4. Reversing & Repatching an .APK for Pen-Testing on a Non-Rooted/Rooted Phone to Bypass OS Security

As seen in the previous post about reverse engineering an Android .apk file into Smali code, this article explains how to 1) decompile an .apk file, 2) modify a part of it, 3) recompile it to obtain a new unsigned .apk file, and 4) sign it and install it on any device.

In the majority of apps the debug flag is set to false, so we would need a rooted phone/tablet to analyze local storage (the app sandbox containing the SQLite DB, SharedPrefs and other sensitive files), run privileged ADB commands, etc. Without a rooted device you won't be able to perform any of the above test cases. Adding android:debuggable="true" inside the Manifest XML file makes local storage analysis, privileged ADB commands and, additionally, runtime analysis possible. Android allows this analysis for any debuggable app through the run-as command on a non-rooted phone, which helps us bypass OS security.


Let's take any sample app and add the debug flag to it, so that it can be pen-tested on any device. This assumes Apktool is configured properly on your machine; otherwise refer to the documentation. (Linux/Mac) Give the apktool files execute permission using chmod 777 or chmod +x. Copy the .APK that is to be repatched into the directory where the apktool files are.


Step:1 Decompiling .APK file into Smali using Apktool

java -jar apktool.jar  d  APPNAME.apk

On completion of the above command, a folder named after the APK is created, containing the Manifest XML file, smali files, resources and many other files.


Step:2 Adding debuggable flag in Manifest XML

Open the Android Manifest XML file in an editor, add android:debuggable="true" within the <application> tag and save the file. (You can add it anywhere within the application tag; just check that you are not disturbing the existing attributes of the application tag.) Refer to line 8 of the Manifest file snippet below.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.nestedif.android">

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <!-- Line 8 carries the added flag; the app's other <application> attributes are not shown -->
    <application
        android:debuggable="true">

        <!-- Splash screen -->
        <activity android:name=".SplashActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".MainActivity"
            android:theme="@style/AppTheme.NoActionBar" />
        <service android:name=".DownloaderService"
            android:exported="false" />
    </application>
</manifest>
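
An added example (not from the original post) of making the Step 2 edit with an XML parser instead of by hand: it overwrites an existing android:debuggable value rather than adding a second attribute, and leaves the other attributes untouched. The function names and the sample manifest are constructed for illustration; the same debuggable_state check can be run on a release build's decoded manifest to confirm the flag is absent.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS
# Keep the android: prefix when the tree is written back out.
ET.register_namespace("android", ANDROID_NS)


def _application(manifest_xml):
    """Parse an apktool-decoded manifest; return (root, <application> element)."""
    # Note: ElementTree's default parser drops XML comments.
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return root, app


def debuggable_state(manifest_xml):
    """Return "true", "false", or None (attribute absent; Android treats that as false)."""
    _, app = _application(manifest_xml)
    return app.get(DEBUGGABLE)


def set_debuggable(manifest_xml, value="true"):
    """Set android:debuggable on <application>, replacing any existing value.

    Pasting a second android:debuggable next to an existing one makes the
    XML ill-formed, and the rebuild in Step 3 then fails.
    """
    root, app = _application(manifest_xml)
    app.set(DEBUGGABLE, value)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a decoded manifest in which the flag is explicitly false.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.nestedif.android">
    <application android:debuggable="false" android:label="Demo">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

if __name__ == "__main__":
    print("before:", debuggable_state(SAMPLE))
    patched = set_debuggable(SAMPLE)
    print("after: ", debuggable_state(patched))
```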



Step:3 Recompiling with above change to modified APK using ApkTool



java -jar apktool.jar  b  <REPLACEYOURFOLDERNAME>  -o  MODIFIEDAPPNAME.apk

e.g. java -jar apktool.jar b app-release -o appWithDebug.apk

b builds a new APK file and is followed by the name of the folder that contains the modified Manifest file and the other source files from steps 1 and 2; -o specifies the output APK file name we want. On completion of the above command, a new APK file is created within the same folder, with the debug flag set to true.

Remember that if you try installing this APK, it will give an error saying it is not signed with a proper certificate. One more step is needed before installation, i.e. app signing (since modifying the APK breaks its integrity).


Step:4 Signing modified APK

The APK file generated above can be signed in multiple ways, such as with jarsigner and keytool or, the easiest way, with the apk-signer Android app. You can install apk-signer from the Play Store.

Next you need to copy the modified APK (appWithDebug.apk) to the mobile device: either use USB and copy it to /sdcard/Download, or copy the modified APK to the directory where ADB is present and from there use the following command:

adb push appWithDebug.apk   /sdcard/Download/

On the mobile device, launch apk-signer and tap the button at the bottom right to create a new signed APK. Choose the path where we copied appWithDebug.apk (i.e. /sdcard/Download/) and then choose any path where you want to save the signed APK.

Once the APK is signed, use any file explorer on your device, or (Marshmallow onwards) the default file explorer from Settings>storage>InternalSharedStorage, to navigate to the location where the signed APK is present. Tap on it and accept the prompt to install (since the app is from outside the Play Store).


Step:5 Run-as 

Find the package name of the app in the Manifest XML file (in the location where we extracted it in step 1). Now, from the ADB directory, run:

# Take shell access of the device
adb shell

# Check which user you are logged in as; it can be any name
whoami

# run-as gives access to the sandbox of the app we recompiled with the debug flag
run-as com.nestedif.android

# Now you can see all files and folders of the sandbox using ls -la
ls -la

# Open any file using the cat command
cat <REPLACEYOURFILENAME>

At this point you can access the local storage of that app without a rooted phone; moreover, you can also perform runtime analysis, where you can see the values of variables on the go as well as modify them.



  • A big note: Apktool depends upon framework.apk (used internally by the tool). If you update by downloading a new version of Apktool, make sure that you delete the older auto-generated framework, otherwise decompilation/recompilation will fail with errors. (Refer to the documentation or the Stack Overflow answer.)
