Introduced in Oreo (Android 8, API-26), you may notice new files when attempting to locate the Android application package. While the path to the data remains consistent: USERDATA/app, you will find several new files within the specific application folder.

  •  .vdex: Uncompressed DEX code and metadata files for verification.

  •  .odex: Ahead of Time (AOT) compiled code, used for reducing start time and improved application performance.

  •  .art (optional): Android Runtime (ART) for some strings and classes in the APK. ART replaced Dalvik as a way to translate Android bytecode instructions.¹

For the purposes of static analysis, we need to target the .vdex file. In order to review the source code, it must first be converted using a tool like the open-source vdexExtractor which is available at https://github.com/anestisb/vdexExtractor and is a “Command line tool to decompile and extract Android Dex bytecode from Vdex files that are generated along with Oat files when optimizing bytecode from dex2oat ART runtime compiler.”²

References:

[1] https://for585.com/vdexandroid

[2] https://github.com/anestisb/vdexExtractor