

jadx --no-res app.apk -d output

Skip source code (resources only):

jadx --no-src app.apk -d output

B. Deobfuscation Options

Enable deobfuscation:

jadx --deobf app.apk -d output

Renames obfuscated classes (a.b.c → meaningful names)
Attempts to recover original names
Makes code much more readable
Essential for obfuscated/minified apps

Deobfuscation map output:

jadx --deobf --deobf-rewrite-cfg --deobf-use-sourcename app.apk -d output

More aggressive deobfuscation
Uses source file names as hints
Rewrites control flow graphs

C. Output Control

Show inconsistent/bad code:

jadx --show-bad-code app.apk -d output

Shows code that couldn't be decompiled cleanly
Useful for finding obfuscation or anti-decompilation tricks
May contain syntax errors but reveals structure

Export as Gradle project:

jadx --export-gradle app.apk -d output

Creates buildable Gradle Android project
Useful for rebuilding/modifying app
Includes build.gradle files

Fallback mode (when decompilation fails):

jadx --fallback app.apk -d output

Uses alternative decompilation strategy
Produces less clean code but handles edge cases

4. Common Analysis Tasks

A. Searching for Sensitive Information

After decompilation, search for common security issues:

# Search for API keys
grep -r "api.*key\|apikey\|API_KEY" app-decompiled/sources/

# Search for passwords and credentials
grep -r "password\|credential\|secret" app-decompiled/sources/

# Search for hardcoded URLs
grep -rE "https?://[^\"]+" app-decompiled/sources/

# Search for encryption keys
grep -r "AES\|DES\|RSA\|encryption.*key" app-decompiled/sources/

# Search for tokens
grep -r "token\|auth.*token\|bearer" app-decompiled/sources/

# Search for database passwords
grep -r "jdbc\|database\|db.*password" app-decompiled/sources/

B. Finding Security Vulnerabilities

SQL Injection:

grep -r "SELECT.*FROM.*WHERE" app-decompiled/sources/ | grep -v "PreparedStatement"
grep -r "rawQuery\|execSQL" app-decompiled/sources/

Insecure Crypto:

grep -r "DES\|MD5\|SHA1" app-decompiled/sources/
grep -r "SecureRandom.*setSeed" app-decompiled/sources/
grep -r "Cipher.getInstance" app-decompiled/sources/ | grep -v "AES/GCM"

Insecure Storage:

grep -r "SharedPreferences" app-decompiled/sources/
grep -r "MODE_WORLD_READABLE\|MODE_WORLD_WRITABLE" app-decompiled/sources/
grep -r "openFileOutput" app-decompiled/sources/

WebView vulnerabilities:

grep -r "setJavaScriptEnabled.*true" app-decompiled/sources/
grep -r "addJavascriptInterface" app-decompiled/sources/
grep -r "WebView.*loadUrl" app-decompiled/sources/

Certificate pinning bypass:

grep -r "TrustManager\|HostnameVerifier" app-decompiled/sources/
grep -r "checkServerTrusted" app-decompiled/sources/

C. Understanding App Logic

Find entry points:

# Main activities
grep -r "extends Activity\|extends AppCompatActivity" app-decompiled/sources/

# Application class
grep -r "extends Application" app-decompiled/sources/

# Services
grep -r "extends Service" app-decompiled/sources/

# Broadcast receivers
grep -r "extends BroadcastReceiver" app-decompiled/sources/

Trace network communication:

# Find HTTP client usage
grep -r "HttpURLConnection\|OkHttpClient\|Retrofit" app-decompiled/sources/

# Find API endpoints
grep -r "@GET\|@POST\|@PUT\|@DELETE" app-decompiled/sources/

# Find base URLs
grep -r "baseUrl\|BASE_URL\|API_URL" app-decompiled/sources/

Find authentication logic:

grep -r "login\|Login\|authenticate\|Authorization" app-decompiled/sources/
grep -r "jwt\|JWT\|bearer\|Bearer" app-decompiled/sources/

D. Analyzing Specific Classes

After identifying interesting classes, read them directly:

# View specific class
cat app-decompiled/sources/com/example/app/LoginActivity.java

# Use less for pagination
less app-decompiled/sources/com/example/app/network/ApiClient.java

# Search within specific class
grep "password" app-decompiled/sources/com/example/app/LoginActivity.java

5. GUI Mode (Interactive Analysis)

Launch GUI:

jadx-gui app.apk

GUI features:

Full-text search: Ctrl+Shift+F (search all code)
Find usage: Right-click on class/method → "Find usage"
Go to declaration: Ctrl+Click on any class/method
Decompilation: Click any class to see Java code
Save decompiled code: File → Save all
Export options: File → Export as Gradle project

GUI workflow:

Open APK with jadx-gui
Browse package structure in left panel
Use search (Ctrl+Shift+F) to find keywords
Click results to view code in context
Follow cross-references with Ctrl+Click
Save interesting findings

6. Integration with Other Tools

Combine Jadx with Apktool

Both tools complement each other:

Jadx strengths:

Readable Java source code
Easy to understand logic
Fast searching through code

Apktool strengths:

Accurate resource extraction
Smali code (closer to original)
Can rebuild/repackage APKs

Recommended workflow:

# Use jadx for code analysis
jadx --deobf app.apk -d app-jadx

# Use apktool for resources and smali
apktool d app.apk -o app-apktool

# Analyze both outputs
grep -r "API_KEY" app-jadx/sources/
grep -r "api_key" app-apktool/res/

Common Workflows

Workflow 1: Security Assessment

# 1. Decompile with deobfuscation
jadx --deobf app.apk -d app-decompiled

# 2. Search for hardcoded secrets
echo "[+] Searching for API keys..."
grep -ri "api.*key\|apikey" app-decompiled/sources/ | tee findings-apikeys.txt

echo "[+] Searching for passwords..."
grep -ri "password\|passwd\|pwd" app-decompiled/sources/ | tee findings-passwords.txt

echo "[+] Searching for URLs..."
grep -rE "https?://[^\"]+" app-decompiled/sources/ | tee findings-urls.txt

# 3. Check crypto usage
echo "[+] Checking crypto implementations..."
grep -r "Cipher\|SecretKey\|KeyStore" app-decompiled/sources/ | tee findings-crypto.txt

# 4. Check for insecure storage
echo "[+] Checking storage mechanisms..."
grep -r "SharedPreferences\|SQLite\|openFileOutput" app-decompiled/sources/ | tee findings-storage.txt

# 5. Summary
echo "[+] Analysis complete. Check findings-*.txt files"

Workflow 2: IoT App Analysis

For IoT companion apps, find device communication:

# 1. Decompile
jadx --deobf iot-app.apk -d iot-app-decompiled

# 2. Find device communication
echo "[+] Finding device endpoints..."
grep -rE "https?://[^\"]+" iot-app-decompiled/sources/ | \
  grep -v "google\|android\|facebook" | \
  tee device-endpoints.txt

# 3. Find API structure
echo "[+] Finding API definitions..."
grep -r "@GET\|@POST\|@PUT" iot-app-decompiled/sources/ | tee api-endpoints.txt

# 4. Find authentication
echo "[+] Finding auth mechanisms..."
grep -r "Authorization\|authentication\|apiKey" iot-app-decompiled/sources/ | tee auth-methods.txt

# 5. Find device discovery
echo "[+] Finding device discovery..."
grep -r "discover\|scan\|broadcast\|mdns" iot-app-decompiled/sources/ | tee device-discovery.txt

# 6. Check for certificate pinning
echo "[+] Checking certificate pinning..."
grep -r "CertificatePinner\|TrustManager" iot-app-decompiled/sources/ | tee cert-pinning.txt

Workflow 3: Quick Credential Check

# Fast decompilation without resources
jadx --no-res --deobf app.apk -d app-code

# Search for common credential patterns
grep -r "username.*password\|user.*pass" app-code/sources/
grep -r "admin\|root\|default.*password" app-code/sources/
grep -r "hardcoded\|TODO.*password\|FIXME.*password" app-code/sources/

Workflow 4: API Endpoint Discovery

# Decompile
jadx app.apk -d app-decompiled

# Find Retrofit/REST API definitions
find app-decompiled/sources -name "*Api*.java" -o -name "*Service*.java" -o -name "*Client*.java"

# Extract all endpoints
grep -r "@GET\|@POST\|@PUT\|@DELETE\|@PATCH" app-decompiled/sources/ | \
  sed 's/.*@\(GET\|POST\|PUT\|DELETE\|PATCH\)("\([^"]*\)".*/\1 \2/' | \
  sort -u

# Find base URLs
grep -r "baseUrl\|BASE_URL\|API_BASE" app-decompiled/sources/

Workflow 5: Batch Processing Multiple APKs

# Decompile multiple APKs
for apk in *.apk; do
  name=$(basename "$apk" .apk)
  echo "[+] Processing $apk..."
  jadx --no-res --deobf "$apk" -d "decompiled-$name"

  # Quick search for secrets
  grep -r "api.*key\|password\|secret" "decompiled-$name/sources/" > "findings-$name.txt"
done

echo "[+] All APKs processed. Check findings-*.txt files"

Best Practices

1. Always Use Deobfuscation for Production Apps

# Most production apps are obfuscated
jadx --deobf app.apk -d output

Without --deobf, you'll see code like:

public class a {
    public void b(String c) { ... }
}

With --deobf, jadx attempts meaningful names:

public class NetworkClient {
    public void sendRequest(String url) { ... }
}

2. Use Multi-threading for Large Apps

# Faster decompilation
jadx -j 8 large-app.apk -d output

3. Skip Resources for Code-Only Analysis

# 3-5x faster when you only need code
jadx --no-res app.apk -d output

4. Search Systematically

Create a search checklist:

API keys and secrets
Hardcoded credentials
URLs and endpoints
Crypto implementations
Insecure storage
WebView vulnerabilities
Debug/logging code
Commented-out sensitive code

5. Use GUI for Deep Analysis

For complex apps:

Use CLI for initial decompilation
Search for interesting patterns
Open in GUI for detailed exploration
Use cross-references to trace code flow

6. Combine with Runtime Analysis

Static analysis (jadx) + dynamic analysis:

Use jadx to find API endpoints
Test endpoints with curl/burp
Use jadx to understand auth flow
Test auth with runtime instrumentation (Frida)

Troubleshooting

Problem: Decompilation fails with errors

Solution: Use fallback mode or show bad code:

jadx --fallback --show-bad-code app.apk -d output

Problem: Code is unreadable (obfuscated)

Solution: Enable deobfuscation:

jadx --deobf app.apk -d output

Problem: Out of memory error

Solution: Increase Java heap size:

export JAVA_OPTS="-Xmx4096m"
jadx app.apk -d output

Or use the built-in option:

jadx -Xmx4096m app.apk -d output

Problem: Decompilation is very slow

Solution: Skip resources or use more threads:

jadx --no-res -j 8 app.apk -d output

Problem: Some methods show "Can't load method"

Solution: Use --show-bad-code to see partial decompilation:

jadx --show-bad-code app.apk -d output

Problem: GUI won't open APK

Solution: Use CLI first to check for errors:

jadx app.apk -d test-output
# If successful, try GUI again

Advanced Features

Export as Gradle Project

jadx --export-gradle app.apk -d app-project
cd app-project
./gradlew build

Creates a buildable Android Studio project.

Generate Deobfuscation Map

jadx --deobf --deobf-use-sourcename app.apk -d output
# Check output/mapping.txt for name mappings

Custom Decompilation Options

# All options combined
jadx \
  --deobf \
  --deobf-use-sourcename \
  --show-bad-code \
  --no-imports \
  --no-inline-anonymous \
  --no-replace-consts \
  app.apk -d output

Integration with IoTHackBot Tools

Jadx fits into the IoTHackBot workflow:

APK → API Discovery:
- Decompile IoT app with jadx
- Extract API endpoints
- Test endpoints with network tools
APK → Credential Extraction:
- Find hardcoded credentials
- Test against IoT devices
- Use with onvifscan, telnetshell
APK → Protocol Analysis:
- Understand device communication protocol
- Capture traffic with iotnet
- Replay/modify with custom scripts
APK → Device Enumeration:
- Find device discovery mechanisms
- Use wsdiscovery for ONVIF devices
- Use nmap for network scanning

Quick Reference

# Basic decompilation
jadx <apk> -d <output-dir>

# With deobfuscation (recommended)
jadx --deobf <apk> -d <output-dir>

# Fast (no resources)
jadx --no-res <apk> -d <output-dir>

# Multi-threaded
jadx -j <threads> <apk> -d <output-dir>

# Show problematic code
jadx --show-bad-code <apk> -d <output-dir>

# Export as Gradle project
jadx --export-gradle <apk> -d <output-dir>

# GUI mode
jadx-gui <apk>

# Fallback mode
jadx --fallback <apk> -d <output-dir>

Security Analysis Checklist

Use this checklist when analyzing APKs with jadx:

Decompile with deobfuscation enabled
Search for hardcoded API keys
Search for hardcoded credentials
Find all HTTP/HTTPS URLs
Check crypto implementations (algorithms, key generation)
Check certificate pinning implementation
Find SharedPreferences usage (storage security)
Check WebView security settings
Find database operations (SQL injection)
Check for debug/logging code
Find exported components (from manifest)
Check authentication/authorization logic
Find file operations (path traversal)
Check for native library loading
Document all findings

Important Notes

Jadx produces Java source, which is approximate (not original)
Some optimizations/obfuscations may produce uncompilable code
Decompiled code may differ slightly from original source
Always cross-check findings with runtime analysis
Jadx works best with apps compiled with standard tools
Heavily obfuscated/protected apps may have limited decompilation
Some anti-tampering mechanisms detect decompilation

Security and Ethics

IMPORTANT: Only decompile APKs you own or have permission to analyze.

Respect intellectual property and licensing
Follow responsible disclosure for vulnerabilities
Don't distribute decompiled source code
Be aware of terms of service and EULAs
Use for authorized security testing and research only
Some jurisdictions have laws against reverse engineering

Success Criteria

A successful jadx analysis includes:

APK successfully decompiled to readable Java code
Deobfuscation applied (if app was obfuscated)
All source code searchable and readable
Security-relevant findings documented
API endpoints and URLs extracted
Crypto and authentication logic understood
Integration points with other systems identified
Findings verified with runtime testing when possible