Decompiling an Android APK?

Exception or error:

Possible Duplicate:
Android: Getting source code from an APK file

Is it possible for someone to decompile my Android APK file and see the public variables or constants declared in my packages?

My shared key that I have defined as a public static constant will then get exposed…

How to solve:

When you deobfuscate code (here’s a video tutorial that might give insight: How to read obfuscated code), you will be able to see all hard-coded values such as

private String key = "Au8aujEWS(jol#9jSd9";

Except they won’t be seeing variable names:

private String a = "Au8aujEWS(jol#9jSd9";

By using tools like the ones Sunny mentioned, you’ll be able to get all code to near its original state.

I’ll give an example. If you had the following original code:

public class MainActivity extends Activity {
    private String key = "Au8aujEWS(jol#9jSd9";

    public void onCreate(Bundle savedInstance) {
        //Some code here
    }
}

public class OtherActivity extends Activity { ... }

After being compiled and decompiled back into Java code, it would look something like this:

public class A extends B {
    private String a = "Au8aujEWS(jol#9jSd9";

    public void a (C b) {
        //Some code here
    }
}

public class D extends B { ... }

and by using educated guesswork and refactoring tools, you’ll be able to deobfuscate code, so with enough dedication and hard work people will be able to see all your code.

I strongly recommend not making your security depend entirely on things coded into the client applications. Of course it depends on how important it is for your situation to not give hackers the possibility to access the information you’re trying to secure.


Yes, it is possible to decompile an APK.

Depending on the obfuscation level it might take some time, but a dedicated/bent person will eventually decompile it.

You can try tools like

Source :


Here are 2 more options for you:

suggested by @AndrewRukin


Another tool: jadx


Yes, it is possible, but it’s not so simple – someone truly must have a strong reason to do it.

Depending on how much security you need, you can either construct your key at runtime instead of saving it into a final String, download it from the Internet (but this way must be secured even better, maybe not worth it) or let some other external server do the work instead of your app – especially if you are talking about payments and storing your public key – in that case the key won’t even be embedded into your app.

Also, remember to make the hacker’s life harder by using mentioned obfuscation tools like ProGuard:


Yes, Android APKs can easily be decompiled. The public variables, constants and their values can be seen when decompiled even if the code is obfuscated.

When you obfuscate code, your variable names are renamed. The value of your variables remains the same. Obfuscation is different from encryption. As such, your code is not encrypted when you obfuscate your code.

An example of normal code:

String str = "This is a string.";

An example of obfuscated code:

String a = "This is a string.";

As you can see above, the variable name was renamed from “str” to “a”, but its value remains the same. Obfuscation works by renaming the variable names to short non-logical names, making the file size smaller and making the code harder to understand.

What I do is I obfuscate my whole code and then encrypt my key and decrypt it somewhere in my program. Although I understand that a determined and patient hacker can still crack my key, it will make things harder for him.
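
The point made in the answers above, that renaming identifiers leaves string values untouched, can be checked on your own build before release. The following is an added example, not code from the original answers: a small Python scanner that flags long, high-entropy string literals in Java source. The two sample classes, the function names and the length/entropy thresholds are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed samples modelled on the snippets in the answers above:
# the same class before and after identifier renaming.
ORIGINAL = '''
public class MainActivity extends Activity {
    private String key = "Au8aujEWS(jol#9jSd9";
    private String label = "This is a string.";
}
'''
OBFUSCATED = '''
public class A extends B {
    private String a = "Au8aujEWS(jol#9jSd9";
    private String b = "This is a string.";
}
'''

# Java string literal, allowing backslash escapes inside the quotes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def shannon_entropy(text):
    """Bits per character; random keys score higher than English text."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def find_candidate_secrets(source, min_len=12, min_entropy=3.5):
    """Return (line_number, literal) for literals that look like key material.

    Thresholds are assumptions chosen for this sample; tune them per codebase.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if len(literal) >= min_len and shannon_entropy(literal) >= min_entropy:
                findings.append((lineno, literal))
    return findings


if __name__ == "__main__":
    for name, src in (("original", ORIGINAL), ("obfuscated", OBFUSCATED)):
        for lineno, literal in find_candidate_secrets(src):
            print(f"{name}: line {lineno}: hard-coded literal {literal!r}")
```

Both inputs produce the same finding, which is why a literal flagged here belongs on a server or in a keystore rather than in the APK.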
