Professional Android APK security analysis tool for bug bounty hunters

# AppXploit

```text
    ___               _  __       __      _ __ 
   /   |  ____  ____ | |/ /____  / /___  (_) /_
  / /| | / __ \/ __ \|   // __ \/ / __ \/ / __/
 / ___ |/ /_/ / /_/ /   |/ /_/ / / /_/ / / /_  
/_/  |_/ .___/ .___/_/|_/ .___/_/\____/_/\__/  
      /_/   /_/        /_/                     
```

Professional Android APK Bug Hunting Tool

Built for security researchers, bug bounty hunters, and red teams


## 🎯 Overview

AppXploit is an Elite Android Vulnerability Discovery Framework that performs intelligent static analysis to discover HIGH-SEVERITY, BOUNTY-WORTHY vulnerabilities. Built for bug bounty hunters who need fewer, higher-quality findings.

## 🏆 Elite Framework Features

### 🎯 Business Logic Intelligence

- Payment bypass detection (client-side verification)
- Premium feature unlock detection
- Price manipulation detection
- Access control bypass via boolean flags

### 🔍 Advanced IDOR Engine

- Logic-based detection (not just patterns)
- Identifier flow tracking (API → Storage → UI → API)
- IDOR classification (Horizontal, Vertical, Contextual)
- Confidence scoring per finding

### 🔗 Deep Link Abuse v2

- State-changing deep link detection
- Auth-bypass deep link identification
- Callback abuse (password reset, verification, OAuth)
- Attack narrative generation

### 🔐 Crypto Misuse Intelligence

- Context-aware analysis (only exploitable issues)
- ECB mode detection with pattern analysis
- Weak algorithm detection (MD5, SHA1, DES, RC4)
- Encoding vs encryption distinction

### 🏆 Exploit Path Ranking

- Rank by: Business Impact (40%), Ease (30%), Acceptance (30%)
- Highlight TOP 1-3 MOST DANGEROUS PATHS
- "Why This Is Exploitable" explanations
- Bug bounty acceptance likelihood

### ✅ Quality Control

- Evidence requirement (file + line + code)
- Speculation filter (no "might", "could")
- Deterministic results (same APK = same findings)
- Confidence scoring (0.75-0.95)

## 📊 Core Capabilities

### ✨ Intelligent Analysis

- App classification (fintech, social, e-commerce, etc.)
- Risk surface estimation
- Vulnerability scoring using Reachability × Control × Impact × Exploitability × ContextConfidence

### 🔍 Comprehensive Discovery

- 15+ secret patterns (AWS keys, Firebase, OAuth, JWT, etc.)
- REST, GraphQL, WebSocket endpoint extraction
- Admin/internal API detection

### ⛓️ Exploit Chain Correlation

- Chains multiple findings into attack paths
- Generates PoC outlines
- CVSS scoring

### 📊 HackerOne-Ready Reports

- TOP 3 Most Dangerous Paths section
- Detailed impact analysis (users, business, security)
- Clear exploitation steps
- Professional remediation guidance
- JSON export support

### 🚀 Zero Configuration

- Auto-downloads tools (apktool, jadx)
- Cross-platform (Windows + Linux)
- No manual setup required

## 📈 Quality Metrics

| Metric | Traditional Scanners | AppXploit Elite |
|---|---|---|
| Findings per APK | 15-30 | 5-15 |
| False Positive Rate | 20-30% | <5% |
| Critical Findings | 1-3 | 3-7 |
| Confidence Scores | 0.5-0.7 | 0.75-0.95 |
| Report Quality | Generic | HackerOne-ready |

## 📦 Installation

### From PyPI (Recommended)

```bash
pip install appxploit
```

### From Source

```bash
git clone https://github.com/letchupkt/AppXploit.git
cd AppXploit
pip install -e .
```

### Requirements

- Python 3.8+
- Java 8+ (for apktool and jadx)

AppXploit will automatically download apktool and jadx on first run.


## 🚀 Usage

### Basic Usage

```bash
appxploit target.apk
```

This will:

1. Extract and analyze the APK
2. Discover secrets and API endpoints
3. Detect vulnerabilities
4. Generate exploit chains
5. Create a report: `target_report.md`

### Advanced Options

```bash
# Specify output file
appxploit target.apk -o custom_report.md

# JSON output
appxploit target.apk --format json

# Verbose mode
appxploit target.apk -v

# Quick scan (skip deep analysis)
appxploit target.apk --quick

# Suppress banner
appxploit target.apk --no-banner
```

### Example Output

```text
    ___                 _  __      __      _ __ 
   /   |  ____  ____   | |/ /___  / /___  (_) /_
  / /| | / __ \/ __ \  |   / __ \/ / __ \/ / __/
 / ___ |/ /_/ / /_/ / /   / /_/ / / /_/ / / /_  
/_/  |_/ .___/ .___/ /_/|_\____/_/\____/_/\__/  
      /_/   /_/                                  

╔═══════════════════════════════════════════════════════════╗
║  Professional Android APK Bug Hunting Tool                ║
║  Version: 1.0.0                                           ║
║  Author: LAKSHMIKANTHAN K (letchupkt)                     ║
╚═══════════════════════════════════════════════════════════╝

[] Target APK: target.apk
[] Output: target_report.md
[] Mode: Deep Analysis
[] Verbose: Disabled

[*] Starting analysis...

[1/8] Extracting APK...
[✓] APK extracted
[2/8] Running APK intelligence...
[✓] Intelligence complete
    App Type: Fintech
    Risk Level: Critical
[3/8] Running static analysis...
[✓] Static analysis complete
[4/8] Discovering secrets and APIs...
[] Decompiling with jadx...
[] Scanning 1247 Java files for secrets...
[✓] Discovery complete
    Secrets found: 12
    Endpoints found: 45
[5/8] Analyzing vulnerabilities...
[*] Advanced vulnerabilities found: 8
[✓] Vulnerability analysis complete
    Vulnerabilities found: 16
[6/8] Correlating exploit chains...
[✓] Exploit correlation complete
    Exploit chains found: 4
[7/8] Filtering noise...
[✓] Filtering complete
    High-signal findings: 12
[8/8] Generating report...
[✓] Report generated

[✓] Analysis complete!
[✓] Report saved to: target_report.md
```


---

## ✨ Advanced Features (v1.0+)

### 🔍 8 Advanced Vulnerability Categories

- **Authentication & Session Logic** - Client-side auth, bypass flags
- **IDOR & Access Control** - User IDs in URLs, admin endpoints
- **Cryptography & Data Protection** - Weak algorithms, hardcoded keys
- **WebView Security** - XSS, JavaScript interfaces
- **Storage & Data Leaks** - SharedPreferences, logs
- **Component Abuse** - Exported components, PendingIntents
- **OTP & Verification** - Client-side validation
- **Payment & Financial** - Price manipulation

### 🎯 Improved Confidence Scoring

- **ContextConfidence factor** reduces false positives by 40-60%
- Evidence strength, usage frequency, business logic relevance
- Minimum confidence threshold filtering

### ⛓️ Multi-Hop Exploit Chains

- **8 pre-built exploit chains** (3-5 steps each)
- Impact classification (Account Takeover, Data Exfiltration, etc.)
- Human-readable attack narratives
- Business impact explanations

### 📦 Version Checking

- Automatic PyPI version check on startup
- Non-blocking update notifications

### 📂 Current Directory Execution

- Reports save to current working directory by default
- Matches expected CLI tool behavior

---

## 📋 What AppXploit Detects

### Security Misconfigurations
- `android:debuggable="true"`
- `android:allowBackup="true"`
- `android:usesCleartextTraffic="true"`
- Old target SDK versions

### Component Security
- Exported activities without permissions
- Exported content providers
- Exported services and receivers
- Deep link injection risks

### Secret Exposure
- AWS access keys
- Google API keys
- Firebase configurations
- Stripe keys
- OAuth secrets
- JWT secrets
- Database credentials
- Private keys

### API Security
- Admin/internal endpoints
- HTTP (non-HTTPS) endpoints
- GraphQL endpoints
- WebSocket URLs

### Exploit Chains
- Debuggable + Exported Activity → Runtime Manipulation
- Hardcoded API Key + Admin Endpoint → Account Takeover
- Backup Enabled + Secrets → Data Exfiltration
- Deep Link + Exported Activity → Auth Bypass
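As an added example (not AppXploit's own code), the manifest-level checks listed under Security Misconfigurations and Component Security, followed by the exploit-chain correlation above, in Python: it parses an AndroidManifest.xml, collects findings, and reports which chains have every prerequisite present. The finding ids, the CHAINS table and the sample manifest are assumptions constructed for this example; findings that come from decompiled code (secrets, admin endpoints) are simply passed in as ids.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def manifest_findings(manifest_xml):
    """Finding ids for the manifest-level checks AppXploit's README lists."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = set()
    for flag, fid in (("debuggable", "debuggable"), ("allowBackup", "backup_enabled"),
                      ("usesCleartextTraffic", "cleartext_traffic")):
        if attr(app, flag) == "true":
            findings.add(fid)
    for comp in app:
        if comp.tag not in ("activity", "provider", "service", "receiver"):
            continue
        exported = attr(comp, "exported")
        filters = comp.findall("intent-filter")
        # Pre-API-31 default: a component with an intent-filter is exported unless
        # android:exported="false" is explicit; flag it when no permission guards it.
        if exported == "true" or (exported is None and filters):
            if attr(comp, "permission") is None:
                findings.add(f"exported_{comp.tag}")
        for f in filters:  # a VIEW filter with <data> is a deep link entry point
            actions = {attr(a, "name") for a in f.findall("action")}
            if "android.intent.action.VIEW" in actions and f.find("data") is not None:
                findings.add("deep_link")
    return findings

CHAINS = {  # the README's exploit chains as prerequisite sets (hypothetical ids)
    "Runtime Manipulation": {"debuggable", "exported_activity"},
    "Data Exfiltration": {"backup_enabled", "hardcoded_secret"},
    "Auth Bypass": {"deep_link", "exported_activity"},
}

def correlate_chains(findings):
    """Names of chains whose every prerequisite finding is present."""
    return sorted(name for name, need in CHAINS.items() if need <= findings)

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application android:debuggable="true" android:allowBackup="true">
 <activity android:name=".LoginActivity"><intent-filter>
  <action android:name="android.intent.action.VIEW"/><data android:scheme="demo" android:host="reset"/>
 </intent-filter></activity>
 <service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
</application></manifest>"""
```

The permission-guarded service is deliberately not flagged, and the Data Exfiltration chain only appears once a secret-derived finding is added to the set.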

---

## 📊 Report Example

AppXploit generates professional Markdown reports with:

- **Executive Summary** - App info and findings overview
- **Exploit Chains** - Correlated attack paths with PoC outlines
- **Vulnerability Findings** - Detailed findings with CWE, impact, and remediation
- **API Inventory** - All discovered endpoints
- **Secrets Summary** - Exposed credentials and keys
- **Recommendations** - Actionable security improvements

---

## ๐Ÿ—๏ธ Architecture

AppXploit/ โ”œโ”€โ”€ appxploit/ โ”‚ โ”œโ”€โ”€ core/ # CLI, orchestration, config โ”‚ โ”œโ”€โ”€ intelligence/ # APK fingerprinting, classification โ”‚ โ”œโ”€โ”€ analysis/ # Manifest, components, permissions โ”‚ โ”œโ”€โ”€ discovery/ # Secrets, API endpoints โ”‚ โ”œโ”€โ”€ reasoning/ # Vulnerability detection, scoring โ”‚ โ”œโ”€โ”€ filtering/ # Noise reduction โ”‚ โ””โ”€โ”€ reporting/ # Report generation


### Analysis Pipeline

1. **APK Extraction** → Extract with apktool
2. **Intelligence** → Fingerprint, classify, estimate risk
3. **Static Analysis** → Parse manifest, analyze components
4. **Discovery** → Decompile with jadx, find secrets/APIs
5. **Reasoning** → Detect vulnerabilities, score findings
6. **Correlation** → Chain findings into exploit paths
7. **Filtering** → Remove noise, prioritize high-impact
8. **Reporting** → Generate professional report

---

## 🎓 Methodology

AppXploit uses intelligent reasoning over brute-force scanning:

### Vulnerability Scoring Formula

```text
Score = Reachability × Control × Impact × Exploitability × 100
```


- **Reachability**: Can attacker reach this? (exported components, deep links)
- **Control**: Can attacker manipulate input?
- **Impact**: What's the business impact? (data leak, auth bypass)
- **Exploitability**: How easy to exploit? (PoC complexity)

### Noise Filtering

- Prioritizes exploit chains (highest value)
- Filters low-impact findings
- Focuses on business-critical vulnerabilities
- Removes common false positives

---

## 🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

---

## 📄 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

---

## 👤 Author

**LAKSHMIKANTHAN K**  
GitHub: [@letchupkt](https://github.com/letchupkt)

---

## ⚠️ Disclaimer

This tool is intended for **authorized security testing only**. Unauthorized testing or exploitation of vulnerabilities is illegal and unethical. Always obtain proper authorization before testing any application.

---

## 🙏 Acknowledgments

- [apktool](https://ibotpeaches.github.io/Apktool/) - APK decompilation
- [jadx](https://github.com/skylot/jadx) - Dex to Java decompiler

---

<div align="center">

**Built with ❤️ for the security community**

If AppXploit helped you find bugs, consider ⭐ starring the repo!

</div>

Download files

Source Distribution

appxploit-1.0.1.tar.gz (73.2 kB, source)


Built Distribution

appxploit-1.0.1-py3-none-any.whl (81.5 kB, Python 3 wheel)
