Jadx - Android APK Decompiler

You are helping the user decompile Android APK files using jadx to convert DEX bytecode into readable Java source code for security analysis, vulnerability discovery, and understanding app internals.

Tool Overview

Jadx is a dex to Java decompiler that produces clean, readable Java source code from Android APK files. Unlike apktool (which produces smali), jadx generates actual Java code that's much easier to read and analyze. It's essential for:
  • Converting DEX bytecode to readable Java source
  • Understanding app logic and control flow
  • Finding security vulnerabilities in code
  • Discovering hardcoded credentials, API keys, URLs
  • Analyzing encryption/authentication implementations
  • Searching through code with familiar Java syntax

Prerequisites

  • jadx (and optionally jadx-gui) must be installed
  • Java Runtime Environment (JRE) required
  • Sufficient disk space (decompiled output is typically 3-10x APK size)
  • Write permissions in output directory

GUI vs CLI

Jadx provides two interfaces:
CLI (jadx): Command-line interface
  • Best for automation and scripting
  • Batch processing multiple APKs
  • Integration with other tools
  • Headless server environments
GUI (jadx-gui): Graphical interface
  • Interactive code browsing
  • Built-in search functionality
  • Cross-references and navigation
  • Easier for manual analysis
  • Syntax highlighting
When to use each:
  • Use CLI for automated analysis, scripting, CI/CD pipelines
  • Use GUI for interactive exploration and deep-dive analysis

Instructions

1. Basic APK Decompilation (Most Common)

Standard decompile command:
```bash
jadx <apk-file> -d <output-directory>
```
Example:
```bash
jadx app.apk -d app-decompiled
```
With deobfuscation (recommended for obfuscated apps):
```bash
jadx --deobf app.apk -d app-decompiled
```

2. Understanding Output Structure

After decompilation, the output directory contains:
```
app-decompiled/
├── sources/                           # Java source code
│   └── com/company/app/              # Package structure
│       ├── MainActivity.java
│       ├── utils/
│       ├── network/
│       └── ...
└── resources/                         # Decoded resources
    ├── AndroidManifest.xml           # Readable manifest
    ├── res/                          # Resources
    │   ├── layout/                   # XML layouts
    │   ├── values/                   # Strings, colors
    │   ├── drawable/                 # Images
    │   └── ...
    └── assets/                       # App assets
```

3. Decompilation Options

A. Performance Options

Multi-threaded decompilation (faster):
```bash
jadx -j 4 app.apk -d output
```
`-j` specifies the number of threads (default: CPU cores).

**Skip resources (code only, much faster):**
```bash
jadx --no-res app.apk -d output
```
**Skip source code (resources only):**
```bash
jadx --no-src app.apk -d output
```

B. Deobfuscation Options

Enable deobfuscation:
```bash
jadx --deobf app.apk -d output
```
  • Renames obfuscated classes (a.b.c → meaningful names)
  • Attempts to recover original names
  • Makes code much more readable
  • Essential for obfuscated/minified apps
Deobfuscation map output:
```bash
jadx --deobf --deobf-rewrite-cfg --deobf-use-sourcename app.apk -d output
```
  • More aggressive deobfuscation
  • Uses source file names as hints (`--deobf-use-sourcename`)
  • Forces the deobfuscation map file to be rewritten (`--deobf-rewrite-cfg`)

C. Output Control

Show inconsistent/bad code:
```bash
jadx --show-bad-code app.apk -d output
```
  • Shows code that couldn't be decompiled cleanly
  • Useful for finding obfuscation or anti-decompilation tricks
  • May contain syntax errors but reveals structure
Export as Gradle project:
```bash
jadx --export-gradle app.apk -d output
```
  • Creates a buildable Gradle Android project
  • Useful for rebuilding/modifying the app
  • Includes build.gradle files
Fallback mode (when decompilation fails):
```bash
jadx --fallback app.apk -d output
```
  • Uses an alternative decompilation strategy
  • Produces less clean code but handles edge cases

4. Common Analysis Tasks

A. Searching for Sensitive Information

After decompilation, search for common security issues. The patterns below use `|` alternation, so they need `grep -E` (plain `grep` treats `|` as a literal character), and the URL pattern must be single-quoted because it contains a double quote:
```bash
# Search for API keys
grep -rE "api.*key|apikey|API_KEY" app-decompiled/sources/

# Search for passwords and credentials
grep -rE "password|credential|secret" app-decompiled/sources/

# Search for hardcoded URLs
grep -rE 'https?://[^"]+' app-decompiled/sources/

# Search for encryption keys
grep -rE "AES|DES|RSA|encryption.*key" app-decompiled/sources/

# Search for tokens
grep -rE "token|auth.*token|bearer" app-decompiled/sources/

# Search for database passwords
grep -rE "jdbc|database|db.*password" app-decompiled/sources/
```
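The same checklist as a small scanner, added here as an example; it is not code from the original page or from the jadx project. It walks a jadx `sources/` tree with Python regexes (which avoids the grep alternation pitfall), records file and line for each hit, and pulls the string literal off the line so the finding carries the actual value. The `Config.java` it scans is constructed for the demo; the `PATTERNS` table and the function names are this example's own.

```python
"""Scan a jadx sources/ tree for the secret patterns on the checklist above."""
import os
import re
import tempfile

# One regex per checklist category (case handling chosen per pattern).
PATTERNS = {
    "api_key": re.compile(r"api[_-]?key|apikey", re.IGNORECASE),
    "credential": re.compile(r"password|passwd|credential|secret", re.IGNORECASE),
    "url": re.compile(r'https?://[^"\s]+'),
    "crypto": re.compile(r"\b(AES|DES|RSA)\b|encryption.*key"),
    "token": re.compile(r"\btoken\b|bearer", re.IGNORECASE),
    "database": re.compile(r"jdbc|db[_.]?password", re.IGNORECASE),
}

# A Java string literal, allowing escaped quotes inside it.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def scan_sources(root):
    """Walk root (a jadx 'sources' directory) and return a list of finding dicts."""
    findings = []
    for dirpath, _, files in sorted(os.walk(root)):
        for name in sorted(files):
            if not name.endswith(".java"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for category, pattern in PATTERNS.items():
                        if not pattern.search(line):
                            continue
                        literal = STRING_LITERAL.search(line)
                        findings.append({
                            "category": category,
                            "file": os.path.relpath(path, root),
                            "line": lineno,
                            # Prefer the literal value; fall back to the whole line.
                            "value": literal.group(1) if literal else line.strip(),
                        })
    return findings


# Constructed sample: what a decompiled config class typically looks like.
SAMPLE_JAVA = """package com.example.app;

public class Config {
    public static final String API_KEY = "AKIAEXAMPLEKEY1234";
    private static final String BASE_URL = "https://api.example.com/v1/";
    static final String DB_PASSWORD = "changeme";
    private String token;
}
"""


def write_sample_tree():
    """Create a throwaway sources/ tree containing SAMPLE_JAVA and return its root."""
    root = tempfile.mkdtemp(prefix="jadx-sources-")
    pkg_dir = os.path.join(root, "com", "example", "app")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "Config.java"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_JAVA)
    return root


def demo():
    """Scan the constructed tree and return its findings."""
    return scan_sources(write_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['category']:<10} {f['file']}:{f['line']}  {f['value']}")
```

Point `scan_sources()` at a real `app-decompiled/sources/` directory to run it on jadx output; a line can legitimately land in two categories (the `DB_PASSWORD` line is both a credential and a database finding), which is useful when triaging by category.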

B. Finding Security Vulnerabilities

SQL Injection:
```bash
grep -r "SELECT.*FROM.*WHERE" app-decompiled/sources/ | grep -v "PreparedStatement"
grep -r "rawQuery\|execSQL" app-decompiled/sources/
```
Insecure Crypto:
```bash
grep -r "DES\|MD5\|SHA1" app-decompiled/sources/
grep -r "SecureRandom.*setSeed" app-decompiled/sources/
grep -r "Cipher.getInstance" app-decompiled/sources/ | grep -v "AES/GCM"
```
Insecure Storage:
```bash
grep -r "SharedPreferences" app-decompiled/sources/
grep -r "MODE_WORLD_READABLE\|MODE_WORLD_WRITABLE" app-decompiled/sources/
grep -r "openFileOutput" app-decompiled/sources/
```
WebView vulnerabilities:
```bash
grep -r "setJavaScriptEnabled.*true" app-decompiled/sources/
grep -r "addJavascriptInterface" app-decompiled/sources/
grep -r "WebView.*loadUrl" app-decompiled/sources/
```
Certificate pinning bypass:
```bash
grep -r "TrustManager\|HostnameVerifier" app-decompiled/sources/
grep -r "checkServerTrusted" app-decompiled/sources/
```
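The insecure-crypto grep above lists every `Cipher.getInstance` call that is not GCM, but it does not say how bad each one is, and it cannot flag the quietest problem: a bare `"AES"` transformation, which the Android JCA providers resolve to ECB mode with PKCS#5 padding. The following classifier is an added example, not code from the original page or the jadx project: it extracts each transformation string (or the variable name when the argument is not a literal) and assigns a severity. The `SAMPLE_JAVA` snippet and the severity table are constructed for the demo.

```python
"""Rate the Cipher.getInstance() transformations found in decompiled code."""
import re

# Matches Cipher.getInstance("LITERAL") as well as Cipher.getInstance(some.variable).
CIPHER_CALL = re.compile(r'Cipher\.getInstance\(\s*(?:"([^"]+)"|([A-Za-z_][\w.]*))')

LEGACY_ALGORITHMS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
AEAD_MODES = {"GCM", "CCM"}  # modes that authenticate the ciphertext


def rate_transformation(spec):
    """Return (severity, reason) for a JCA transformation such as 'AES/CBC/PKCS5Padding'."""
    parts = [p.strip().upper() for p in spec.split("/")]
    algo = parts[0]
    mode = parts[1] if len(parts) > 1 else None
    padding = parts[2] if len(parts) > 2 else None
    if algo in LEGACY_ALGORITHMS:
        return "high", f"{algo} is a legacy cipher with a small block or key size"
    if algo == "RSA":
        if padding == "NOPADDING":
            return "high", "textbook RSA (no padding) is malleable"
        if padding is None or padding == "PKCS1PADDING":
            return "medium", "RSA without OAEP padding"
        return "ok", f"RSA with {padding}"
    if algo == "AES":
        if mode is None or mode == "ECB":
            return "high", "ECB mode (explicit or provider default) leaks plaintext structure"
        if mode in AEAD_MODES:
            return "ok", f"authenticated mode {mode}"
        return "medium", f"{mode} is unauthenticated; the ciphertext needs a MAC"
    return "review", f"unrecognised algorithm {algo}"


def classify_source(java_source):
    """Return [(transformation, severity, reason), ...] in source order."""
    results = []
    for match in CIPHER_CALL.finditer(java_source):
        literal, identifier = match.group(1), match.group(2)
        if literal is not None:
            results.append((literal, *rate_transformation(literal)))
        else:
            # Non-literal argument: the value has to be traced in the decompiled code.
            results.append((identifier, "review", "transformation is built at runtime"))
    return results


# Constructed sample of the calls a jadx search for Cipher.getInstance turns up.
SAMPLE_JAVA = """
Cipher c1 = Cipher.getInstance("AES");
Cipher c2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher c3 = Cipher.getInstance("AES/GCM/NoPadding");
Cipher c4 = Cipher.getInstance("DES/ECB/PKCS5Padding");
Cipher c5 = Cipher.getInstance("RSA/ECB/PKCS1Padding");
Cipher c6 = Cipher.getInstance(this.transformation);
"""

if __name__ == "__main__":
    for spec, severity, reason in classify_source(SAMPLE_JAVA):
        print(f"{severity:<7} {spec:<24} {reason}")
```

Feed it the concatenated output of the grep (or read each flagged `.java` file) and sort by severity; the `review` entries are the ones where the transformation is assembled at runtime and the GUI's cross-references are the quickest way to find its value.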

C. Understanding App Logic

Find entry points (`-E` is needed wherever the pattern uses `|`):
```bash
# Main activities
grep -rE "extends Activity|extends AppCompatActivity" app-decompiled/sources/

# Application class
grep -r "extends Application" app-decompiled/sources/

# Services
grep -r "extends Service" app-decompiled/sources/

# Broadcast receivers
grep -r "extends BroadcastReceiver" app-decompiled/sources/
```
**Trace network communication:**
```bash
# Find HTTP client usage
grep -rE "HttpURLConnection|OkHttpClient|Retrofit" app-decompiled/sources/

# Find API endpoints
grep -rE "@GET|@POST|@PUT|@DELETE" app-decompiled/sources/

# Find base URLs
grep -rE "baseUrl|BASE_URL|API_URL" app-decompiled/sources/
```
**Find authentication logic:**
```bash
grep -r "login\|Login\|authenticate\|Authorization" app-decompiled/sources/
grep -r "jwt\|JWT\|bearer\|Bearer" app-decompiled/sources/
```

D. Analyzing Specific Classes

After identifying interesting classes, read them directly:
```bash
# View specific class
cat app-decompiled/sources/com/example/app/LoginActivity.java

# Use less for pagination
less app-decompiled/sources/com/example/app/network/ApiClient.java

# Search within specific class
grep "password" app-decompiled/sources/com/example/app/LoginActivity.java
```

5. GUI Mode (Interactive Analysis)

Launch GUI:
```bash
jadx-gui app.apk
```
GUI features:
  • Full-text search: Ctrl+Shift+F (search all code)
  • Find usage: Right-click on class/method → "Find usage"
  • Go to declaration: Ctrl+Click on any class/method
  • Decompilation: Click any class to see Java code
  • Save decompiled code: File → Save all
  • Export options: File → Export as Gradle project
GUI workflow:
  1. Open APK with jadx-gui
  2. Browse package structure in left panel
  3. Use search (Ctrl+Shift+F) to find keywords
  4. Click results to view code in context
  5. Follow cross-references with Ctrl+Click
  6. Save interesting findings

6. Integration with Other Tools

Combine Jadx with Apktool

Both tools complement each other:
Jadx strengths:
  • Readable Java source code
  • Easy to understand logic
  • Fast searching through code
Apktool strengths:
  • Accurate resource extraction
  • Smali code (closer to original)
  • Can rebuild/repackage APKs
Recommended workflow:
```bash
# Use jadx for code analysis
jadx --deobf app.apk -d app-jadx

# Use apktool for resources and smali
apktool d app.apk -o app-apktool

# Analyze both outputs
grep -r "API_KEY" app-jadx/sources/
grep -r "api_key" app-apktool/res/
```

Common Workflows

Workflow 1: Security Assessment

```bash
# 1. Decompile with deobfuscation
jadx --deobf app.apk -d app-decompiled

# 2. Search for hardcoded secrets
echo "[+] Searching for API keys..."
grep -riE "api.*key|apikey" app-decompiled/sources/ | tee findings-apikeys.txt
echo "[+] Searching for passwords..."
grep -riE "password|passwd|pwd" app-decompiled/sources/ | tee findings-passwords.txt
echo "[+] Searching for URLs..."
grep -rE 'https?://[^"]+' app-decompiled/sources/ | tee findings-urls.txt

# 3. Check crypto usage
echo "[+] Checking crypto implementations..."
grep -rE "Cipher|SecretKey|KeyStore" app-decompiled/sources/ | tee findings-crypto.txt

# 4. Check for insecure storage
echo "[+] Checking storage mechanisms..."
grep -rE "SharedPreferences|SQLite|openFileOutput" app-decompiled/sources/ | tee findings-storage.txt

# 5. Summary
echo "[+] Analysis complete. Check findings-*.txt files"
```

Workflow 2: IoT App Analysis

For IoT companion apps, find device communication:
```bash
# 1. Decompile
jadx --deobf iot-app.apk -d iot-app-decompiled

# 2. Find device communication
echo "[+] Finding device endpoints..."
grep -rE 'https?://[^"]+' iot-app-decompiled/sources/ |
  grep -vE "google|android|facebook" |
  tee device-endpoints.txt

# 3. Find API structure
echo "[+] Finding API definitions..."
grep -rE "@GET|@POST|@PUT" iot-app-decompiled/sources/ | tee api-endpoints.txt

# 4. Find authentication
echo "[+] Finding auth mechanisms..."
grep -rE "Authorization|authentication|apiKey" iot-app-decompiled/sources/ | tee auth-methods.txt

# 5. Find device discovery
echo "[+] Finding device discovery..."
grep -rE "discover|scan|broadcast|mdns" iot-app-decompiled/sources/ | tee device-discovery.txt

# 6. Check for certificate pinning
echo "[+] Checking certificate pinning..."
grep -rE "CertificatePinner|TrustManager" iot-app-decompiled/sources/ | tee cert-pinning.txt
```

Workflow 3: Quick Credential Check

```bash
# Fast decompilation without resources
jadx --no-res --deobf app.apk -d app-code

# Search for common credential patterns
grep -rE "username.*password|user.*pass" app-code/sources/
grep -rE "admin|root|default.*password" app-code/sources/
grep -rE "hardcoded|TODO.*password|FIXME.*password" app-code/sources/
```

Workflow 4: API Endpoint Discovery

```bash
# Decompile
jadx app.apk -d app-decompiled

# Find Retrofit/REST API definitions (wildcards so UserApi.java, AuthService.java etc. match)
find app-decompiled/sources -name "*Api.java" -o -name "*Service.java" -o -name "*Client.java"

# Extract all endpoints as "METHOD path" pairs
grep -rE "@(GET|POST|PUT|DELETE|PATCH)" app-decompiled/sources/ |
  sed -E 's/.*@(GET|POST|PUT|DELETE|PATCH)\("([^"]*)"\).*/\1 \2/' |
  sort -u

# Find base URLs
grep -rE "baseUrl|BASE_URL|API_BASE" app-decompiled/sources/
```
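The `sed` pipeline above leaves you with relative paths and a separate list of base URLs. The following script, added here as an example and not code from the original page or the jadx project, joins the two: it collects `@GET`/`@POST`/... annotations from a decompiled Retrofit interface, finds the base URL (a `BASE_URL`-style constant or a literal passed to `.baseUrl(...)`), and resolves each path against it the way Retrofit does, so a leading `/` replaces the base path rather than appending to it. The `SAMPLE_JAVA` source is constructed for the demo; the regexes and function names are this example's own.

```python
"""Reconstruct absolute endpoint URLs from Retrofit interfaces in jadx output."""
import re
from urllib.parse import urljoin

# @GET("path"), @POST("path"), ... on interface methods.
ENDPOINT = re.compile(r'@(GET|POST|PUT|DELETE|PATCH)\(\s*"([^"]*)"\s*\)')
# Either a literal passed to Retrofit's .baseUrl("...") or a constant assignment.
BASE_URL = re.compile(
    r'(?:\bbaseUrl\s*\(\s*"([^"]+)"|\b(?:BASE_URL|API_BASE|API_URL|baseUrl)\s*=\s*"([^"]+)")'
)


def find_base_urls(java_source):
    """Return the distinct base URLs declared in, or passed to Retrofit from, the source."""
    found = []
    for call_arg, assignment in BASE_URL.findall(java_source):
        url = call_arg or assignment
        if url not in found:
            found.append(url)
    return found


def extract_endpoints(java_source):
    """Return sorted unique (method, url) pairs; paths stay relative when no base URL is found."""
    bases = find_base_urls(java_source) or [""]
    endpoints = set()
    for method, path in ENDPOINT.findall(java_source):
        for base in bases:
            # Retrofit resolves like a browser: "a/b" appends, "/a/b" replaces the base path.
            endpoints.add((method, urljoin(base, path) if base else path))
    return sorted(endpoints)


# Constructed sample resembling a deobfuscated Retrofit interface and its client.
SAMPLE_JAVA = """
public interface DeviceApi {
    @GET("devices/{id}/status")
    Call<Status> status(@Path("id") String id);

    @POST("auth/login")
    Call<Token> login(@Body Credentials body);

    @DELETE("/admin/devices/{id}")
    Call<Void> remove(@Path("id") String id);
}

public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1/";

    Retrofit build() {
        return new Retrofit.Builder().baseUrl(BASE_URL).build();
    }
}
"""

if __name__ == "__main__":
    for method, url in extract_endpoints(SAMPLE_JAVA):
        print(f"{method:<6} {url}")
```

Run it over the concatenation of the files the `find` command located; when an app declares several base URLs, every path is resolved against each of them, which is the safe default until the GUI's cross-references show which client uses which interface.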

Workflow 5: Batch Processing Multiple APKs

```bash
# Decompile multiple APKs
for apk in *.apk; do
  name=$(basename "$apk" .apk)
  echo "[+] Processing $apk..."
  jadx --no-res --deobf "$apk" -d "decompiled-$name"

  # Quick search for secrets
  grep -rE "api.*key|password|secret" "decompiled-$name/sources/" > "findings-$name.txt"
done
echo "[+] All APKs processed. Check findings-*.txt files"
```

Best Practices

1. Always Use Deobfuscation for Production Apps

```bash
# Most production apps are obfuscated
jadx --deobf app.apk -d output
```
Without `--deobf`, you'll see code like:
```java
public class a {
    public void b(String c) { ... }
}
```
With `--deobf`, jadx attempts meaningful names:
```java
public class NetworkClient {
    public void sendRequest(String url) { ... }
}
```

2. Use Multi-threading for Large Apps

```bash
# Faster decompilation
jadx -j 8 large-app.apk -d output
```

3. Skip Resources for Code-Only Analysis

```bash
# 3-5x faster when you only need code
jadx --no-res app.apk -d output
```

4. Search Systematically

Create a search checklist:
  • API keys and secrets
  • Hardcoded credentials
  • URLs and endpoints
  • Crypto implementations
  • Insecure storage
  • WebView vulnerabilities
  • Debug/logging code
  • Commented-out sensitive code

5. Use GUI for Deep Analysis

For complex apps:
  1. Use CLI for initial decompilation
  2. Search for interesting patterns
  3. Open in GUI for detailed exploration
  4. Use cross-references to trace code flow

6. Combine with Runtime Analysis

Static analysis (jadx) + dynamic analysis:
  • Use jadx to find API endpoints
  • Test endpoints with curl/burp
  • Use jadx to understand auth flow
  • Test auth with runtime instrumentation (Frida)

Troubleshooting

Problem: Decompilation fails with errors

Solution: Use fallback mode or show bad code:
```bash
jadx --fallback --show-bad-code app.apk -d output
```

Problem: Code is unreadable (obfuscated)

Solution: Enable deobfuscation:
```bash
jadx --deobf app.apk -d output
```

Problem: Out of memory error

Solution: Increase Java heap size:
```bash
export JAVA_OPTS="-Xmx4096m"
jadx app.apk -d output
```
Or use the built-in option:
```bash
jadx -Xmx4096m app.apk -d output
```

Problem: Decompilation is very slow

Solution: Skip resources or use more threads:
```bash
jadx --no-res -j 8 app.apk -d output
```

Problem: Some methods show "Can't load method"

Solution: Use `--show-bad-code` to see partial decompilation:
```bash
jadx --show-bad-code app.apk -d output
```

Problem: GUI won't open APK

Solution: Use CLI first to check for errors:
```bash
jadx app.apk -d test-output
# If successful, try GUI again
```

Advanced Features

Export as Gradle Project

```bash
jadx --export-gradle app.apk -d app-project
cd app-project
./gradlew build
```
Creates a buildable Android Studio project.

Generate Deobfuscation Map

```bash
jadx --deobf --deobf-use-sourcename app.apk -d output
# Check output/mapping.txt for name mappings
```

Custom Decompilation Options

```bash
# All options combined
jadx \
  --deobf \
  --deobf-use-sourcename \
  --show-bad-code \
  --no-imports \
  --no-inline-anonymous \
  --no-replace-consts \
  app.apk -d output
```

Integration with IoTHackBot Tools

Jadx fits into the IoTHackBot workflow:
  1. APK → API Discovery:
    • Decompile IoT app with jadx
    • Extract API endpoints
    • Test endpoints with network tools
  2. APK → Credential Extraction:
    • Find hardcoded credentials
    • Test against IoT devices
    • Use with onvifscan, telnetshell
  3. APK → Protocol Analysis:
    • Understand device communication protocol
    • Capture traffic with iotnet
    • Replay/modify with custom scripts
  4. APK → Device Enumeration:
    • Find device discovery mechanisms
    • Use wsdiscovery for ONVIF devices
    • Use nmap for network scanning

Quick Reference

```bash
# Basic decompilation
jadx <apk> -d <output-dir>

# With deobfuscation (recommended)
jadx --deobf <apk> -d <output-dir>

# Fast (no resources)
jadx --no-res <apk> -d <output-dir>

# Multi-threaded
jadx -j <threads> <apk> -d <output-dir>

# Show problematic code
jadx --show-bad-code <apk> -d <output-dir>

# Export as Gradle project
jadx --export-gradle <apk> -d <output-dir>

# GUI mode
jadx-gui <apk>

# Fallback mode
jadx --fallback <apk> -d <output-dir>
```

Security Analysis Checklist

Use this checklist when analyzing APKs with jadx:
  • Decompile with deobfuscation enabled
  • Search for hardcoded API keys
  • Search for hardcoded credentials
  • Find all HTTP/HTTPS URLs
  • Check crypto implementations (algorithms, key generation)
  • Check certificate pinning implementation
  • Find SharedPreferences usage (storage security)
  • Check WebView security settings
  • Find database operations (SQL injection)
  • Check for debug/logging code
  • Find exported components (from manifest)
  • Check authentication/authorization logic
  • Find file operations (path traversal)
  • Check for native library loading
  • Document all findings

Important Notes

  • Jadx produces Java source, which is approximate (not original)
  • Some optimizations/obfuscations may produce uncompilable code
  • Decompiled code may differ slightly from original source
  • Always cross-check findings with runtime analysis
  • Jadx works best with apps compiled with standard tools
  • Heavily obfuscated/protected apps may have limited decompilation
  • Some anti-tampering mechanisms detect decompilation

Security and Ethics

IMPORTANT: Only decompile APKs you own or have permission to analyze.
  • Respect intellectual property and licensing
  • Follow responsible disclosure for vulnerabilities
  • Don't distribute decompiled source code
  • Be aware of terms of service and EULAs
  • Use for authorized security testing and research only
  • Some jurisdictions have laws against reverse engineering

Success Criteria

A successful jadx analysis includes:
  • APK successfully decompiled to readable Java code
  • Deobfuscation applied (if app was obfuscated)
  • All source code searchable and readable
  • Security-relevant findings documented
  • API endpoints and URLs extracted
  • Crypto and authentication logic understood
  • Integration points with other systems identified
  • Findings verified with runtime testing when possible