DeStringCare for extracting Android apk secrets

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for dgdev from gravatar.com dgdev

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Dainis Gorbunovs

Tags StringCare, destringcare, decrypt, apk, secrets

Classifiers

Project description

DeStringCare

What is it?

It is a tool for extracting StringCare obfuscated secrets in Android apk files. Some of these StringCare protected secrets may contain API addresses and API keys.

Warning: It is not recommended to store important API keys on the client-side, especially the keys to third party services. A better approach is to have your own API service, and create unique API keys for each app user. This allows to revoke API keys and banning user if necessary.

Installation

pip install DeStringCare

How to use it?

  1. First download a Android apk.

    • Use a website like https://apkpure.com/ (beware that the app may be tampered with, and so not recommended).
    • Use adb tool which pulls the apk from your Android device or emulator.
      1. Download the app via Google Play store to your Android device or emulator.
      2. List packages and find the app you want. 
        adb shell pm list packages
      3. Print path to the apk file. 
        adb shell pm path
      4. Pull the apk file. 
        adb pull /full/path/to/the.apk

  2. Decode the apk using apktool into apk directory.

    apktool d Appname_v1.0.2494.apk -o apk

  3. Find StringCare protected xml files. One place where it can be is in apk/res/values/strings.xml.

    It may contain a line like the following:

    <string name="mixpanel_api_key">367E864309B5E7E3E6642483AF380497...</string>

  4. Extract the StringCare secrets.

    destringcare Appname_v1.0.2494.apk apk/res/values/strings.xml

    You will get an output as JSON file:

    {
    "mixpanel_api_key": "7b23daa71cdbb9e6d07f29a36de960f3"
}

How to resign StringCare secrets?

destringcare --resign Appname_v1.0.2494.apk apk/res/values/strings.xml

It loads the first key from the keystore file ~/.android/debug.keystore.

Then it reencrypts the apk secrets in the xml file and saves it into resigned-strings.xml.

Resigning the StringCare secrets with your own key allows you to repackage the application and use it in your Android device. You would need to replace the original strings.xml with resigned-strings.xml file.

How to contribute?

If you have questions or enhancement ideas, open an issue.

If you have made improvements to the code, create a merge request.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for dgdev from gravatar.com dgdev

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: Dainis Gorbunovs

Tags StringCare, destringcare, decrypt, apk, secrets

Classifiers

Release history Release notifications | RSS feed

0.0.5

0.0.4

0.0.3

0.0.2

This version

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

DeStringCare-0.0.1.tar.gz (4.5 kB view hashes)

Uploaded Source

Built Distribution

DeStringCare-0.0.1-py3-none-any.whl (5.2 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page