# APK Static Analysis Guide

How to decompile Hevy's APK and extract API endpoints, storage paths, and workout state logic.

## Download APK

```bash
# From APKPure (latest version)
# Check current version at: https://apkpure.com/hevy-gym-log-workout-tracker/com.hevy
# Package: com.hevy
# Latest: 3.0.13 (May 2026)
# Size: ~156 MB

# Direct download (URL may change):
wget -O hevy.apk "https://d.apkpure.com/b/APK/com.hevy?version=latest"

# Or from APKMirror (more reliable):
# https://www.apkmirror.com/apk/hevy-gym-workout-tracker/hevy-gym-log-workout-tracker/

# Verify file:
file hevy.apk
# Expected: Zip archive data (APK is a ZIP)
```

---

## Step 1: Basic APK Info

```bash
# Extract manifest for quick info
unzip -p hevy.apk AndroidManifest.xml > AndroidManifest.xml
# The extracted file is Android binary XML, not text.
# Convert it to readable XML with AXMLPrinter2 or similar (see Step 5)

# Better: use aapt (Android Asset Packaging Tool)
aapt dump badging hevy.apk

# Key info to extract:
# - package: name='com.hevy'
# - versionCode, versionName
# - sdkVersion (min/target)
# - MainActivity
# - Permissions
# - Features (Wear OS, etc.)
```

---

## Step 2: Decompile with jadx

```bash
# Install jadx
sudo apt-get install -y jadx

# Decompile (takes ~2-5 minutes for 156MB APK)
jadx -d hevy_decompiled/ hevy.apk

# Or use GUI (if X forwarding available):
# jadx-gui hevy.apk

# Expected output structure:
# hevy_decompiled/
# ├── sources/          # Decompiled Java/Kotlin source
# │   ├── com/
# │   │   ├── hevy/     # Main app code
# │   │   ├── facebook/ # React Native
# │   │   └── ...
# │   └── ...
# ├── resources/        # Resources
# │   ├── AndroidManifest.xml
# │   ├── res/
# │   └── assets/
# └── resources.arsc/
```

---

## Step 3: Extract React Native Bundle (MOST VALUABLE)

```bash
# The JS bundle contains ALL API calls, endpoint URLs, and business logic
cd hevy_decompiled/

# Find the bundle
find . -name "index.android.bundle" -o -name "*.bundle" 2>/dev/null

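# Usually at: resources/assets/index.android.bundle
# This is a minified JS file but searchable.
# If the app ships a compiled (Hermes bytecode) bundle instead, grep treats it
# as binary: pipe it through strings first, or pass -a to grep.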

# Extract all URLs from bundle
strings resources/assets/index.android.bundle | grep -oP 'https?://[^"'\''\s,\}\]\)]+' | sort -u > hevy_urls.txt

# Filter to API endpoints
grep "api.hevyapp.com" hevy_urls.txt > hevy_api_urls.txt
cat hevy_api_urls.txt

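# Search for workout state related strings
# (-o with bounded context: a minified bundle is a few very long lines,
#  so a plain grep would write almost the whole file to workout_refs.txt)
grep -a -o -i -E ".{0,60}(workout|session|draft|active|live|exercise|set|routine).{0,60}" resources/assets/index.android.bundle > workout_refs.txt
head -100 workout_refs.txt

# Search for WebSocket URLs
grep -a -o -i -E ".{0,60}(wss?://|socket\.io|websocket).{0,60}" resources/assets/index.android.bundle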

# Search for MobX store names
grep -oP '(store|Store)\.\w+' resources/assets/index.android.bundle | sort -u | head -50

# Search for API endpoint paths
grep -oP '"/[\w/_-]+"' resources/assets/index.android.bundle | sort -u | head -100

# Search for x-api-key values
# ('\'' is how a literal single quote is written inside a single-quoted shell string)
grep -oP 'x-api-key["\s:=]+["'\'']?[^"'\''\s,}]+' resources/assets/index.android.bundle
```

---

## Step 4: Analyze Java/Kotlin Source

```bash
cd hevy_decompiled/sources/

# Find main Hevy package
find . -path "*/com/hevy*" -type f | head -20

# Search for API-related code
grep -r "api.hevyapp.com" --include="*.java" .
grep -r "hevyapp" --include="*.java" . | head -30

# Search for network/HTTP client code
grep -r -i "okhttp\|retrofit\|axios\|fetch\|HttpClient\|RequestBuilder" --include="*.java" . | head -20

# Search for persistence/storage
grep -r -i "SharedPreferences\|AsyncStorage\|SQLite\|Room\|Realm\|MobX\|mst-persist" --include="*.java" . | head -20

# Search for WebSocket
grep -r -i "WebSocket\|socket" --include="*.java" . | head -20

# Search for workout state
grep -r -i "workout.*state\|activeWorkout\|liveWorkout\|WorkoutSession\|draftWorkout" --include="*.java" . | head -30

# Find Firebase/Firestore usage
grep -r -i "firebase\|firestore" --include="*.java" . | head -20
```

---

## Step 5: Analyze Manifest

```bash
# Extract readable manifest
# Option 1: Use apktool
apktool d hevy.apk -o hevy_apktool/
cat hevy_apktool/AndroidManifest.xml

# Option 2: Use AXMLPrinter2
# Download AXMLPrinter2.jar and:
java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifest_readable.xml

# Key things to check:
# - android:allowBackup (backup extraction possible?)
# - android:debuggable (run-as works?)
# - android:networkSecurityConfig (cert pinning config)
# - Exported activities/services (potential entry points)
# - Permissions (INTERNET, ACCESS_NETWORK_STATE, etc.)
# - Wear OS features/services

# (If you used Option 1, grep hevy_apktool/AndroidManifest.xml instead)
grep -i "allowBackup\|debuggable\|networkSecurity\|exported\|permission" AndroidManifest_readable.xml
```
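The checklist above can be applied mechanically to the decoded manifest. The following is an added example, not part of the original guide or of Hevy's code: it parses a decoded `AndroidManifest.xml` and reports the backup, debuggable, network security config and exported-component settings. The embedded manifest and the name `audit_manifest` are constructed for illustration.

```python
import json
import sys
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample in the decoded form apktool writes (not the app's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".FilesProvider" android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_data):
    root = ET.fromstring(xml_data)
    app = root.find("application")
    report = {
        # Platform defaults when the attribute is absent: allowBackup=true, debuggable=false.
        "allow_backup": app.get(NS + "allowBackup", "true") == "true",
        "debuggable": app.get(NS + "debuggable", "false") == "true",
        "network_security_config": app.get(NS + "networkSecurityConfig"),
        "exported": [],
    }
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            exported = comp.get(NS + "exported")
            # An intent-filter with no explicit attribute means exported by default
            # when the app targets API 30 or lower, so it is listed for review.
            implicit = exported is None and comp.find("intent-filter") is not None
            if exported == "true" or implicit:
                report["exported"].append({"type": tag, "name": comp.get(NS + "name"),
                                           "explicit": not implicit,
                                           "permission": comp.get(NS + "permission")})
    return report


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(audit_manifest(data), indent=2))
```

Pass the path of the decoded manifest as the first argument; exported entries with `"permission": null` are the ones reachable by other apps without a permission check.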

---

## Step 6: Search for Hardcoded Secrets

```bash
cd hevy_decompiled/

# API keys
# (in grep's basic regex a bare ? is a literal character; \? makes the separator optional)
grep -r -i "api[_-]\?key\|x-api-key\|apiKey\|API_KEY" --include="*.java" --include="*.xml" --include="*.json" .

# Client secrets
grep -r -i "client[_-]\?secret\|clientSecret\|CLIENT_SECRET" .

# JWT secrets
grep -r -i "jwt\|JSONWebToken" .

# OAuth endpoints
grep -r -i "oauth\|google\.com\|firebase" --include="*.java" .

# Database names
grep -r "\.db\|\.sqlite\|AsyncStorage\|RKStorage" --include="*.java" .
```

---

## Step 7: Extract App Architecture Clues

```bash
cd hevy_decompiled/

# Find navigation structure (React Navigation)
grep -oP "RouteName\.\w+|navigation\.navigate\('[^']+'\)" resources/assets/index.android.bundle | sort -u

# Find screens/pages
grep -oP "'[A-Z][a-zA-Z]+Screen'|'[A-Z][a-zA-Z]+View'|'[A-Z][a-zA-Z]+Page'" resources/assets/index.android.bundle | sort -u

# Find component names
grep -oP "class [A-Z]\w+ extends (React\.)?(Component|PureComponent)" sources/ -r | head -30

# Find Redux/MobX action types
grep -oP "(type|action)\.\w+" resources/assets/index.android.bundle | sort -u | head -50
```

---

## Step 8: Automated Analysis with MobSF (Optional)

```bash
# Install Mobile Security Framework
# Run in Docker:
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# Upload APK to MobSF web UI at http://localhost:8000
# Provides:
# - API endpoints extraction
# - Hardcoded secrets
# - Security vulnerabilities
# - Manifest analysis
# - Source code browser
```

---

## Step 9: Output Summary

After analysis, compile:

1. **All API endpoints** found in bundle + source
2. **All WebSocket URLs** found
3. **Storage path references** (AsyncStorage keys, SQLite tables)
4. **Auth mechanisms** (headers, token storage)
5. **MobX store names** related to workout state
6. **Network libraries** (OkHttp, axios, fetch, Retrofit)
7. **Wear OS sync classes** (if separate module)
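One way to produce the first three items of this summary in a single pass, as an added example that is not part of the original guide: it reuses the Step 3 patterns on raw bytes and groups the matches by category. The sample bundle, the `example.test` hosts and the name `triage_bundle` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The Step 3 grep patterns, compiled for bytes so a bundle containing non-text
# bytes is scanned the same way as a plain minified one.
URL_RE = re.compile(rb"""(?:https?|wss?)://[^"'\s,}\])]+""")
PATH_RE = re.compile(rb'"(/[\w/_-]+)"')
STORAGE_RE = re.compile(
    rb"""(?:AsyncStorage\.(?:set|get)Item|storage\.(?:set|get))\s*\(["']([^"']+)["']""")

# Constructed one-line sample standing in for index.android.bundle (not real app code).
SAMPLE_BUNDLE = (
    b'var a="https://api.example.test/v1/workouts",b=new WebSocket("wss://live.example.test/ws");'
    b'c.get("/v1/routines");c.post("/v1/workouts");AsyncStorage.setItem("activeWorkout",d);'
    b'AsyncStorage.getItem("activeWorkout");e("https://cdn.example.test/logo.png")'
)


def _unique(pattern, data):
    return sorted({m.decode("ascii", "replace") for m in pattern.findall(data)})


def _host(url):
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed match, e.g. a stray "[" in the authority
        return None


def triage_bundle(data, api_host):
    """Group strings found in the bundle into the summary categories."""
    urls = _unique(URL_RE, data)
    return {
        "api_urls": [u for u in urls if u.startswith("http") and _host(u) == api_host],
        "other_urls": [u for u in urls if u.startswith("http") and _host(u) != api_host],
        "websocket_urls": [u for u in urls if u.startswith("ws")],
        "api_paths": _unique(PATH_RE, data),
        "storage_keys": _unique(STORAGE_RE, data),
    }


if __name__ == "__main__":
    import json, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_BUNDLE
    host = sys.argv[2] if len(sys.argv) > 2 else "api.example.test"
    print(json.dumps(triage_bundle(data, host), indent=2))
```

Run it with the bundle path and the API hostname as arguments; with no arguments it prints the result for the constructed sample.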

---

## Key Files to Save for Reference

```bash
# Save the bundle for easy searching later (run from hevy_decompiled/)
cp resources/assets/index.android.bundle ~/hevy_bundle.js

# Save extracted URLs
grep -oP 'https?://[^"'\''\s,\}\]\)]+' ~/hevy_bundle.js | sort -u > ~/hevy_all_urls.txt

# Save all API paths
grep -oP '"/[\w/_-]+"' ~/hevy_bundle.js | sort -u > ~/hevy_api_paths.txt

# Save storage key references
grep -oP '(AsyncStorage\.setItem|AsyncStorage\.getItem|storage\.set|storage\.get)\s*\(["'\''][^"'\'']+["'\'']' ~/hevy_bundle.js | sort -u > ~/hevy_storage_keys.txt
```
