2016-07-12

On analyzing Android class and package dependencies

Recently I had to analyze the class and package dependencies of an Android app. Jens Schauder maintains an awesome tool called Degraph. Its purpose is to test, visualize and manage dependencies of classes and packages in JVM byte code. So, I asked myself, why not use it?

Although the Google toolchain used to rely on standard Java byte code as an intermediate step, this may no longer be the case in the future. Its final artifact (the end of the toolchain if you like) consists of one or more Dalvik executables. If you take a look at an Android application package (.apk), you will find a file named classes.dex. Depending on the size of the app, there may be other, similarly named ones, too. As application classes as well as any dependent library are put there, I decided to use the .dex files for my dependency analysis.

The Android SDK contains a tool called dexdump. Its purpose is to provide a (nicely) readable representation of .dex files. Hence, all I needed to do was to bake a small tool that interprets dexdump output. You can find this tool here. It is written from scratch and is completely unrelated to Degraph. Still, I feel the need to credit Jens, especially for his idea to visualize the output of his tool using yEd.


You can extract classes.dex using tar xf. The screenshot shows a small portion of a dexdump output. To use it with my tool, you should create a text file as follows:

dexdump -l plain -f classes.dex > classes.txt

Let's see what DexAnalyzer can make out of it.


As you can see, by default analysis is based upon packages. The following screenshot shows how to distinguish classes and produce a file that can be opened in yEd.



I am going into more detail later. For now I encourage you to play with my tool. Please keep in mind that it is in its infancy. If you encounter any misbehavior, please feel free to let me know. Passing command line arguments seems to not work as expected if options appear after filenames. Also, please note that checked exceptions currently do not count as dependencies. I plan to add this later.

No comments:

Post a Comment