Scanning APK file for URIs, endpoints & secrets.
Project description
APKLeaks
Scanning APK file for URIs, endpoints & secrets.
Installation
It's fairly simple to install APKLeaks:
from PyPi
$ pip3 install apkleaks
from Source
Clone repository and install requirements:
$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip3 install -r requirements.txt
from Docker
Pull the Docker image by running:
$ docker pull dwisiswant0/apkleaks:latest
Dependencies
APKLeaks using jadx disassembler to decompile APK file. If it doesn't exist in your environment, it'll ask you to download or nah.
Usage
Simply,
$ apkleaks -f ~/path/to/file.apk
# from Source
$ python3 apkleaks.py -f ~/path/to/file.apk
# or with Docker
$ docker run -it --rm -v /tmp:/tmp apkleaks:latest -f /tmp/diva.apk
Options
$ apkleaks -h
usage: apkleaks [-h] -f FILE [-o OUTPUT] [-p PATTERN] [--json]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE APK file to scanning
-o OUTPUT, --output OUTPUT
Write to file results (random if not set)
-p PATTERN, --pattern PATTERN
Path to custom patterns JSON
--json Save as JSON format
In general, if you don't provide -o
argument, then it will generate results file automatically.
Custom patterns can be added with the following flag --pattern /path/to/rules.json
to provide sensitive search rules in the JSON file format. If not set, it'll use default patterns from regexes.json file.
Example patterns file:
// rules.json
{
"Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
...
}
$ apkleaks -f /path/to/file.apk -p rules.json -o ~/Documents/apkleaks-results.txt
Legal
apkleaks
is distributed under Apache 2.
Acknowledments
Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their helps and resources:
- @ndelphit - for his inspiring
apkurlgrep
, that's why this tool was made. - @dxa4481 and y'all who contribute to
truffleHogRegexes
. - @GerbenJavado & @Bankde - for awesome pattern to discover URLs, endpoints & their parameters from
LinkFinder
. - @tomnomnom - a
gf
patterns. - @pxb1988 - for awesome APK dissambler
dex2jar
. - @subho007 for standalone APK parser.
SHA2048#4361
(Discord user) that help me porting code to Python3.- @Ry0taK because he had reported an OS command injection bug.
- All contributors.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.