Carlos Roggan

How to modify a compiled Android application (.apk file)

Today I’d like to share with you my findings about how an existing .apk file can be modified.

An .apk file represents the mobile application as it is installed on a mobile device, such as a smartphone, tablet or wearable.

Such an .apk file is a simple archive that can be opened with any archive tool, e.g. WinRAR.

So you can easily open it and view the files – although viewing most of the files won’t make you happy, because you’ll realize that they’re compiled, in binary format, etc

… but this is a different story.

Anyways, you can open the archive and then modify any resource file and save the modification in the archive.

But if you afterwards try to install the .apk on the smartphone (or tablet or similar), you’ll get an error.

The following screenshot displays the error when installing the modified sample application myApp.apk on an Android device:

[Screenshot: install_failure.JPG]

The reason is that after the modification, the checksum and the signature are not valid anymore.

Thus, simply changing an .apk file is not possible.

However, there’s still the valid use case to modify or replace files inside an existing .apk.

For example:

– files which are placed in the assets folder

– property files containing configuration data

– images which can be replaced

– styling information resources

and similar.

My personal use case was:

I had created an Android application using SAP Netweaver Gateway Productivity Accelerator.

I had to deliver the application to my users as .apk file.

But there was the requirement that they wanted to modify the ready application (change configuration data).

So I had to figure out how to achieve that: modify the app without having access to the source code.

Below, I’m sharing the required steps with you.

The description is based on the following software and versions:

Android current API 19

Java 7

Windows 7

If you aren’t familiar with Android, but wish to be, you might want to check the documents [1] and [2]

All prerequisites for understanding this blog are explained there.

Note:

In order to execute the commands described below, you need to have Java on your PATH variable of your Windows system (see [1] for an explanation).

Overview

There are 3 steps that need to be followed in order to modify an existing .apk file:

1. Do the actual desired modifications inside the .apk file

2. Sign the .apk

3. Install the .apk on the device

1. Change the resource in the .apk

Open the .apk file with WinRAR (if that doesn’t work, rename the file extension .apk to .zip)

Change the resource in the archive as desired (archive tools let you change files without extracting the archive).

Once you’re done with your changes, you have to take care of the signature files that are part of the .apk:

Inside the archive, go to folder META-INF

Delete the existing *.RSA and *.SF files

The following screenshot displays the content of the META-INF folder in an .apk file:

[Screenshot: delete_old_certs.JPG]

Now the archive can be closed.

In case you had changed the file extension before, you now have to change it back to .apk

2. Sign the .apk

Android doesn’t allow installing an application (.apk) that isn’t signed.

When developing an app in Eclipse, the ADT (“Android Developer Tools”, the extension to Eclipse that supports development for Android) takes care of signing the app with a default certificate before installing it on the device.

That’s comfortable, but with the following description, everybody is able to sign an application.

Signing the .apk is done in 2 steps:

a) create the certificate

b) sign the .apk with the created certificate

Both steps are done with commands on the command line

a) Generate a certificate


If you’re working in a Java environment, you have the JDK on your file system.

The JDK comes with a tool to manage certificates: the keytool.

You can find it in the …/bin folder of your JDK installation.

Example:

On my machine it is here:

[Screenshot: keytool.JPG]

Now you can generate a certificate using below command.

However, before executing it, please check the notes below, in order to adapt the parameters

keytool.exe -genkey -v -keystore <myKeystore> -alias <myAlias> -sigalg MD5withRSA -keyalg RSA -keysize 2048 -validity 1000

Please note that you have to adapt some of the parameters of the above command to your personal needs:

keystore <myKeystore>

Here, you can provide an arbitrary name for your keystore.

The name that you provide here will be the name of the keystore-file that will be created.

The file will be created in the current directory.

(I haven’t tried it, but probably you can enter the name of an existing keystore file, in order to store the new certificate there)

alias <myAlias>

Here as well, you can provide an arbitrary name for the alias.

It is meant for you to recognize it.

The alias is the human readable name of the certificate which will be created and stored in the keystore.

validity 1000

This is the number of desired days.

You can enter any number you wish.

I think it should be high enough in order to avoid trouble with expiration.

Note that the parameters sigalg and keyalg are required by JDK 7, so it shouldn’t be necessary to add them if you’re using JDK 6

Example:

keytool.exe -genkey -v -keystore mykeystore -alias myAlias -sigalg MD5withRSA -keyalg RSA -keysize 2048 -validity 10000

When executing the command, you’ll get several prompts on the command line, asking for password, username, organization, city, etc

You can enter any arbitrary data here, you only have to make sure to remember the password.

After you’ve executed the command, you’ll see the generated keystore file on your file system in the current directory (from where you’ve executed the command)

Now you can proceed with signing the .apk using the newly created certificate.

b) Sign the apk

Before signing the .apk file, you have to make sure that there are no certificates available in the .apk.

This is described in step 1 above.

For signing an archive, we use the jarsigner tool, which is provided with the JDK and can be found in the same location as the keytool.

The following command is used for signing an .apk:

jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore <keystoreName> <appName> <alias>

Please note that you have to adapt some of the parameters of the above command to fit your personal needs:

keystore <keystoreName>

Here you have to enter the name that you have given in the previous step a)

In order to keep the command line short, I recommend temporarily copying the keystore file to the same location where you’re executing the command.

<appName>

Here you have to enter the name of the apk file which you want to sign

In order to keep the command line short, I recommend temporarily copying the .apk file to the same location where you’re executing the command.

<alias>

Here you have to enter the name of the alias that you’ve provided when generating the certificate

Note that the parameters sigalg and digestalg are required by JDK 7, so it shouldn’t be necessary to add them if you’re using JDK 6

Example:

jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore mykeystore myApp.apk myAlias

After you’ve executed the command, you can check the result inside the .apk file:

Open the archive, go to the folder …/META-INF and check if the files CERT.RSA and CERT.SF have been created.

3. Install the apk on the device

Now that the .apk file is signed, you can install it on your device.

BTW: This procedure is also called side-load.

For Android applications the installation is done on the command line, using the adb command.

adb stands for Android Debug Bridge

adb.exe is a piece of software that connects the PC with the Android device.

It gives access to the device and lets you trigger operations, transfer files, etc.

In order to install the .apk on the device, connect the device to your PC via USB cable, then execute the following command:

adb install <appName>

In order to keep the command line short, you can temporarily copy the apk file to the same location where you’re executing the command.

Example:

adb install myApp.apk

The result should be a “success” message on the command prompt.

If not, any of the previous steps may have failed.

That’s it.

You can find the application in the apps folder of your smartphone.

This procedure worked for me on WIN7 and JDK 7.

It wasn’t required to rebuild the app, nor to generate new checksum or similar.

Links

Please refer to the following documents for a lot of information for beginners.

They also contain lots of additional links for further reading.

[1] Getting started with GWPA: Prerequisites: http://scn.sap.com/docs/DOC-52235

[2] Getting started with GWPA: Android Preparation: http://scn.sap.com/docs/DOC-52371

The official documentation can be found here: http://developer.android.com/tools/publishing/app-signing.html

      29 Comments
      Former Member

      Thanks a lot, Carlos.

      I had the same requirement and was unable to install the apk on a Samsung device after repacking the apk.

      But your steps helped me to get through this problem.

      Thank you.

      Carlos Roggan
      Blog Post Author

      Thanks Vinay, good to know, and I'm glad that it helped you! 😉

      Former Member

      Dear Sir,
      I tried it and got through some steps successfully, but when I go to open the keytool.exe file, it opens and closes automatically, so please guide me how I edit it.

      And I want to edit a video clip in an Android app, so guide me how I edit it.

      I am awaiting your response.
       

      Former Member

      Thank you for sharing this information . 

      Yash sharma

      thanks for the info =)

      regards

      Former Member

      Great information about apk android app.

      Thanks for sharing

      Regards

      Former Member

      this is great tutorial about modifying an apk file, it helped me

      thanks for sharing

      regards

       

      Former Member

      Thank you, Carlos, for sharing this informative post with us. I am using a Google Pixel and was facing a problem with installing an .apk file on my device; with the help of your tutorial my problem is finally fixed.

      Carlos Roggan
      Blog Post Author

      glad that it helped you, John 😉

      Former Member

      Thanks for sharing such good information with us.

       

       

      Former Member

       

      This is a great tutorial about modifying an apk file, it helped me a lot, thanks for sharing.

       

      Carlos Roggan
      Blog Post Author

      Thanks for your comment, Former Member

      Former Member

      Sir,

      I have an Android project which is completely made on Firebase. All of the code is written on the client side, that is, the app itself.

      What if someone decompiles my apk, modifies my code/logic and recompiles it again? Will he be able to connect to my Firebase project?

      Does the SHA1 fingerprint change when anyone modifies the apk?

      Hope to get a reply soon.

      Thank you.

      Carlos Roggan
      Blog Post Author

      Hello Sir,

      I think you don't need to worry too much, there's not more danger than to any other compiled software.
      I mentioned above that the described procedure is only applicable for changing resource files, not code.
      Kind Regards,
      Carlos

      Former Member

      Thanks!  But does the SHA1 fingerprint change when someone modifies the code?

      Carlos Roggan
      Blog Post Author

      I haven't tried it, I can only assume that yes

      Maxime Doche

      Thank you so much, it worked like a charm! 🙂

      Carlos Roggan
      Blog Post Author

      Great, Maxime, good to know that ! 😉

      Bilal Nazeer

       

      Hey

      Thanks a lot, this worked, but I have a problem.

      Before editing my app it was linked to the AdMob Google ad service and ads were appearing in the app, but after editing my app (I only changed a source image file) the ads disappeared. How can I edit my app and keep the ads? It will be a great help.

       

      John Walkr

      Hello Carlos, thank you for the timely and interesting article… It will be helpful for the user who is looking to modify a compiled Android application.

      Bryan Cowing

      Carlos, I am curious, could you follow this same process and upload the updated APK as an update to a published app on the Google developers console? I am trying to update my app and do not have access to my source code. This would be a great help, thank you!

      Carlos Roggan
      Blog Post Author

      Hi Bryan, this is a cool idea, but unfortunately I cannot try it.
      However, if you find the solution, would be nice to share it here, so others can benefit! Cheers!

      Tech Slips

      Very informative article, I love it when someone brings out his or her time to educate others on tech issues. Nice one bro

      Carlos Roggan
      Blog Post Author

      Hi Tech Slips , thanks so much for this nice feedback !!!

      Cherry Wilson

      Hi Roggan. I am really impressed by your article. This seems quite interesting, because I get to learn something from your effort.

      John Drue

      Hi Carlos,

      Nice article. What if I need to modify an apk to force it to use some given HTTP proxy, not the Android system proxy?
      Let's say I have 3 apks: apk1 is forced to use proxy1, apk2 is forced to use proxy2, and apk3 is forced to use proxy3.

      Thank..

      shajeer AP

      Hi Carlos,

      I am a beginner at apk development and design. Now I am working on modifying some of the features in the voice call apk file of the jio4gvoice app. This is the app that was developed by a mobile network in India for making non-VoLTE-enabled smartphones VoLTE enabled. I found so many issues belonging to this app and reviews from people on the Google Play Store. Now I am trying to fix one of the comments that one person posted there.

       

      By reading your post, I have got a clear and exact procedure for how I am able to modify an apk file. Now I will make each and every issue posted on the Play Store and will submit to the company, so I will get a job there.

       

      Thanks a Lot

      Shajeer

      Carlos Roggan
      Blog Post Author

      Great, shajeer AP thanks for the feedback!
      Cheers, Carlos

      James Morrison

      Thanks a lot for this information. It was a pleasure to read this article!