jadx 安卓 APK 反编译器使用指南 - 逆向工程与安全分析工具

jadx by brownfinesecurity/iothackbot

105 周安装量

710 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/brownfinesecurity/iothackbot --skill jadx

逆向工程 Android 安全

🇨🇳中文介绍

Jadx - Android APK 反编译器

您正在帮助用户使用 jadx 反编译 Android APK 文件，将 DEX 字节码转换为可读的 Java 源代码，用于安全分析、漏洞发现和理解应用内部结构。

工具概述

Jadx 是一个将 dex 转换为 Java 的反编译器，能从 Android APK 文件生成清晰、可读的 Java 源代码。与 apktool（生成 smali 代码）不同，jadx 生成的是实际的 Java 代码，更易于阅读和分析。它对于以下方面至关重要：

将 DEX 字节码转换为可读的 Java 源代码
理解应用逻辑和控制流
在代码中发现安全漏洞
发现硬编码的凭据、API 密钥、URL
分析加密/认证实现
使用熟悉的 Java 语法搜索代码

先决条件

必须安装 jadx（可选安装 jadx-gui）
需要 Java 运行时环境 (JRE)
足够的磁盘空间（反编译输出通常是 APK 大小的 3-10 倍）
输出目录的写入权限

GUI 与 CLI

Jadx 提供两种界面：

CLI (jadx) : 命令行界面

最适合自动化和脚本编写
批量处理多个 APK
与其他工具集成
无头服务器环境

GUI (jadx-gui) : 图形界面

交互式代码浏览
内置搜索功能
交叉引用和导航
便于手动分析
语法高亮

何时使用每种界面：

使用 CLI 进行自动化分析、脚本编写、CI/CD 流水线
使用 GUI 进行交互式探索和深度分析

使用说明

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

1. 基本 APK 反编译（最常用）

标准反编译命令：

jadx <apk-file> -d <output-directory>

jadx app.apk -d app-decompiled

使用反混淆（推荐用于混淆过的应用）：

jadx --deobf app.apk -d app-decompiled

2. 理解输出结构

反编译后，输出目录包含：

app-decompiled/
├── sources/                           # Java 源代码
│   └── com/company/app/              # 包结构
│       ├── MainActivity.java
│       ├── utils/
│       ├── network/
│       └── ...
└── resources/                         # 解码后的资源
    ├── AndroidManifest.xml           # 可读的清单文件
    ├── res/                          # 资源
    │   ├── layout/                   # XML 布局
    │   ├── values/                   # 字符串、颜色
    │   ├── drawable/                 # 图片
    │   └── ...
    └── assets/                       # 应用资源文件

多线程反编译（更快）：

jadx -j 4 app.apk -d output
# -j 指定线程数（默认：CPU 核心数）

跳过资源（仅代码，快得多）：

jadx --no-res app.apk -d output

跳过源代码（仅资源）：

jadx --no-src app.apk -d output

启用反混淆：

jadx --deobf app.apk -d output

重命名混淆过的类（a.b.c → 有意义的名称）
尝试恢复原始名称
使代码更易读
对于混淆/压缩过的应用至关重要

反混淆映射输出：

jadx --deobf --deobf-rewrite-cfg --deobf-use-sourcename app.apk -d output

更激进的反混淆
使用源文件名作为提示
重写控制流图

显示不一致/错误的代码：

jadx --show-bad-code app.apk -d output

显示无法干净反编译的代码
有助于发现混淆或反反编译技巧
可能包含语法错误但能揭示结构

导出为 Gradle 项目：

jadx --export-gradle app.apk -d output

创建可构建的 Gradle Android 项目
用于重建/修改应用
包含 build.gradle 文件

回退模式（当反编译失败时）：

jadx --fallback app.apk -d output

使用替代反编译策略
生成不太干净的代码但能处理边缘情况

4. 常见分析任务

A. 搜索敏感信息

反编译后，搜索常见安全问题：

# 搜索 API 密钥
grep -r "api.*key\|apikey\|API_KEY" app-decompiled/sources/

# 搜索密码和凭据
grep -r "password\|credential\|secret" app-decompiled/sources/

# 搜索硬编码的 URL
grep -rE "https?://[^\"]+" app-decompiled/sources/

# 搜索加密密钥
grep -r "AES\|DES\|RSA\|encryption.*key" app-decompiled/sources/

# 搜索令牌
grep -r "token\|auth.*token\|bearer" app-decompiled/sources/

# 搜索数据库密码
grep -r "jdbc\|database\|db.*password" app-decompiled/sources/

B. 查找安全漏洞

grep -r "SELECT.*FROM.*WHERE" app-decompiled/sources/ | grep -v "PreparedStatement"
grep -r "rawQuery\|execSQL" app-decompiled/sources/

不安全的加密：

grep -r "DES\|MD5\|SHA1" app-decompiled/sources/
grep -r "SecureRandom.*setSeed" app-decompiled/sources/
grep -r "Cipher.getInstance" app-decompiled/sources/ | grep -v "AES/GCM"

不安全的存储：

grep -r "SharedPreferences" app-decompiled/sources/
grep -r "MODE_WORLD_READABLE\|MODE_WORLD_WRITABLE" app-decompiled/sources/
grep -r "openFileOutput" app-decompiled/sources/

WebView 漏洞：

grep -r "setJavaScriptEnabled.*true" app-decompiled/sources/
grep -r "addJavascriptInterface" app-decompiled/sources/
grep -r "WebView.*loadUrl" app-decompiled/sources/

证书固定绕过：

grep -r "TrustManager\|HostnameVerifier" app-decompiled/sources/
grep -r "checkServerTrusted" app-decompiled/sources/

C. 理解应用逻辑

查找入口点：

# 主活动
grep -r "extends Activity\|extends AppCompatActivity" app-decompiled/sources/

# Application 类
grep -r "extends Application" app-decompiled/sources/

# 服务
grep -r "extends Service" app-decompiled/sources/

# 广播接收器
grep -r "extends BroadcastReceiver" app-decompiled/sources/

追踪网络通信：

# 查找 HTTP 客户端使用
grep -r "HttpURLConnection\|OkHttpClient\|Retrofit" app-decompiled/sources/

# 查找 API 端点
grep -r "@GET\|@POST\|@PUT\|@DELETE" app-decompiled/sources/

# 查找基础 URL
grep -r "baseUrl\|BASE_URL\|API_URL" app-decompiled/sources/

查找认证逻辑：

grep -r "login\|Login\|authenticate\|Authorization" app-decompiled/sources/
grep -r "jwt\|JWT\|bearer\|Bearer" app-decompiled/sources/

识别出感兴趣的类后，直接读取它们：

# 查看特定类
cat app-decompiled/sources/com/example/app/LoginActivity.java

# 使用 less 进行分页
less app-decompiled/sources/com/example/app/network/ApiClient.java

# 在特定类中搜索
grep "password" app-decompiled/sources/com/example/app/LoginActivity.java

5. GUI 模式（交互式分析）

全文搜索 : Ctrl+Shift+F（搜索所有代码）
查找使用 : 右键点击类/方法 → "Find usage"
转到声明 : Ctrl+点击任意类/方法
反编译 : 点击任意类查看 Java 代码
保存反编译的代码 : 文件 → 全部保存
导出选项 : 文件 → 导出为 Gradle 项目

GUI 工作流程：

使用 jadx-gui 打开 APK
在左侧面板浏览包结构
使用搜索 (Ctrl+Shift+F) 查找关键词
点击结果在上下文中查看代码
使用 Ctrl+点击跟踪交叉引用
保存有趣的发现

6. 与其他工具集成

结合 Jadx 与 Apktool

两种工具互补：

可读的 Java 源代码
易于理解逻辑
快速搜索代码

Apktool 优势：

准确的资源提取
Smali 代码（更接近原始代码）
可以重建/重新打包 APK

推荐工作流程：

# 使用 jadx 进行代码分析
jadx --deobf app.apk -d app-jadx

# 使用 apktool 获取资源和 smali
apktool d app.apk -o app-apktool

# 分析两个输出
grep -r "API_KEY" app-jadx/sources/
grep -r "api_key" app-apktool/res/

工作流程 1：安全评估

# 1. 使用反混淆进行反编译
jadx --deobf app.apk -d app-decompiled

# 2. 搜索硬编码的秘密
echo "[+] 搜索 API 密钥..."
grep -ri "api.*key\|apikey" app-decompiled/sources/ | tee findings-apikeys.txt

echo "[+] 搜索密码..."
grep -ri "password\|passwd\|pwd" app-decompiled/sources/ | tee findings-passwords.txt

echo "[+] 搜索 URL..."
grep -rE "https?://[^\"]+" app-decompiled/sources/ | tee findings-urls.txt

# 3. 检查加密使用情况
echo "[+] 检查加密实现..."
grep -r "Cipher\|SecretKey\|KeyStore" app-decompiled/sources/ | tee findings-crypto.txt

# 4. 检查不安全的存储
echo "[+] 检查存储机制..."
grep -r "SharedPreferences\|SQLite\|openFileOutput" app-decompiled/sources/ | tee findings-storage.txt

# 5. 总结
echo "[+] 分析完成。检查 findings-*.txt 文件"

工作流程 2：物联网应用分析

对于物联网配套应用，查找设备通信：

# 1. 反编译
jadx --deobf iot-app.apk -d iot-app-decompiled

# 2. 查找设备端点
echo "[+] 查找设备端点..."
grep -rE "https?://[^\"]+" iot-app-decompiled/sources/ | \
  grep -v "google\|android\|facebook" | \
  tee device-endpoints.txt

# 3. 查找 API 结构
echo "[+] 查找 API 定义..."
grep -r "@GET\|@POST\|@PUT" iot-app-decompiled/sources/ | tee api-endpoints.txt

# 4. 查找认证
echo "[+] 查找认证机制..."
grep -r "Authorization\|authentication\|apiKey" iot-app-decompiled/sources/ | tee auth-methods.txt

# 5. 查找设备发现
echo "[+] 查找设备发现..."
grep -r "discover\|scan\|broadcast\|mdns" iot-app-decompiled/sources/ | tee device-discovery.txt

# 6. 检查证书固定
echo "[+] 检查证书固定..."
grep -r "CertificatePinner\|TrustManager" iot-app-decompiled/sources/ | tee cert-pinning.txt

工作流程 3：快速凭据检查

# 快速反编译（无资源）
jadx --no-res --deobf app.apk -d app-code

# 搜索常见凭据模式
grep -r "username.*password\|user.*pass" app-code/sources/
grep -r "admin\|root\|default.*password" app-code/sources/
grep -r "hardcoded\|TODO.*password\|FIXME.*password" app-code/sources/

工作流程 4：API 端点发现

# 反编译
jadx app.apk -d app-decompiled

# 查找 Retrofit/REST API 定义
find app-decompiled/sources -name "*Api*.java" -o -name "*Service*.java" -o -name "*Client*.java"

# 提取所有端点
grep -r "@GET\|@POST\|@PUT\|@DELETE\|@PATCH" app-decompiled/sources/ | \
  sed 's/.*@\(GET\|POST\|PUT\|DELETE\|PATCH\)("\([^"]*\)".*/\1 \2/' | \
  sort -u

# 查找基础 URL
grep -r "baseUrl\|BASE_URL\|API_BASE" app-decompiled/sources/

工作流程 5：批量处理多个 APK

# 反编译多个 APK
for apk in *.apk; do
  name=$(basename "$apk" .apk)
  echo "[+] 处理 $apk..."
  jadx --no-res --deobf "$apk" -d "decompiled-$name"

  # 快速搜索秘密
  grep -r "api.*key\|password\|secret" "decompiled-$name/sources/" > "findings-$name.txt"
done

echo "[+] 所有 APK 处理完成。检查 findings-*.txt 文件"

1. 始终对生产应用使用反混淆

# 大多数生产应用都经过混淆
jadx --deobf app.apk -d output

不使用 --deobf，您会看到类似这样的代码：

public class a {
    public void b(String c) { ... }
}

使用 --deobf，jadx 尝试生成有意义的名称：

public class NetworkClient {
    public void sendRequest(String url) { ... }
}

2. 对大型应用使用多线程

# 更快的反编译
jadx -j 8 large-app.apk -d output

3. 仅代码分析时跳过资源

# 当只需要代码时，速度快 3-5 倍
jadx --no-res app.apk -d output

4. 系统性地搜索

创建搜索清单：

API 密钥和秘密
硬编码的凭据
URL 和端点
加密实现
不安全的存储
WebView 漏洞
调试/日志代码
注释掉的敏感代码

5. 使用 GUI 进行深度分析

对于复杂的应用：

使用 CLI 进行初始反编译
搜索有趣的模式
在 GUI 中打开进行详细探索
使用交叉引用跟踪代码流

6. 结合运行时分析

静态分析 (jadx) + 动态分析：

使用 jadx 查找 API 端点
使用 curl/burp 测试端点
使用 jadx 理解认证流程
使用运行时插桩 (Frida) 测试认证

问题：反编译失败并报错

解决方案 : 使用回退模式或显示错误代码：

jadx --fallback --show-bad-code app.apk -d output

问题：代码不可读（混淆过）

解决方案 : 启用反混淆：

jadx --deobf app.apk -d output

问题：内存不足错误

解决方案 : 增加 Java 堆大小：

export JAVA_OPTS="-Xmx4096m"
jadx app.apk -d output

或使用内置选项：

jadx -Xmx4096m app.apk -d output

问题：反编译非常慢

解决方案 : 跳过资源或使用更多线程：

jadx --no-res -j 8 app.apk -d output

问题：某些方法显示 "Can't load method"

解决方案 : 使用 --show-bad-code 查看部分反编译结果：

jadx --show-bad-code app.apk -d output

问题：GUI 无法打开 APK

解决方案 : 首先使用 CLI 检查错误：

jadx app.apk -d test-output
# 如果成功，再尝试 GUI

导出为 Gradle 项目

jadx --export-gradle app.apk -d app-project
cd app-project
./gradlew build

创建一个可构建的 Android Studio 项目。

生成反混淆映射

jadx --deobf --deobf-use-sourcename app.apk -d output
# 检查 output/mapping.txt 获取名称映射

自定义反编译选项

# 所有选项组合
jadx \
  --deobf \
  --deobf-use-sourcename \
  --show-bad-code \
  --no-imports \
  --no-inline-anonymous \
  --no-replace-consts \
  app.apk -d output

与 IoTHackBot 工具集成

Jadx 适用于 IoTHackBot 工作流程：

APK → API 发现 :
- 使用 jadx 反编译物联网应用
- 提取 API 端点
- 使用网络工具测试端点
APK → 凭据提取 :
- 查找硬编码的凭据
- 针对物联网设备进行测试
- 与 onvifscan、telnetshell 结合使用
APK → 协议分析 :
- 理解设备通信协议
- 使用 iotnet 捕获流量
- 使用自定义脚本重放/修改
APK → 设备枚举 :
- 查找设备发现机制
- 对 ONVIF 设备使用 wsdiscovery
- 使用 nmap 进行网络扫描

# 基本反编译
jadx <apk> -d <output-dir>

# 使用反混淆（推荐）
jadx --deobf <apk> -d <output-dir>

# 快速（无资源）
jadx --no-res <apk> -d <output-dir>

# 多线程
jadx -j <threads> <apk> -d <output-dir>

# 显示有问题的代码
jadx --show-bad-code <apk> -d <output-dir>

# 导出为 Gradle 项目
jadx --export-gradle <apk> -d <output-dir>

# GUI 模式
jadx-gui <apk>

# 回退模式
jadx --fallback <apk> -d <output-dir>

使用此清单分析 APK 时：

启用反混淆进行反编译
搜索硬编码的 API 密钥
搜索硬编码的凭据
查找所有 HTTP/HTTPS URL
检查加密实现（算法、密钥生成）
检查证书固定实现
查找 SharedPreferences 使用情况（存储安全）
检查 WebView 安全设置
查找数据库操作（SQL 注入）
检查调试/日志代码
查找导出的组件（从清单中）
检查认证/授权逻辑
查找文件操作（路径遍历）
检查本地库加载
记录所有发现

Jadx 生成的 Java 源代码是近似的（非原始代码）
某些优化/混淆可能产生无法编译的代码
反编译的代码可能与原始源代码略有不同
始终使用运行时分析交叉检查发现
Jadx 最适合使用标准工具编译的应用
严重混淆/受保护的应用可能反编译有限
某些反篡改机制会检测反编译

重要 : 仅反编译您拥有或获得分析权限的 APK。

尊重知识产权和许可
遵循负责任的漏洞披露
不要分发反编译的源代码
注意服务条款和最终用户许可协议
仅用于授权的安全测试和研究
某些司法管辖区有禁止逆向工程的法律

成功的 jadx 分析包括：

APK 成功反编译为可读的 Java 代码
应用了反混淆（如果应用被混淆过）
所有源代码可搜索和可读
记录了与安全相关的发现
提取了 API 端点和 URL
理解了加密和认证逻辑
识别了与其他系统的集成点
在可能的情况下通过运行时测试验证了发现

2026 年 1 月 26 日

🇺🇸English

Jadx - Android APK Decompiler

You are helping the user decompile Android APK files using jadx to convert DEX bytecode into readable Java source code for security analysis, vulnerability discovery, and understanding app internals.

Tool Overview

Jadx is a dex to Java decompiler that produces clean, readable Java source code from Android APK files. Unlike apktool (which produces smali), jadx generates actual Java code that's much easier to read and analyze. It's essential for:

Converting DEX bytecode to readable Java source
Understanding app logic and control flow
Finding security vulnerabilities in code
Discovering hardcoded credentials, API keys, URLs
Analyzing encryption/authentication implementations
Searching through code with familiar Java syntax

Prerequisites

jadx (and optionally jadx-gui) must be installed
Java Runtime Environment (JRE) required
Sufficient disk space (decompiled output is typically 3-10x APK size)
Write permissions in output directory

GUI vs CLI

Jadx provides two interfaces:

CLI (jadx) : Command-line interface

Best for automation and scripting
Batch processing multiple APKs
Integration with other tools
Headless server environments

GUI (jadx-gui) : Graphical interface

Interactive code browsing
Built-in search functionality
Cross-references and navigation
Easier for manual analysis
Syntax highlighting

When to use each:

Use CLI for automated analysis, scripting, CI/CD pipelines
Use GUI for interactive exploration and deep-dive analysis

Instructions

1. Basic APK Decompilation (Most Common)

Standard decompile command:

jadx <apk-file> -d <output-directory>

Example:

jadx app.apk -d app-decompiled

With deobfuscation (recommended for obfuscated apps):

jadx --deobf app.apk -d app-decompiled

2. Understanding Output Structure

After decompilation, the output directory contains:

app-decompiled/
├── sources/                           # Java source code
│   └── com/company/app/              # Package structure
│       ├── MainActivity.java
│       ├── utils/
│       ├── network/
│       └── ...
└── resources/                         # Decoded resources
    ├── AndroidManifest.xml           # Readable manifest
    ├── res/                          # Resources
    │   ├── layout/                   # XML layouts
    │   ├── values/                   # Strings, colors
    │   ├── drawable/                 # Images
    │   └── ...
    └── assets/                       # App assets

3. Decompilation Options

A. Performance Options

Multi-threaded decompilation (faster):

jadx -j 4 app.apk -d output
# -j specifies number of threads (default: CPU cores)

Skip resources (code only, much faster):

jadx --no-res app.apk -d output

Skip source code (resources only):

jadx --no-src app.apk -d output

B. Deobfuscation Options

Enable deobfuscation:

jadx --deobf app.apk -d output

Renames obfuscated classes (a.b.c → meaningful names)
Attempts to recover original names
Makes code much more readable
Essential for obfuscated/minified apps

Deobfuscation map output:

jadx --deobf --deobf-rewrite-cfg --deobf-use-sourcename app.apk -d output

More aggressive deobfuscation
Uses source file names as hints
Rewrites control flow graphs

C. Output Control

Show inconsistent/bad code:

jadx --show-bad-code app.apk -d output

Shows code that couldn't be decompiled cleanly
Useful for finding obfuscation or anti-decompilation tricks
May contain syntax errors but reveals structure

Export as Gradle project:

jadx --export-gradle app.apk -d output

Creates buildable Gradle Android project
Useful for rebuilding/modifying app
Includes build.gradle files

Fallback mode (when decompilation fails):

jadx --fallback app.apk -d output

Uses alternative decompilation strategy
Produces less clean code but handles edge cases

4. Common Analysis Tasks

A. Searching for Sensitive Information

After decompilation, search for common security issues:

# Search for API keys
grep -r "api.*key\|apikey\|API_KEY" app-decompiled/sources/

# Search for passwords and credentials
grep -r "password\|credential\|secret" app-decompiled/sources/

# Search for hardcoded URLs
grep -rE "https?://[^\"]+" app-decompiled/sources/

# Search for encryption keys
grep -r "AES\|DES\|RSA\|encryption.*key" app-decompiled/sources/

# Search for tokens
grep -r "token\|auth.*token\|bearer" app-decompiled/sources/

# Search for database passwords
grep -r "jdbc\|database\|db.*password" app-decompiled/sources/

B. Finding Security Vulnerabilities

SQL Injection:

grep -r "SELECT.*FROM.*WHERE" app-decompiled/sources/ | grep -v "PreparedStatement"
grep -r "rawQuery\|execSQL" app-decompiled/sources/

Insecure Crypto:

grep -r "DES\|MD5\|SHA1" app-decompiled/sources/
grep -r "SecureRandom.*setSeed" app-decompiled/sources/
grep -r "Cipher.getInstance" app-decompiled/sources/ | grep -v "AES/GCM"

Insecure Storage:

grep -r "SharedPreferences" app-decompiled/sources/
grep -r "MODE_WORLD_READABLE\|MODE_WORLD_WRITABLE" app-decompiled/sources/
grep -r "openFileOutput" app-decompiled/sources/

WebView vulnerabilities:

grep -r "setJavaScriptEnabled.*true" app-decompiled/sources/
grep -r "addJavascriptInterface" app-decompiled/sources/
grep -r "WebView.*loadUrl" app-decompiled/sources/

Certificate pinning bypass:

grep -r "TrustManager\|HostnameVerifier" app-decompiled/sources/
grep -r "checkServerTrusted" app-decompiled/sources/

C. Understanding App Logic

Find entry points:

# Main activities
grep -r "extends Activity\|extends AppCompatActivity" app-decompiled/sources/

# Application class
grep -r "extends Application" app-decompiled/sources/

# Services
grep -r "extends Service" app-decompiled/sources/

# Broadcast receivers
grep -r "extends BroadcastReceiver" app-decompiled/sources/

Trace network communication:

# Find HTTP client usage
grep -r "HttpURLConnection\|OkHttpClient\|Retrofit" app-decompiled/sources/

# Find API endpoints
grep -r "@GET\|@POST\|@PUT\|@DELETE" app-decompiled/sources/

# Find base URLs
grep -r "baseUrl\|BASE_URL\|API_URL" app-decompiled/sources/

Find authentication logic:

grep -r "login\|Login\|authenticate\|Authorization" app-decompiled/sources/
grep -r "jwt\|JWT\|bearer\|Bearer" app-decompiled/sources/

D. Analyzing Specific Classes

After identifying interesting classes, read them directly:

# View specific class
cat app-decompiled/sources/com/example/app/LoginActivity.java

# Use less for pagination
less app-decompiled/sources/com/example/app/network/ApiClient.java

# Search within specific class
grep "password" app-decompiled/sources/com/example/app/LoginActivity.java

5. GUI Mode (Interactive Analysis)

Launch GUI:

jadx-gui app.apk

GUI features:

Full-text search : Ctrl+Shift+F (search all code)
Find usage : Right-click on class/method → "Find usage"
Go to declaration : Ctrl+Click on any class/method
Decompilation : Click any class to see Java code
Save decompiled code : File → Save all
Export options : File → Export as Gradle project

GUI workflow:

Open APK with jadx-gui
Browse package structure in left panel
Use search (Ctrl+Shift+F) to find keywords
Click results to view code in context
Follow cross-references with Ctrl+Click
Save interesting findings

6. Integration with Other Tools

Combine Jadx with Apktool

Both tools complement each other:

Jadx strengths:

Readable Java source code
Easy to understand logic
Fast searching through code

Apktool strengths:

Accurate resource extraction
Smali code (closer to original)
Can rebuild/repackage APKs

Recommended workflow:

# Use jadx for code analysis
jadx --deobf app.apk -d app-jadx

# Use apktool for resources and smali
apktool d app.apk -o app-apktool

# Analyze both outputs
grep -r "API_KEY" app-jadx/sources/
grep -r "api_key" app-apktool/res/

Common Workflows

Workflow 1: Security Assessment

# 1. Decompile with deobfuscation
jadx --deobf app.apk -d app-decompiled

# 2. Search for hardcoded secrets
echo "[+] Searching for API keys..."
grep -ri "api.*key\|apikey" app-decompiled/sources/ | tee findings-apikeys.txt

echo "[+] Searching for passwords..."
grep -ri "password\|passwd\|pwd" app-decompiled/sources/ | tee findings-passwords.txt

echo "[+] Searching for URLs..."
grep -rE "https?://[^\"]+" app-decompiled/sources/ | tee findings-urls.txt

# 3. Check crypto usage
echo "[+] Checking crypto implementations..."
grep -r "Cipher\|SecretKey\|KeyStore" app-decompiled/sources/ | tee findings-crypto.txt

# 4. Check for insecure storage
echo "[+] Checking storage mechanisms..."
grep -r "SharedPreferences\|SQLite\|openFileOutput" app-decompiled/sources/ | tee findings-storage.txt

# 5. Summary
echo "[+] Analysis complete. Check findings-*.txt files"

Workflow 2: IoT App Analysis

For IoT companion apps, find device communication:

# 1. Decompile
jadx --deobf iot-app.apk -d iot-app-decompiled

# 2. Find device communication
echo "[+] Finding device endpoints..."
grep -rE "https?://[^\"]+" iot-app-decompiled/sources/ | \
  grep -v "google\|android\|facebook" | \
  tee device-endpoints.txt

# 3. Find API structure
echo "[+] Finding API definitions..."
grep -r "@GET\|@POST\|@PUT" iot-app-decompiled/sources/ | tee api-endpoints.txt

# 4. Find authentication
echo "[+] Finding auth mechanisms..."
grep -r "Authorization\|authentication\|apiKey" iot-app-decompiled/sources/ | tee auth-methods.txt

# 5. Find device discovery
echo "[+] Finding device discovery..."
grep -r "discover\|scan\|broadcast\|mdns" iot-app-decompiled/sources/ | tee device-discovery.txt

# 6. Check for certificate pinning
echo "[+] Checking certificate pinning..."
grep -r "CertificatePinner\|TrustManager" iot-app-decompiled/sources/ | tee cert-pinning.txt

Workflow 3: Quick Credential Check

# Fast decompilation without resources
jadx --no-res --deobf app.apk -d app-code

# Search for common credential patterns
grep -r "username.*password\|user.*pass" app-code/sources/
grep -r "admin\|root\|default.*password" app-code/sources/
grep -r "hardcoded\|TODO.*password\|FIXME.*password" app-code/sources/

Workflow 4: API Endpoint Discovery

# Decompile
jadx app.apk -d app-decompiled

# Find Retrofit/REST API definitions
find app-decompiled/sources -name "*Api*.java" -o -name "*Service*.java" -o -name "*Client*.java"

# Extract all endpoints
grep -r "@GET\|@POST\|@PUT\|@DELETE\|@PATCH" app-decompiled/sources/ | \
  sed 's/.*@\(GET\|POST\|PUT\|DELETE\|PATCH\)("\([^"]*\)".*/\1 \2/' | \
  sort -u

# Find base URLs
grep -r "baseUrl\|BASE_URL\|API_BASE" app-decompiled/sources/

Workflow 5: Batch Processing Multiple APKs

# Decompile multiple APKs
for apk in *.apk; do
  name=$(basename "$apk" .apk)
  echo "[+] Processing $apk..."
  jadx --no-res --deobf "$apk" -d "decompiled-$name"

  # Quick search for secrets
  grep -r "api.*key\|password\|secret" "decompiled-$name/sources/" > "findings-$name.txt"
done

echo "[+] All APKs processed. Check findings-*.txt files"

Best Practices

1. Always Use Deobfuscation for Production Apps

# Most production apps are obfuscated
jadx --deobf app.apk -d output

Without --deobf, you'll see code like:

public class a {
    public void b(String c) { ... }
}

With --deobf, jadx attempts meaningful names:

public class NetworkClient {
    public void sendRequest(String url) { ... }
}

2. Use Multi-threading for Large Apps

# Faster decompilation
jadx -j 8 large-app.apk -d output

3. Skip Resources for Code-Only Analysis

# 3-5x faster when you only need code
jadx --no-res app.apk -d output

4. Search Systematically

Create a search checklist:

API keys and secrets
Hardcoded credentials
URLs and endpoints
Crypto implementations
Insecure storage
WebView vulnerabilities
Debug/logging code
Commented-out sensitive code

5. Use GUI for Deep Analysis

For complex apps:

Use CLI for initial decompilation
Search for interesting patterns
Open in GUI for detailed exploration
Use cross-references to trace code flow

6. Combine with Runtime Analysis

Static analysis (jadx) + dynamic analysis:

Use jadx to find API endpoints
Test endpoints with curl/burp
Use jadx to understand auth flow
Test auth with runtime instrumentation (Frida)

Troubleshooting

Problem: Decompilation fails with errors

Solution : Use fallback mode or show bad code:

jadx --fallback --show-bad-code app.apk -d output

Problem: Code is unreadable (obfuscated)

Solution : Enable deobfuscation:

jadx --deobf app.apk -d output

Problem: Out of memory error

Solution : Increase Java heap size:

export JAVA_OPTS="-Xmx4096m"
jadx app.apk -d output

Or use the built-in option:

jadx -Xmx4096m app.apk -d output

Problem: Decompilation is very slow

Solution : Skip resources or use more threads:

jadx --no-res -j 8 app.apk -d output

Problem: Some methods show "Can't load method"

Solution : Use --show-bad-code to see partial decompilation:

jadx --show-bad-code app.apk -d output

Problem: GUI won't open APK

Solution : Use CLI first to check for errors:

jadx app.apk -d test-output
# If successful, try GUI again

Advanced Features

Export as Gradle Project

jadx --export-gradle app.apk -d app-project
cd app-project
./gradlew build

Creates a buildable Android Studio project.

Generate Deobfuscation Map

jadx --deobf --deobf-use-sourcename app.apk -d output
# Check output/mapping.txt for name mappings

Custom Decompilation Options

# All options combined
jadx \
  --deobf \
  --deobf-use-sourcename \
  --show-bad-code \
  --no-imports \
  --no-inline-anonymous \
  --no-replace-consts \
  app.apk -d output

Integration with IoTHackBot Tools

Jadx fits into the IoTHackBot workflow:

APK → API Discovery :
- Decompile IoT app with jadx
- Extract API endpoints
- Test endpoints with network tools
APK → Credential Extraction :
- Find hardcoded credentials
- Test against IoT devices
- Use with onvifscan, telnetshell
APK → Protocol Analysis :
- Understand device communication protocol
- Capture traffic with iotnet
- Replay/modify with custom scripts
APK → Device Enumeration :
- Find device discovery mechanisms
- Use wsdiscovery for ONVIF devices
- Use nmap for network scanning

Quick Reference

# Basic decompilation
jadx <apk> -d <output-dir>

# With deobfuscation (recommended)
jadx --deobf <apk> -d <output-dir>

# Fast (no resources)
jadx --no-res <apk> -d <output-dir>

# Multi-threaded
jadx -j <threads> <apk> -d <output-dir>

# Show problematic code
jadx --show-bad-code <apk> -d <output-dir>

# Export as Gradle project
jadx --export-gradle <apk> -d <output-dir>

# GUI mode
jadx-gui <apk>

# Fallback mode
jadx --fallback <apk> -d <output-dir>

Security Analysis Checklist

Use this checklist when analyzing APKs with jadx:

Decompile with deobfuscation enabled
Search for hardcoded API keys
Search for hardcoded credentials
Find all HTTP/HTTPS URLs
Check crypto implementations (algorithms, key generation)
Check certificate pinning implementation
Find SharedPreferences usage (storage security)
Check WebView security settings
Find database operations (SQL injection)
Check for debug/logging code
Find exported components (from manifest)
Check authentication/authorization logic
Find file operations (path traversal)
Check for native library loading
Document all findings

Important Notes

Jadx produces Java source, which is approximate (not original)
Some optimizations/obfuscations may produce uncompilable code
Decompiled code may differ slightly from original source
Always cross-check findings with runtime analysis
Jadx works best with apps compiled with standard tools
Heavily obfuscated/protected apps may have limited decompilation
Some anti-tampering mechanisms detect decompilation

Security and Ethics

IMPORTANT : Only decompile APKs you own or have permission to analyze.

Respect intellectual property and licensing
Follow responsible disclosure for vulnerabilities
Don't distribute decompiled source code
Be aware of terms of service and EULAs
Use for authorized security testing and research only
Some jurisdictions have laws against reverse engineering

Success Criteria

A successful jadx analysis includes:

APK successfully decompiled to readable Java code
Deobfuscation applied (if app was obfuscated)
All source code searchable and readable
Security-relevant findings documented
API endpoints and URLs extracted
Crypto and authentication logic understood
Integration points with other systems identified
Findings verified with runtime testing when possible

Weekly Installs

Repository

brownfinesecuri…thackbot

GitHub Stars

680

First Seen

Jan 26, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode62

gemini-cli61

github-copilot58

codex58

cursor58

claude-code50

Azure PostgreSQL 无密码身份验证配置指南：Entra ID 迁移与访问管理

34,800 周安装