Once in a while I find an Android app on the play store that I really think is cool. As an Android developer, I often analyze the technical aspects of the app I'm interested in. It might be just the way the UI works or some specific use of sensors and graphics rendering. I often also would like to know which frameworks or technologies the developer used to create that particular app.
There are already apps that can show you some of the frameworks the developer used, but I also wanted to figure this out my self. New frameworks appear all the time, so it might not be covered by these apps. Additionally, I thought that this could be a suitable feature for my Power APK app, which can be used to analyze apps installed on your device.
In this post I'll show some techniques I've used to analyze APKs, so that I could figure out what technologies and frameworks the developer used to build those apps. Luckily, Android makes it really easy to access and analyze APK files on the device.
Most of the time I just checked certain file names and grepped for strings because I wanted to make it quick and simple. That means that the results might not always be accurate, but it should still be fairly accurate most of the time.
Disclaimer: When you copy and analyze APK files, always make sure that you comply with developer's licenses and laws in you country.
The tools that I found useful for analyzing APK files were already part of Android SDK and NDK, so in my case I didn't need to install anything additional.
Android SDK contains ADB and tools for dumping dex files.
The NDK contains various tools from LLVM compiler toolchain, from which I've used nm utility to dump symbol names inside of native libraries.
Then I only needed some zip utility for unzipping APK files and a text editor, both of which were already preinstalled on my system.
Pulling APK File From Device
The first thing you need to do is to get the APK file from the Android device to your development machine. I've already wrote a more detailed post on how to pull APK files from Android device, so here I'll just summarize the main steps.
First you should find the package name of the app you want to pull from the device. You can use my Android app Power Apk to do this. An alternative way would be to go through each package and dump its manifest with the aapt2 tool which is also part of Android SDK. And of course, you can often deduce which package name belongs to a certain app just by looking at the package name after listing all package names with
adb shell pm list packages. But there are package names (including package names of my apps) where it's not completely obvious to which app they belong.
Once you have the package name, you can check the storage location of the APK file on the device with the following ADB command
adb shell pm path my.package.name
This is what I got when I dumped the path of my Bugjaeger app.
You can then use the path to pull the APK file from the device with ADB
adb pull /path/to/my.apk
Overview of APK File Structure
APK file is a regular ZIP archive with a certain file and folder structure. Which files and folders are present can vary a bit between applications. I'll try to mention the most important parts and the parts relevant to this post.
APK files contain one or more
classes.dex files. These files contain the compiled Java/Kotlin code in Dalvik executable format. You can use the
dexdump tool that is part of Android SDK to dump the content of .dex files. Even though you often find only one dex file per APK, there is a limit of maximum 65,536 methods per dex file that you can use in your app, so some apps need multiple dex files to work properly.
As the name suggests, this folder contains various assets that you can bundle within your app. The nice thing about this folder (in comparison to res folder that I mentioned bellow) is that as a developer you can use the AssetManager class to access the read-only files in a similar way to how you access regular file system. It can contain .html and .js files loaded by a WebView and therefore it can be used by frameworks like Apache Cordova or Ionic.
This folder can also contain various resources and assets, but it has a bit more rigorous structure than the assets folder. It contains drawables, layouts, menus, and other stuff that you often use within your view hierarchy in binary xml format. It usually also contains the app icon as a mipmap for various screen resolutions. One advantage of keeping some resources in this folder is that you can provide localized versions of resources for different languages and versions for different screen orientations, and the system handles the proper loading of resources automatically. Additionally, the resources can be statically referenced directly in your code through IDs.
This file contains the resource table in a binary format. It contains the type of resource (e.g. string, dimension,..), resource id, and resource name. The resources in the res folder can than be referenced through the ids listed in the table.
The lib folder contains native shared .so libraries in elf format. This is the C/C++ code compiled to machine code with tools from Android NDK. Because Android supports multiple architectures and CPUs, the folder is organized into subfolders for different ABIs (e.g. armeabi-v7a, x86,...).
This folder contains information related to application signing. It is used when signing the app with the JAR signing (V1) scheme. Newer Android versions (7.0+) also support v2/v3 schemes.
Android manifest contains important information about the app that is used by the development tools, Android system, and app stores. It contains app's package name, version information, declarations of app components, requested permissions, and other important things. It is serialized into a binary xml format. You can dump its content with the
appt tool or with my PowerApk app.
Finding Which Technologies/Frameworks Were Used
Once you have the APK file of the app you are interested in, you can view its content and extract it the same way as a regular zip file (renaming it and changing the file extension to
.zip should allow you to browse the file on Windows).
Looking for presence of specific files inside of our APK/ZIP file should already reveal the use of some of the frameworks. In some cases we might need to dump content of some files and grep for specific strings.
[Godot] is a cross-platform 3D game engine with it's own visual editor. It's packed with a lot of features and it's open source. For now I only experimented with it in my tiny free-time projects (a game & voice changer), but I would really like to use Godot for some bigger client projects.
Godot's build system generates libgodot_android.so that you will find in subdirectories inside of the
lib folder. There should be at least the
armeabi-v7a folder, or the
In the unlikely case when somebody would also name his own native C++ library
libgodot_android.so, you can additionally check symbol names inside of the library
arm-linux-androideabi-nm -D libgodot_android.so
Here I used the
nm tool located somewhere inside my NDK directory (
/toolchains/arm-linux-androideabi-4.9/prebuilt/windows-x86_64/bin) and dumped the dynamic symbols. You should be able to find multiple function names that correspond with the names in Godot's github repo.
Unity 3D is another cross-platform game engine. I've used it in several client projects. It allows you to program applications in C# by using Mono project.
App that uses Unity 3D usually contains the libunity.so file inside of
lib subfolders for each supported ABI. Additionally, the APK file will also contain either
libil2cpp.so. The former library is used when selecting the usual mono scripting backend. The latter library is build with Unity's IL2CPP technology, which allows to convert IL code to C++, before compiling it to native .so library.
App that uses Cordova should have
index.html inside of
Ionic is another hybrid mobile app framework that uses web technologies (HTML/CSS/JS) for creating apps. Ionic seems to be using Cordova under the hood together with Angular.js. That means it again uses a WebView to load HTML and JS from
When you check the content of
assets/www/index.html, you can see that there are XML elements prefixed with "ion-", e.g.
Cocos2d is an open source framework for building apps and games. It contains multiple branches, but I guess on Android the Cocos2d-x branch might be used more often.
classes.dex should reveal names of classes that are clearly part of the framework
dexdump classes.dex | grep "cocos"
Above I used the
dexdump tool which is part of Android SDK. You should be able to find it somewhere inside of the
sdk/build-tools/[version number]/ directory.
Grepping for "cocos" listed multiple Cocos2d-x classes, e.g.
How to Check This Stuff Quickly With an App
My Power APK Android app can be used to extract various details about apps installed on the phone. I've used the techniques I've described in this post to show some of the technologies used for creating an app. If you are interested in this stuff, you might find it useful. Additionally, it also allows you to extract Dalvik bytecode, so that you can get even more information about how a particullar app works internally.
Recently I have also created a simple online tool for analyzing APK files. You might want to check it out as well