Android Software Reverse Engineering & Decompilation

Android NDK Reverse Engineering 101: A Practical Guide to Analyzing .so Files with Ghidra

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android NDK Reverse Engineering

The Android Native Development Kit (NDK) allows developers to implement parts of their applications using native code languages like C and C++. This native code is compiled into .so (shared object) libraries, which are then packaged within APKs. While native code offers performance benefits and allows reuse of existing C/C++ libraries, it also presents a significant challenge for reverse engineers. Unlike Java bytecode, which can be easily decompiled to readable source using tools like Jadx or Bytecode Viewer, native code requires a deeper dive into assembly and C/C++ pseudo-code. This guide will walk you through the fundamentals of analyzing Android .so files using Ghidra, a powerful and free reverse engineering tool.

Why Reverse Engineer Android .so Files?

Understanding the native components of an Android application can be crucial for several reasons:

  • Security Analysis: Identifying vulnerabilities, analyzing anti-tampering mechanisms, or understanding how sensitive data is handled in native libraries.
  • Malware Analysis: Deobfuscating malicious logic often hidden in native code to evade detection.
  • Interoperability: Understanding undocumented native APIs for integration or bypass purposes.
  • Intellectual Property Protection: Analyzing how core logic or algorithms are implemented natively.

Getting Started: Prerequisites and Tools

Before diving into Ghidra, ensure you have the following tools set up:

  • Ghidra: Download and install the latest version from the official NSA Ghidra repository.
  • Android SDK & NDK: Essential for obtaining `adb` (Android Debug Bridge) and understanding Android’s build environment.
  • Java Development Kit (JDK): Ghidra requires a JDK to run.
  • An APK File: A target Android application containing native libraries. For this tutorial, you can use any app that utilizes NDK, or even a sample NDK project you compile yourself.

Step 1: Obtaining the .so File

The first step is to extract the .so library from your target APK. APKs are essentially ZIP archives. You can rename the .apk file to .zip and extract its contents, or use an archive manager directly. Native libraries are typically found in the lib/ directory, organized by architecture (e.g., lib/arm64-v8a/, lib/armeabi-v7a/, lib/x86/, lib/x86_64/). Choose the architecture relevant to your analysis environment or the target device.

Alternatively, if the app is already installed on a rooted device or emulator, you can pull the library directly:

adb shell pm path com.your.packagename
adb pull /data/app/com.your.packagename-1/lib/arm64/libyourlib.so .

Step 2: Loading the .so File into Ghidra

Once you have your .so file, open Ghidra and follow these steps:

  1. Create a New Project: File > New Project. Choose ‘Non-Shared Project’.
  2. Import File: File > Import File. Navigate to your extracted .so file and select it.
  3. Analyze: Ghidra will prompt you to analyze the file. Click ‘Yes’.
  4. Select Analyzer Options: In the ‘Analyze Options’ dialog, ensure ‘ELF’ is selected, and choose relevant architecture-specific options (e.g., ‘ARM EABI’). For most modern Android apps, you’ll be dealing with ARM or AArch64. Make sure ‘Decompiler Parameter ID’ and ‘Stack’ options are enabled for better decompilation. Click ‘Analyze’.

Ghidra will now perform its initial analysis, which includes disassembling the code, identifying functions, and attempting to decompile them into pseudo-C code.

Step 3: Navigating the Ghidra Interface

Ghidra’s interface can be overwhelming at first, but mastering a few key windows is essential:

  • Program Trees/Symbol Tree: Located on the left, this panel lists all identified functions, labels, and symbols within the binary. This is your primary navigation tool.
  • Listing Window: The central window displaying the raw assembly code.
  • Decompiler Window: Usually on the right, this is where Ghidra attempts to translate the assembly into more readable C-like pseudo-code. This is incredibly valuable for understanding logic without deep assembly knowledge.
  • Function Graph Window: Provides a graphical representation of the control flow within a function.
  • Data Type Manager: Helps in defining custom structures and enums.

Step 4: Identifying JNI Functions

Java Native Interface (JNI) functions are the bridge between Java and native code. They follow specific naming conventions that make them easy to spot:

  • JNI_OnLoad: This function is called when the native library is loaded by the Java Virtual Machine. It’s often where native methods are registered, or anti-tampering checks are initialized.
  • Java_PackageName_ClassName_MethodName: These are the dynamically linked native methods. For example, a Java method native String myNativeMethod(String arg); in com.example.MyApp might have a corresponding native function named Java_com_example_MyApp_myNativeMethod.

To find these in Ghidra:

  1. Go to the ‘Symbol Tree’ window.
  2. Expand ‘Functions’.
  3. Search for JNI_OnLoad or Java_ using the filter box.

Let’s say you find a function like Java_com_example_app_NativeLib_stringFromJNI. Double-clicking it in the Symbol Tree will open it in the Listing and Decompiler windows.

Step 5: Analyzing Native Code Logic

The Decompiler Window is your best friend. Ghidra’s decompiler converts assembly into pseudo-C, making complex logic much easier to grasp. When analyzing a JNI function:

  1. Understand Parameters: JNI functions typically receive JNIEnv* env (a pointer to the JNI environment interface) and jobject thiz (a reference to the Java object the method was called on). Subsequent parameters correspond to the Java method’s arguments.
  2. Follow Data Flow: Identify where input parameters are used, what operations are performed on them, and what the return value is.
  3. Identify Key JNI Functions: Native code interacts with the JVM using functions provided by the JNIEnv pointer. Look for calls like (*env)->NewStringUTF(), (*env)->GetStringUTFChars(), (*env)->FindClass(), (*env)->GetMethodID(), etc. These calls indicate interaction with Java objects or the JVM itself.
  4. Look for Interesting Patterns:
    • String Manipulation: Functions like strcpy, strcmp, strlen.
    • Cryptographic Operations: Calls to common crypto libraries (OpenSSL, TinyAES) or custom implementations.
    • System Calls: Interaction with the underlying operating system.
    • Memory Allocation: malloc, free.
    • Anti-tampering/Anti-debugging: Checks for debugger presence, integrity checks of the application package, or timing attacks.

Example Decompiled Output Snippet:

Consider a simple native function that concatenates two strings:

// Original C/C++ pseudo-code
JNIEXPORT jstring JNICALL Java_com_example_app_MyNative_concatStrings(
    JNIEnv *env, jobject thiz, jstring str1, jstring str2) {
    const char *c_str1 = (*env)->GetStringUTFChars(env, str1, 0);
    const char *c_str2 = (*env)->GetStringUTFChars(env, str2, 0);
    char result_buffer[256];
    strcpy(result_buffer, c_str1);
    strcat(result_buffer, c_str2);
    (*env)->ReleaseStringUTFChars(env, str1, c_str1);
    (*env)->ReleaseStringUTFChars(env, str2, c_str2);
    return (*env)->NewStringUTF(env, result_buffer);
}

In Ghidra’s Decompiler, this might look something like this (variables renamed for clarity):

undefined8 Java_com_example_app_MyNative_concatStrings(
  _JNIEnv *param_1, undefined8 param_2, jstring str1, jstring str2)
{
  long lVar1;
  char *c_str1;
  char *c_str2;
  char local_118 [256]; // [sp+18h] 

  c_str1 = (**(code **)(param_1 + 0x1a8))(param_1, str1, 0);
  c_str2 = (**(code **)(param_1 + 0x1a8))(param_1, str2, 0);
  
  // Using strcpy and strcat - typical string manipulation
  strcpy(local_118, c_str1);
  strcat(local_118, c_str2);
  
  // Release string resources
  (**(code **)(param_1 + 0x1d0))(param_1, str1, c_str1);
  (**(code **)(param_1 + 0x1d0))(param_1, str2, c_str2);
  
  // Return new JNI string
  lVar1 = (**(code **)(param_1 + 0x1c8))(param_1, local_118);
  return lVar1;
}

You can see the calls to GetStringUTFChars (via an offset from param_1, representing JNIEnv*), strcpy, strcat, ReleaseStringUTFChars, and NewStringUTF. Ghidra helps bridge the gap between raw assembly and this readable pseudo-code.

Step 6: Enhancing Readability and Understanding

Ghidra offers several features to improve your analysis:

  • Renaming: Right-click on variables, functions, or labels and select ‘Rename’. Giving meaningful names (e.g., param_1 to jniEnv, local_118 to resultBuffer) significantly improves readability.
  • Creating Structs/Enums: If you identify recurring data structures, define them in the ‘Data Type Manager’. This can drastically clean up decompiler output, especially when dealing with complex objects or network protocols.
  • Cross-references: Right-click on a function or variable and select ‘References’ > ‘Show References to…’. This helps understand where a particular piece of code or data is used.
  • Comments: Add comments (; in assembly, // in decompiler) to document your findings and hypotheses.

Challenges and Advanced Tips

  • Obfuscation: Many commercial applications use obfuscation techniques (e.g., control flow flattening, string encryption, anti-debugging tricks) to hinder reverse engineering. Ghidra has some features to help, but often requires manual effort.
  • Anti-Tampering: Libraries often include checks to detect if the APK has been modified or if it’s running in an emulated/rooted environment. Look for calls to system properties, file integrity checks, or debugger checks.
  • Dynamic Analysis: For more complex scenarios, combine Ghidra’s static analysis with dynamic analysis tools like Frida. Frida allows you to hook into native functions at runtime, inspect arguments, modify return values, and trace execution paths, providing valuable insights that static analysis alone might miss.

Conclusion

Reverse engineering Android NDK .so files with Ghidra is a powerful skill for anyone involved in Android security, malware analysis, or technical research. While it requires patience and a foundational understanding of assembly and C/C++, Ghidra’s robust features, especially its decompiler, make the process significantly more accessible. By systematically extracting, loading, navigating, and analyzing native libraries, you can uncover hidden logic, identify vulnerabilities, and gain a deeper understanding of how Android applications truly operate at a low level.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android NDK #Ghidra #JNI #Native Libraries #Reverse Engineering

Related Technical Guides

Reverse Engineering Lab: Dissecting a Real-World Obfuscated Android NDK Library

May 29, 2026

Beyond the Mapping File: Advanced Techniques for R8 Deobfuscation Without Source

May 30, 2026

Reverse Engineering Lab: From APK to Patch – A Full Workflow for Android Customization

May 29, 2026