apktool

Apktool - Android APK Unpacking and Resource Extraction

You are helping the user reverse engineer Android APK files using apktool for security analysis, vulnerability discovery, and understanding app internals.

Tool Overview

Apktool is a tool for reverse engineering Android APK files. It can decode resources to nearly original form and rebuild them after modifications. It's essential for:
  • Extracting readable AndroidManifest.xml
  • Decoding resources (XML layouts, strings, images)
  • Disassembling DEX to smali code
  • Analyzing app structure and permissions
  • Repackaging modified APKs

Prerequisites

  • apktool must be installed on the system
  • Java Runtime Environment (JRE) required
  • Sufficient disk space (unpacked APK is typically 2-5x original size)
  • Write permissions in output directory

Instructions

1. Basic APK Unpacking (Most Common)

When the user asks to unpack, decode, or analyze an APK:

**Standard decode command:**
```bash
apktool d <apk-file> -o <output-directory>
```

**Example:**
```bash
apktool d app.apk -o app-unpacked
```

**With force overwrite (if directory exists):**
```bash
apktool d app.apk -o app-unpacked -f
```

2. Understanding Output Structure

After unpacking, the output directory contains:
```
app-unpacked/
├── AndroidManifest.xml          # Readable manifest (permissions, components)
├── apktool.yml                  # Apktool metadata (version info, SDK levels)
├── original/                    # Original META-INF certificates
│   └── META-INF/
├── res/                         # Decoded resources
│   ├── layout/                  # XML layouts
│   ├── values/                  # Strings, colors, dimensions
│   ├── drawable/                # Images and drawables
│   └── ...
├── smali/                       # Disassembled DEX code (smali format)
│   └── com/company/app/         # Package structure
├── assets/                      # App assets (if present)
├── lib/                         # Native libraries (if present)
│   ├── arm64-v8a/
│   ├── armeabi-v7a/
│   └── ...
└── unknown/                     # Files apktool couldn't classify
```

3. Selective Decoding (Performance Optimization)

**Skip resources (code analysis only):**
```bash
apktool d app.apk -o app-code-only -r
# or
apktool d app.apk -o app-code-only --no-res
```
- Faster processing
- Only extracts smali code and manifest
- Use when you only need to analyze code logic

**Skip source code (resource analysis only):**
```bash
apktool d app.apk -o app-resources-only -s
# or
apktool d app.apk -o app-resources-only --no-src
```
- Faster processing
- Only extracts resources and manifest
- Use when you only need resources, strings, layouts

4. Common Analysis Tasks

A. Examining AndroidManifest.xml

The manifest reveals critical security information:
```bash
# After unpacking
cat app-unpacked/AndroidManifest.xml
```

**Look for:**
- **Permissions**: What device features/data the app accesses
- **Exported components**: Activities, services, receivers accessible from other apps
- **Intent filters**: How the app responds to system/app intents
- **Backup settings**: `android:allowBackup="true"` (security risk)
- **Debuggable flag**: `android:debuggable="true"` (major security issue)
- **Network security config**: Custom certificate pinning, cleartext traffic
- **Min/Target SDK versions**: Outdated versions may have vulnerabilities

**Example analysis commands:**
```bash
# Find all permissions
grep "uses-permission" app-unpacked/AndroidManifest.xml

# Find exported components
grep 'exported="true"' app-unpacked/AndroidManifest.xml

# Check if debuggable
grep "debuggable" app-unpacked/AndroidManifest.xml

# Find all activities
grep "android:name.*Activity" app-unpacked/AndroidManifest.xml
```
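The `grep` checks above only match attributes that are written out, so a component that declares an `<intent-filter>` but omits `android:exported` goes unreported even though it is exported by default on apps targeting API levels below 31. The following added example (not part of the original page; `audit_manifest` and the sample manifest are constructed for illustration) parses the decoded manifest with Python's standard library and reports both cases:

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample in the shape apktool emits; not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:allowBackup="true" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true"/>
        <service android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.demo.SYNC"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <activity android:name=".SettingsActivity" android:exported="false"/>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Return the android:<name> attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Parse a decoded AndroidManifest.xml and return a dict of findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "permissions": [_attr(p, "name") for p in root.iter("uses-permission")],
        "debuggable": False,
        "allow_backup": None,   # None = attribute absent, platform default applies
        "cleartext": None,
        "exported": [],         # android:exported="true" written out
        "implicit": [],         # intent-filter present, android:exported absent
    }
    if app is None:
        return findings
    findings["debuggable"] = _attr(app, "debuggable") == "true"
    findings["allow_backup"] = _attr(app, "allowBackup")
    findings["cleartext"] = _attr(app, "usesCleartextTraffic")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        # (tag, component name, guarding permission or None)
        entry = (comp.tag, _attr(comp, "name"), _attr(comp, "permission"))
        exported = _attr(comp, "exported")
        if exported == "true":
            findings["exported"].append(entry)
        elif exported is None and comp.find("intent-filter") is not None:
            findings["implicit"].append(entry)
    return findings


if __name__ == "__main__":
    # Pass app-unpacked/AndroidManifest.xml as argv[1], or run on the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, "rb").read() if path else SAMPLE_MANIFEST
    for key, value in audit_manifest(text).items():
        print(f"{key}: {value}")
```

On a real decode, weigh the `implicit` entries against the target SDK level recorded in `apktool.yml`, and treat exported components with no guarding permission as the first ones to review.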

B. Extracting Strings and Resources

```bash
# View all string resources
cat app-unpacked/res/values/strings.xml

# Search for API keys, URLs, credentials
grep -r "api" app-unpacked/res/values/
grep -r "http" app-unpacked/res/values/
grep -rE "password|secret|key|token" app-unpacked/res/values/

# Find hardcoded URLs in resources
grep -rE "https?://" app-unpacked/res/
```

C. Analyzing Smali Code

Smali is the disassembled Dalvik bytecode format:
```bash
# Find specific class
find app-unpacked/smali -name "Login.smali"
find app-unpacked/smali -name "Auth.smali"

# Search for security-relevant code
grep -rE "crypto|encrypt|decrypt" app-unpacked/smali/
grep -rE "http|https|url" app-unpacked/smali/
grep -rE "password|credential|token" app-unpacked/smali/

# Find native library usage (smali writes the call as System;->loadLibrary)
grep -r "System;->loadLibrary" app-unpacked/smali/

# Find file operations
grep -rE "openFileOutput|openFileInput" app-unpacked/smali/
```

**Note**: Smali is harder to read than Java source. Consider using jadx for Java decompilation for easier analysis.

D. Examining Native Libraries

```bash
# List native libraries
ls -lah app-unpacked/lib/

# Check architectures supported
ls app-unpacked/lib/

# Identify library types
file app-unpacked/lib/arm64-v8a/*.so

# Search for interesting strings in libraries
strings app-unpacked/lib/arm64-v8a/libnative.so | grep -iE "http|key|password"
```

5. Repackaging APK (Build)

After modifying resources or smali code:
```bash
apktool b app-unpacked -o app-modified.apk
```

**Important**: Rebuilt APKs must be signed before installation:
```bash
# Generate keystore (one-time setup)
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-key-alias

# Sign APK
jarsigner -verbose -keystore my-release-key.jks app-modified.apk my-key-alias

# Verify signature
jarsigner -verify app-modified.apk

# Zipalign (optimization)
zipalign -v 4 app-modified.apk app-modified-aligned.apk
```

6. Framework Management

For system apps or apps dependent on device manufacturer frameworks:
```bash
# Install framework
apktool if framework-res.apk

# List installed frameworks
apktool list-frameworks

# Decode with specific framework
apktool d -t <tag> app.apk
```

Common Workflows

Workflow 1: Security Analysis

```bash
# 1. Unpack APK
apktool d target.apk -o target-unpacked

# 2. Examine manifest for security issues
cat target-unpacked/AndroidManifest.xml

# 3. Search for hardcoded credentials
grep -rE "password|api_key|secret|token" target-unpacked/res/

# 4. Check for debuggable flag
grep "debuggable" target-unpacked/AndroidManifest.xml

# 5. Find exported components
grep 'exported="true"' target-unpacked/AndroidManifest.xml

# 6. Examine network security config
cat target-unpacked/res/xml/network_security_config.xml 2>/dev/null
```

Workflow 2: IoT App Analysis

For IoT companion apps, find device communication details:
```bash
# 1. Unpack APK
apktool d iot-app.apk -o iot-app-unpacked

# 2. Search for device endpoints
grep -rE "https?://[^\"']+" iot-app-unpacked/res/ | grep -vE "google|android"

# 3. Find API keys
grep -E "api|key" iot-app-unpacked/res/values/strings.xml

# 4. Locate device communication code
find iot-app-unpacked/smali -name "Device.smali"
find iot-app-unpacked/smali -name "Network.smali"
find iot-app-unpacked/smali -name "Api.smali"

# 5. Check for certificate pinning
grep -rE "certificatePinner|TrustManager" iot-app-unpacked/smali/
```

Workflow 3: Resource Extraction Only

```bash
# Fast resource-only extraction
apktool d app.apk -o app-resources -s

# Extract app icon
cp app-resources/res/mipmap-xxxhdpi/ic_launcher.png ./

# Extract strings for localization
cat app-resources/res/values*/strings.xml

# Extract layouts for UI analysis
ls app-resources/res/layout/
```

Workflow 4: Quick Code Check (No Resources)

```bash
# Fast code-only extraction
apktool d app.apk -o app-code -r

# Analyze smali quickly
grep -r "http" app-code/smali/ | head -20
grep -r "password" app-code/smali/
```

Output Formats

Apktool doesn't have built-in output format options, but you can structure your analysis:

**For human-readable reports:**
```bash
# Generate analysis report
{
  echo "=== APK Analysis Report ==="
  echo "APK: app.apk"
  echo "Date: $(date)"
  echo ""
  echo "=== Permissions ==="
  grep "uses-permission" app-unpacked/AndroidManifest.xml
  echo ""
  echo "=== Exported Components ==="
  grep 'exported="true"' app-unpacked/AndroidManifest.xml
  echo ""
  echo "=== Package Info ==="
  grep "package=" app-unpacked/AndroidManifest.xml
} > apk-analysis-report.txt
```

Integration with IoTHackBot Tools

Apktool works well with other analysis workflows:
  1. APK → Network Analysis:
    • Extract API endpoints from resources
    • Use extracted URLs with curl/wget for testing
    • Feed endpoints to network testing tools
  2. APK → Credential Discovery:
    • Find hardcoded credentials in resources
    • Test credentials against IoT devices
    • Use with onvifscan or other device testing tools
  3. APK → Code Analysis:
    • Extract smali code with apktool
    • Decompile to Java with jadx for easier reading
    • Cross-reference findings between both tools

Best Practices

1. Always Examine the Manifest First

```bash
apktool d app.apk -o app-unpacked
cat app-unpacked/AndroidManifest.xml | less
```
The manifest provides the roadmap for further analysis.

2. Use Selective Decoding for Speed

  • Code only: `-r` flag
  • Resources only: `-s` flag
  • Full decode: No flags (default)

3. Search Systematically

```bash
# Create analysis script
cat > analyze.sh << 'EOF'
#!/bin/bash
APK_DIR="$1"

echo "[+] Searching for URLs..."
grep -rE "https?://" "$APK_DIR/res/" | grep -vE "schema|google|android"

echo "[+] Searching for API keys..."
grep -riE "api.*key|apikey" "$APK_DIR/res/"

echo "[+] Searching for secrets..."
grep -riE "secret|password|credential" "$APK_DIR/res/"
EOF

chmod +x analyze.sh
./analyze.sh app-unpacked
```

4. Document Your Findings

Keep notes on:
  • APK package name and version
  • Interesting permissions
  • Hardcoded credentials/URLs
  • Exported components
  • Security misconfigurations

5. Combine with Jadx

Use both tools together:
  • Apktool: For resources, manifest, and detailed smali
  • Jadx: For readable Java source code

Troubleshooting

Problem: "brut.directory.DirectoryException: Framework"

Solution: Install framework resources:
```bash
apktool if <framework-res.apk>
```

Problem: Decoding fails with resource errors

Solution: Use the `--keep-broken-res` flag:
```bash
apktool d app.apk -o output --keep-broken-res
```

Problem: "Input file was not found or was not readable"

Solution: Check file path and permissions:
```bash
ls -l app.apk
file app.apk  # Should show "Zip archive data"
```

Problem: Out of memory error

Solution: Increase Java heap size:
```bash
export _JAVA_OPTIONS="-Xmx2048m"
apktool d large-app.apk
```

Problem: Build fails after modifications

Solution: Validate your smali/XML syntax:
```bash
# Check for syntax errors
apktool b app-unpacked -o test.apk --use-aapt2
```

Problem: APK won't install after repackaging

Solution: Sign the APK:
```bash
jarsigner -verbose -keystore debug.keystore rebuilt.apk androiddebugkey
```

Important Notes

  • Apktool requires Java Runtime Environment (JRE)
  • Decoded APKs are typically 2-5x larger than original
  • Smali code is more verbose than Java source (use jadx for Java)
  • Always work on copies of APK files, never originals
  • Repackaging requires signing before installation
  • Some obfuscated apps may have unreadable class/method names
  • System apps may require framework installation

Security and Ethics

IMPORTANT: Only analyze APKs you own or have permission to analyze.
  • Respect intellectual property and licensing
  • Follow responsible disclosure for vulnerabilities
  • Don't distribute modified APKs without authorization
  • Be aware of terms of service and EULAs
  • Use for authorized security testing and research only

Example Analysis Session

```bash
# Complete analysis workflow
TARGET="myapp.apk"
OUTPUT="myapp-analysis"

# 1. Unpack
echo "[+] Unpacking APK..."
apktool d "$TARGET" -o "$OUTPUT"

# 2. Basic info
echo "[+] Package info:"
grep "package=" "$OUTPUT/AndroidManifest.xml"

# 3. Permissions
echo "[+] Permissions:"
grep "uses-permission" "$OUTPUT/AndroidManifest.xml"

# 4. Exported components
echo "[+] Exported components:"
grep 'exported="true"' "$OUTPUT/AndroidManifest.xml"

# 5. Search for secrets
echo "[+] Searching for hardcoded secrets..."
grep -rE "api.*key|password|secret" "$OUTPUT/res/" | grep -v "^Binary"

# 6. Find URLs
echo "[+] Finding URLs..."
grep -rE "https?://[^\"']+" "$OUTPUT/res/" | grep -vE "schema|xmlns"

# 7. Check debuggable
echo "[+] Debug status:"
grep "debuggable" "$OUTPUT/AndroidManifest.xml" || echo "Not debuggable (good)"

# 8. Summary
echo "[+] Analysis complete. Output in: $OUTPUT/"
```

Success Criteria

A successful apktool analysis includes:
  • APK successfully decoded without errors
  • AndroidManifest.xml is readable and analyzed
  • Resources extracted and searchable
  • Smali code available for inspection
  • Security-relevant findings documented
  • Output organized in clear directory structure
  • Any modifications can be repackaged if needed

Quick Reference

```bash
# Decode (unpack)
apktool d <apk> -o <output-dir>

# Decode with force overwrite
apktool d <apk> -o <output-dir> -f

# Decode without resources (faster)
apktool d <apk> -o <output-dir> -r

# Decode without source (faster)
apktool d <apk> -o <output-dir> -s

# Build (repack)
apktool b <unpacked-dir> -o <output-apk>

# Install framework
apktool if <framework.apk>

# Empty framework cache
apktool empty-framework-dir
```