Presentation: Exploring the Android APK

Duration: 11:50am - 12:40pm

Key Takeaways

  • Learn about common vulnerabilities and mistakes developers make while developing Android applications.
  • See first-hand the vulnerabilities in a working Android application.
  • Hear best practices on securing Android applications.

Abstract

If you own an Android device, you’ve more than likely heard of an APK file. How easy are Android distributables to examine and extract information?

Some companies assume that resources, APIs and more are private within the APK, while others, aware of the risk, take part in a constant cat-and-mouse game of application security. A variety of tools have additionally emerged to make extracting the contents of an APK much more difficult.

In this talk we will look at the Android package and examine how we can explore it in order to extract information, while looking at some of the products and tools used by both sides.

Interview

Question: Who is the main target audience of this talk?

Answer:

I would say a developer. I want to really talk to the guys who are building the applications since they are making some of these mistakes.

For those that aren’t mobile developers but control a team (perhaps building the server side for a mobile team), the talk will give some insight into the mobile products at their company. Hopefully, it will prompt them to ask questions on the security of the company’s mobile apps or maybe spark the thought of what they may be exposing through their mobile applications.

Question: What's the motivation for your talk?

Answer:

A lot of companies outsource their mobile applications, so they can get a product quickly. Doing that often exposes much more than they even thought was possible from their company. So I want to show people how easy it is to figure out how these applications work and then make my own requests against their system.

Question: Are there any tricks or techniques besides obfuscation that you might recommend?

Answer:

A lot of people have been moving core functions into the native files of their application using the Android NDK. If you do certificate pinning and all your network talk through a native library versus sitting at the Java level, then you have a lot more flexibility to prevent people from inspecting or modifying your requests, as modifying native files is a lot more difficult than changing a dex file.

Question: What do you feel is the most disruptive tech in IT right now?

Answer:

I hear so much about Cloud this, Cloud that, from upper management and they just don’t know what it means and are just throwing the words around. I guess that is not even a tech, but buzzwords are probably what I think is hurting the most.

Speaker: Connor Tumbleson

Developer @SourceToad & Apktool Maintainer

Connor has been messing with Android since the Nexus One, breaking applications. He graduated from the University of Arkansas with a Bachelor's in Computer Science and now works at Sourcetoad. Connor is a big supporter of open-source projects and maintains apktool, a popular Android reverse engineering tool, in his free time.

