How to Decompile Android APK Files with JADX

Mar 26, 2026

Cowrie

Dev @ Bswen

I needed to analyze an Android app’s source code, but all I had was the compiled APK file. I tried opening it with a text editor, but got nothing but binary garbage.

The Problem with APK Files

Android Package (APK) files are essentially ZIP archives containing compiled code and resources. The main executable code lives in classes.dex files - Dalvik Executable format that Android’s runtime can understand, but humans can’t read directly.

I needed to reverse this compilation process to understand how the app worked.

Enter JADX

JADX (JADX is a DEX to Java decompiler) is an open-source tool that converts DEX files back to readable Java source code. It’s become my go-to tool for APK analysis.

First, I installed JADX on my Mac:

install-jadx.sh

brew install jadx

For other platforms, you can download the latest release from the GitHub repository.

Two Ways to Use JADX

JADX offers both a command-line interface and a graphical user interface.

Command Line Approach

The simplest way to decompile an APK:

decompile-cli.sh

jadx my-app.apk

This creates a my-app directory containing:

• sources/ - Decompiled Java source code
• resources/ - Extracted APK resources
• AndroidManifest.xml - The app’s manifest file

I could also specify output directory:

decompile-with-output.sh

jadx -d output-folder my-app.apk

GUI Approach

For interactive analysis, I prefer the GUI:

launch-gui.sh

jadx-gui

Then I simply opened the APK file through the GUI. The interface shows:

• Package structure on the left
• Source code in the main panel
• Resource files in a separate tab

Understanding What JADX Shows

When I decompiled my first APK, I noticed different types of classes in the output.

Developer-created classes: The actual source code written by the app’s developers. This is what I was looking for.

R classes: Auto-generated resource reference classes like R.id, R.string, R.layout. These map resource IDs to their values.

Synthetic classes: Generated by the compiler for things like inner class access.

Bridge methods: Added by the compiler for generic type erasure.

The GUI makes it easy to filter and search through these different class types.

Working with DEX Files Directly

Sometimes I wanted to inspect a specific classes.dex file without the full APK:

decompile-dex.sh

jadx classes.dex

This works the same way, just on the raw DEX file instead of the APK archive.

What You Can and Cannot Recover

JADX does an impressive job recovering Java source code, but it’s not perfect:

What works well:

• Method signatures and class structures
• Most logic flow
• String literals and constants
• Resource files and manifest

What might be problematic:

• Obfuscated code (classes named a, b, c)
• Some lambda expressions
• Complex generic types
• ProGuard/R8 optimized code

I found that even with obfuscated code, JADX gives enough structure to understand the app’s architecture.

Practical Use Cases

Since discovering JADX, I’ve used it for:

1. Security research - Analyzing potentially malicious apps
2. Legacy code recovery - When source code was lost but APK existed
3. Learning - Understanding how other apps implement features
4. Debugging - Checking what version of a library is bundled
5. API reverse engineering - Understanding undocumented APIs

Tips for Better Results

After decompiling many APKs, I’ve learned a few tricks:

Use the GUI for exploration - The search and navigation features make it easier to find specific code.

Export to Gradle project - JADX can export decompiled code as a Gradle project, making it easier to browse in an IDE.

export-gradle.sh

jadx -e -j 4 my-app.apk

The -j 4 flag uses 4 threads for faster decompilation on multi-core machines.

Be patient with large apps - Complex apps with many dependencies take longer to decompile and generate more output.

Legal and Ethical Considerations

I should mention that decompiling APKs raises legal questions. In my work, I only decompile:

• My own apps
• Apps where the license permits reverse engineering
• Apps for security research with proper authorization

Always check the app’s license and local laws before decompiling someone else’s work.

Final Words + More Resources

My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!

Comments

Tags:

• mobile
• security
• career

How Does a 3-Line Daily Work Summary Transform Your Engineering Career?

How to Decompile JAR Files Using JADX: Extract Full Java Applications