BiTree

Live coding lessons for aspiring developers and security professionals.

© 2026 BiTree. All rights reserved.
50 min · Intermediate

Static Analysis of Mobile Apps

After this lesson, you will be able to: decompile an Android APK with jadx, read the manifest and the decompiled code, and find hardcoded secrets and insecure storage.

Static analysis examines an app without running it. This lesson covers the APK format, decompiling with jadx, reading the manifest, and hunting for hardcoded secrets and insecure storage, with a lab against a deliberately vulnerable app.

Prerequisites: OWASP Mobile Top 10

💡 Authorization first

Decompile only apps you are authorized to analyze: training apps like InjuredAndroid or your own builds. This lab uses InjuredAndroid.

What is inside an APK

An APK is a ZIP archive. Inside: AndroidManifest.xml (permissions, components, configuration), classes.dex (the compiled Dalvik bytecode), resources, assets, and the signature. Because it is just a packaged archive of bytecode plus resources, tools can unpack it and decompile the DEX back to readable Java-like code. An IPA (iOS) is similarly a package, though decompiling iOS binaries is harder.

Decompiling with jadx

jadx converts an APK's DEX bytecode back into readable Java source. jadx-gui gives a browsable tree of the decompiled classes plus the manifest and resources. You read the code to understand the app's logic, find where it stores data, and spot anything sensitive shipped in the binary. apktool is a companion for decoding resources and the manifest and for repackaging.

Lab: find secrets and insecure storage in InjuredAndroid

Decompile, read, and hunt.

  1. Download the InjuredAndroid APK (a deliberately vulnerable training app).
  2. Open it in jadx-gui.
  3. Read AndroidManifest.xml: note permissions and any exported activities.
  4. Search the decompiled code (jadx has a search) for strings like 'key', 'password', 'secret', 'token', and base64-looking literals.
  5. Look at how the app stores data: SharedPreferences and SQLite usage. Identify sensitive values stored in plaintext.
  6. Document at least three findings (a hardcoded secret, an insecure storage location, an exported component) and the fix for each.
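Steps 4 and 5 can be automated against the jadx export. The scanner below is an added example, not code from the lesson or from InjuredAndroid: it runs over a constructed jadx-style Java snippet embedded inline, and scan_jadx_output assumes a hypothetical export directory such as the one `jadx -d out app.apk` writes.

```python
import base64
import pathlib
import re

# Constructed sample in the style of jadx output; not InjuredAndroid's real code.
SAMPLE_JAVA = '''
public class ApiClient {
    private static final String API_KEY = "AIzaSyD-ExampleKeyPlaceholder1234567890";
    private static final String ENDPOINT = "https://api.example.test/v1";
    public void saveSession(SharedPreferences prefs, String token) {
        prefs.edit().putString("auth_token", token).apply();
        prefs.edit().putString("theme", "dark").apply();
    }
    private static final String BLOB = "c2VjcmV0LWRhdGEtZm9yLWV4YW1wbGU=";
}
'''
SECRET_WORDS = ("key", "password", "secret", "token", "api")
# name = "literal" with 8+ chars; putString("key", ...); quoted base64-alphabet runs
STRING_ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([^"]{8,})"')
PREFS_PUT = re.compile(r'putString\(\s*"([^"]+)"\s*,')
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def looks_base64(s):
    """True if s strictly decodes as base64 to at least 8 bytes."""
    try:
        return len(base64.b64decode(s, validate=True)) >= 8
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def scan_java(src):
    """Return (line, kind, detail) tuples for secret-like literals and prefs writes."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in STRING_ASSIGN.finditer(line):
            if any(w in m.group(1).lower() for w in SECRET_WORDS):
                findings.append((lineno, "hardcoded-secret", m.group(1)))
        for m in B64_LITERAL.finditer(line):  # catches encoded secrets a word search misses
            if looks_base64(m.group(1)):
                findings.append((lineno, "base64-literal", m.group(1)[:12] + "..."))
        for m in PREFS_PUT.finditer(line):  # sensitive key written to SharedPreferences
            if any(w in m.group(1).lower() for w in SECRET_WORDS):
                findings.append((lineno, "plaintext-prefs", m.group(1)))
    return findings

def scan_jadx_output(root):
    """Scan every .java file under a jadx export directory (root is a hypothetical path)."""
    return {str(p): h for p in pathlib.Path(root).rglob("*.java")
            if (h := scan_java(p.read_text(errors="replace")))}
```

The sample yields three findings: a secret-named constant, a plaintext SharedPreferences write under a token key, and a base64 literal that the keyword search alone would never surface.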

Quick Check

Why can you recover a 'hidden' API key from a released Android app?

Common mistakes only experienced reviewers catch

  • Stopping at the manifest and not reading the code.
  • Missing base64- or hex-encoded secrets because you only searched for the word 'password'.
  • Ignoring third-party SDKs bundled in the app (supply chain).
  • Assuming obfuscated code hides secrets (string literals usually survive obfuscation).
  • Not checking how data is stored, which is where the juicy insecure-storage findings live.
  • Repackaging or running apps you are not authorized to test.
