Skip to main content

How to: Decompile Android APKs and enable in-development features in some apps

If you’ve followed us (or our friends at a couple of Android blogs), you’re probably aware of a little thing we do called APK Teardowns. Basically, we reverse engineer Google’s apps — like Allo, Duo, the Google Phone app, and others — and show you bits and pieces of code (in most cases, strings from a file called strings.xml) from within that might hint at features that are coming in the future. Lately, we’ve also found methods for enabling unreleased features in a select few apps.

But how exactly these things are done hasn’t been well publicized up to this point, and you might be surprised to learn that it’s actually a fairly straightforward process…

Decompile APKs to find strings in strings.xml

Download APK Tool

The first and most simple tool you need for doing app teardowns is APK Tool, a free little app that lets you quickly and easily reverse engineer Android APK files. You can use it on just about any Android app, including those not from Google proper. You can find the download for APK Tool here, and you can click the “Current Version” link at the top-right of the page to download the latest version.

Note: If you have any development experience, you’ll probably catch that this is a .jar file, and combined with the documentation for the app on its website, you’ll know how to use it. If that’s you, you can skip below to the section on enabling unreleased features in Google apps. If not, keep reading.

How to use APK Tool

There are lots of routes you can take to make use of this .jar file to decompile Android apps, but I’m going to run you through what I think is the simplest method for those that don’t have any prior programming or development experience.

1. Install Java

For those just getting into development and tinkering with Android apps, it’s probably a good idea to install the Java Runtime Environment and the Java SE Development Kit. You’re going to want to make sure you install the correct versions for your operating system. For this tutorial, we’ll be using a macOS device.

2. Set up your environment

This step is simply to make things easier to explain, and isn’t necessary if you know what you’re doing.

Create a folder on your desktop called “teardowns” (or something else that fits your fancy). Drag the APK Tool .jar file (it should be named something like apktool_2.2.4.jar) into that folder. Rename the APK Tool .jar file to something simple like “apktool.jar” for easier command entry (later).

3. Download the APK you want to decompile

Download the APK you want to teardown from APKMirror. Rename this to something easier to handle like “allov9.apk” (also not necessary, but will hopefully make things a bit less confusing when you’re entering the command to run APK Tool later). Drag the .apk file for the app to the same folder as the apktool.jar file. Once you have everything in place, it should look like this:

4. Run APK Tool

On a Mac or Linux machine, open up the Terminal app (you can use Spotlight to find it quickly).

Navigate to the directory that contains both of the above files. On Mac, you can use the “ls” command (enter “ls” and then press enter) to view the files in the current directory and the “cd” command to change to a folder that is in the current directory.

For example, if your “teardowns” folder (or whatever you decided to call it in step 2 above) is on your desktop, you’re probably going to need to open Terminal, type “cd desktop” (enter), followed by “cd teardowns” (enter). Then you should see that you’re in the right directory.

(On a PC, you’re going to need to use the “dir” command to view the current directory, and the same “cd” command to change directory to the folder that has your APK Tool .jar file.)

From here, you can type the command to decompile the app. That basic command for decompiling an Android APK is as follows, and you can find variations of this on the APK Tool website:

java -jar apktool.jar d allo.apk

Once you’ve done this, you should see a new folder that contains the decompiled app.

5. Navigate to strings.xml

Most of the juiciest bits of information can be found in a file called strings.xml. And the way we know what’s new is by comparing the strings.xml file of a newly-released build of an app to previously-released strings.xml files. You can find strings.xml in the /res/values/ directory.

Enable unreleased features

In some apps that are structured in certain ways, there are also methods of enabling features that are currently in development. Of course the fact that there is code to enable them and that they are in development does not mean that they’ll eventually become full-fledged user-facing features, but it’s interesting to see these features in the works regardless.

1. Root your device

The first thing you need to do before you can enable in-development features is root your device. There’s not enough space in this quick guide to cover how to root all devices (of course), so you’ll have to look that up yourself. But it goes without saying that achieving root is going to be far easier if you own a development-friendly device like the Nexus 6P or the Google Pixel.

2. Install a file browser app such as Solid Explorer

After you’ve achieved root on your device, you need to install a file explorer app. We prefer to use Solid Explorer File Manager, which can be found on the Play Store for free. It does cost a bit to keep the full features after a trial period, though.

3. Navigate to data/data/

From root, you’ll use Solid Explorer (or whichever file manager you chose) to navigate from the root to data/data. From there, you’ll see a list of installed applications, and you need to chose the one that you want to enable features for. In this case, we’re going to use the example of the Phone app and enabling the floating bubble that we told you about last week. So we’re going to navigate to com.google.android.dialer, which is the Google Phone app.

4. Navigate to shared_prefs & modify values

From here, navigate to shared_prefs and search through the XML files within to find features that might be worth enabling. As you can see below, we’ve navigated to the file called dialer_phenotype_flags.xml and found a boolean relating to a return_to_call_bubble. All we did to enable the feature was change the boolean from “false” to “true” and saved the file.

5. Force relaunch app

After you’ve navigated through the files in shared_prefs and enabled the features you want to enable (note that some of the values other types; it’s not always going to be a false/true boolean), all you have to do is save the file and head back to your launcher and force quit the app (remove it from multitasking). Just relaunch the app, and you might find that a new feature is enabled. Of course, this requires a lot of work and  trial and error, and that’s why we’ll keep doing it for you.

Conclusion

Doing app teardowns to find strings hinting at future features, and now actually going in and enabling some of those features to see them in action, is a fairly trivial process from a technical standpoint. All you need is access to the new version of an app to see strings, and a rooted phone to enable some of the in-development features. But it’s not a trivial amount of patience and skill that goes into testing out dozens of features to see what they do, and interpreting what they might mean.

Stay tuned at 9to5Google as we keep striving to be the first to let you know. To check out the latest teardowns, head over to the Teardown featured tag.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Stephen Hall Stephen Hall

Stephen is Growth Director at 9to5. If you want to get in touch, follow me on Twitter. Or, email at stephen (at) 9to5mac (dot) com, or an encrypted email at hallstephenj (at) protonmail (dot) com.