DeStringCare for extracting Android apk secrets
DeStringCare
What is it?
It is a tool for extracting StringCare obfuscated secrets in Android apk files. Some of these StringCare protected secrets may contain API addresses and API keys.
Warning: It is not recommended to store important API keys on the client-side, especially the keys to third party services. A better approach is to have your own API service, and create unique API keys for each app user. This allows you to revoke API keys and ban users if necessary.
Installation
pip install DeStringCare
How to use it?
- First download an Android apk.
  - Use a website like https://apkpure.com/ (beware that the app may be tampered with, and so not recommended).
  - Use the adb tool, which pulls the apk from your Android device or emulator.
    - Download the app via Google Play store to your Android device or emulator.
    - List packages and find the app you want.
      adb shell pm list packages
    - Print path to the apk file.
      adb shell pm path <package.name>
    - Pull the apk file.
      adb pull /full/path/to/the.apk
- Decode the apk using apktool into the apk directory.
  apktool d Appname_v1.0.2494.apk -o apk
- Find StringCare protected xml files. One place where they can be is apk/res/values/strings.xml. It may contain a line like the following:
  <string name="mixpanel_api_key">367E864309B5E7E3E6642483AF380497...</string>
- Extract the StringCare secrets.
  destringcare Appname_v1.0.2494.apk apk/res/values/strings.xml
  You will get the output as JSON:
  { "mixpanel_api_key": "7b23daa71cdbb9e6d07f29a36de960f3" }
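An added example (not part of DeStringCare) for auditing your own build: it scans an apktool-decoded strings.xml for values shaped like the obfuscated line shown in the step above, so you can list which resources need review as client-side secrets. The hex-only, at-least-32-digits heuristic, the function names and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: an obfuscated value is pure hex, even length, at least 32 digits,
# matching the shape of the sample line shown on this page.
HEX_VALUE = re.compile(r"(?:[0-9A-Fa-f]{2}){16,}")

# Constructed sample of an apktool-decoded res/values/strings.xml.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Appname</string>
    <string name="example_api_key">A1B2C3D4E5F60718293A4B5C6D7E8F900F1E2D3C4B5A69788796A5B4C3D2E1F0</string>
    <string name="build_id">deadbeef</string>
    <string name="welcome">Hello <b>there</b></string>
    <string name="backend_url">  0F1E2D3C4B5A69788796A5B4C3D2E1F0  </string>
</resources>
"""


def find_obfuscated_candidates(xml_data):
    """Return {resource name: decoded byte length} for hex-looking <string> values."""
    root = ET.fromstring(xml_data)
    candidates = {}
    for elem in root.iter("string"):
        # itertext() also collects text inside inline markup such as <b>.
        value = "".join(elem.itertext()).strip()
        if HEX_VALUE.fullmatch(value):
            candidates[elem.get("name", "?")] = len(value) // 2
    return candidates


def audit_file(path):
    """Run the same check on a strings.xml file on disk."""
    with open(path, "rb") as fh:
        return find_obfuscated_candidates(fh.read())


if __name__ == "__main__":
    for name, size in find_obfuscated_candidates(SAMPLE_STRINGS_XML).items():
        print(f"{name}: {size} bytes of hex data, review as a client-side secret")
```

Every name it reports is a value the app ships to each device, so treat it as recoverable and plan key handling accordingly.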
How to re-sign StringCare secrets?
destringcare --resign Appname_v1.0.2494.apk apk/res/values/strings.xml
It loads the first key from the keystore file ~/.android/debug.keystore.
Then it re-encrypts the apk secrets in the xml file and saves them into resigned-strings.xml.
Re-signing the StringCare secrets with your own key allows you to repackage the application and use it on your Android device.
You would need to replace the original strings.xml with the resigned-strings.xml file.
How to contribute?
If you have questions or enhancement ideas, open an issue.
If you have made improvements to the code, create a merge request.
Hashes for DeStringCare-0.0.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 6ec2938d80bcdfcbcf5f0d0e4c6b0424f3f337d8e8eb328cce1f8879c0c0dab2
MD5 | 0fdc489b6ae3901269ae594df4e13902
BLAKE2b-256 | d21bfb116870cbbdd3f9c0b785327a427bc36215c18b9aa7a1843bd993c295ba