ded: Decompiling Android Applications
Motivation
Smartphone applications are frequently incompletely vetted, poorly isolated,
and installed by users without restraint. Such behavior is fraught with peril:
applications containing malicious logic or critical vulnerabilities are
likely to be identified only after substantial damage has already occurred.
Unfortunately, the limitations of application markets make them a poor agent
for certifying that applications are secure.
ded is a project that aims to decompile Android applications. The ded
tool retargets Android applications from the .dex format to traditional .class
files. These .class files can then be processed by existing Java tools,
including decompilers. Thus, Android applications can be analyzed using the
vast range of techniques developed for traditional Java applications.
Note: ded has now been replaced with Dare, a more powerful and more precise
retargeting tool. Please visit the Dare page for more information.
A Study of Decompiled Android Applications
The first application of our decompilation techniques was in a large-scale
analysis of Android applications. We decompiled the 1,100 most popular
applications using ded. The decompiled code was then analyzed. While this
analysis did not reveal any malware, we found that phone identifiers and other
personally identifiable information were widely used by Android applications.
More information is available in our USENIX Security paper, available on the
publications page.
This study is a first step in the analysis of decompiled Android applications.
In order to enable the analysis of decompiled Android code by other
researchers, we are making ded available for download. Please see the
installation page for downloads and installation instructions.
This research was supported by the National Science
Foundation Grant No. CNS-0905447, CNS-0721579 and CNS-0643907.
Please post any questions related to installation or usage of ded to the
ded support mailing list.