Last Friday, I had a meeting with a possible client who had made an app with a freelance developer using Appcelerator Titanium. Now he wished to make upgrades to the app, but he realized he didn’t have the source code for it, and the original developer was nowhere to be found.
I’ve heard this kind of story many times before. Still, since I’m currently building compilers that generate Titanium code, I wondered: how recoverable is the source code of a Titanium app from an existing APK? It seemed like a nice challenge, so I started digging, and this is my experience.
Almost any Android developer knows that there are tools to unpack and decompile the assets and class files inside an APK. An APK is essentially a zip file that contains, among other things, a resources.arsc, one or more classes.dex files and a binary-encoded AndroidManifest.xml. Using apktool you can extract the assets (images, sounds, fonts, raw files and XML layouts) and decode the binary manifest and resource tables back into readable XML (they are encoded, not encrypted); using dex2jar you can convert classes.dex into an ordinary jar, which you can then decompile with a Java decompiler such as JD-GUI or JADX (JADX can also decompile the dex, or the whole APK, directly, without the dex2jar step).
Now, for this task or any like it, the first step is to get the resources, so I made my own one-step tool, APK_unpack, to make that job easier, using NodeJS and a Java bridge. This small step was a challenge but was solved quickly (I had never before written a NodeJS app that consumed Java classes directly).
Well, Titanium promotes itself as JavaScript compiled to native, so it was no surprise that the JS files were not in the resources folder (as they would be in an Ionic app; in a Titanium app they are only there if the APK was built in development mode). But I found a SlideShare on Google explaining that the Titanium code of an app actually lives in the main package directory, in a class called AssetCryptImpl. I followed its directions and wrote my own JavaScript/NodeJS unpacker for that file (if you want to see what I wrote, it is on my github.com account, project ti_unpack).
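As an added illustration of the two points above (what an APK archive contains, and where the app’s JavaScript ends up depending on how it was built), here is a small Python triage script. It is example code written for this page, not the APK_unpack or ti_unpack tools described in the post, and it does not decrypt anything: it only inventories the archive and tells you whether the JS is shipped in the clear under assets/ or whether you need to decompile the dex and look for AssetCryptImpl. The sample APK contents are constructed inline, and the use of lib/<abi>/libkroll-v8.so as a marker for the Titanium runtime is an assumption, not something the post states.

```python
import io
import zipfile

# Added example for APK triage. This is not the post's APK_unpack/ti_unpack code.
# Assumption: a Titanium release build ships its V8 bridge as lib/<abi>/libkroll-v8.so.
CORE_MEMBERS = ("AndroidManifest.xml", "classes.dex", "resources.arsc")
TITANIUM_NATIVE_LIB = "libkroll-v8.so"


def build_sample_apk(entries):
    """Build a constructed, stored (uncompressed) zip that stands in for an APK.

    Only used to create sample input here; real APKs come from a device or store.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Inventory an APK and decide where the app's JavaScript most likely lives."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()

    missing_core = [m for m in CORE_MEMBERS if m not in names]
    # Multidex apps carry classes.dex, classes2.dex, ... at the archive root.
    dex_files = sorted(n for n in names if n.endswith(".dex") and "/" not in n)
    # JS shipped in the clear: Ionic/Cordova apps, or a Titanium dev-mode build.
    plain_js = sorted(n for n in names if n.startswith("assets/") and n.endswith(".js"))
    native_libs = sorted(n for n in names if n.startswith("lib/") and n.endswith(".so"))
    titanium_runtime = any(n.endswith("/" + TITANIUM_NATIVE_LIB) for n in native_libs)

    if plain_js:
        verdict = "js-in-assets"   # just unzip; no decompilation needed
    elif titanium_runtime and dex_files:
        verdict = "js-in-dex"      # Titanium release build: decompile the dex, find AssetCryptImpl
    else:
        verdict = "unknown"        # no obvious JS bundle; inspect dex and assets by hand

    return {
        "missing_core": missing_core,
        "dex_files": dex_files,
        "plain_js": plain_js,
        "native_libs": native_libs,
        "titanium_runtime": titanium_runtime,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: a Titanium release-style APK and a dev-mode-style APK.
    base = {
        "AndroidManifest.xml": b"\x03\x00\x08\x00",   # binary-XML chunk header only
        "classes.dex": b"dex\n035\x00",               # dex magic only
        "resources.arsc": b"\x02\x00\x0c\x00",        # resource-table chunk header only
        "lib/armeabi-v7a/libkroll-v8.so": b"\x7fELF",
    }
    release = build_sample_apk(base)
    dev = build_sample_apk({**base, "assets/Resources/app.js": b"Ti.UI.createWindow().open();"})
    for label, apk in (("release", release), ("dev", dev)):
        print(label, triage_apk(apk)["verdict"])
```

If the verdict is js-in-assets, plain unzipping already gives you the application code. If it is js-in-dex, the next step is the one the post describes: run dex2jar and a Java decompiler (or JADX on the APK directly) and look for the AssetCryptImpl class in the app’s package; the script deliberately stops short of that.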
Surprisingly, I was able to get the source code for the entire app (at least into memory)!
After playing a bit with the extracted code, I found that some versions of Titanium minify the compiled JS in different ways, so I thought it would be nicer to restore the original structure of the app instead of just having the compiled resources (which are quite readable, by the way). For this I made another NodeJS program, ti_recover, which uses all the packages mentioned above and creates an output directory that tries to restore the structure of a real Ti app. I’m building this to solve my client’s requirement, but I thought it might be of use to other Titanium developers who have lost their code (something I have seen several times on Quora).
To tell you the truth, this frightened me, because I’ve made and published more than a dozen Titanium apps, but it helps me understand how I can better protect my code and my clients’. And don’t misunderstand me: I love Titanium and find it a very good product, but sometimes you do need to get your source back, and now I know you actually can.