Fetch, download, and decompile mobile/exe assets from bug bounty programs
Project description
H1 Asset Fetcher
A terminal tool for bug bounty hunters that fetches, downloads, and decompiles mobile app assets from bug bounty programs.
It pulls in-scope Android, iOS, and Executable assets from HackerOne, Bugcrowd, Intigriti, YesWeHack, and Immunefi, bulk-downloads the APKs, and decompiles them for review — all from one guided, interactive prompt.
Install
pipx install h1-asset-fetcher # or: pip install h1-asset-fetcher
This gives you the h1-asset-fetcher command. The APK download and decompile steps also need apkeep and jadx, which the bundled installer fetches for you:
git clone https://github.com/0xbartita/h1-asset-fetcher.git
cd h1-asset-fetcher && ./install.sh
Usage
Just run it with no arguments — it walks you through the whole pipeline, one question at a time, inline in your terminal:
h1-asset-fetcher
It guides you through, in order:
- Platform — HackerOne, Bugcrowd, Intigriti, YesWeHack, or Immunefi
- Credentials — token (and username where needed); reused on later runs
- Scope & filters —
android/ios/exe/all, program filter, bounty-only, out-of-scope - Fetch — pulls in-scope assets to
output/<scope>/ - Download — pick which assets to grab; APKs fetched via apkeep (apk-pure → huawei → f-droid)
- Decompile — optionally run jadx on the downloaded APKs
Press Enter to accept each default, or Esc / Ctrl-C to quit.
h1-asset-fetcher
? Platform (↑↓)
❯ HackerOne
Bugcrowd
Intigriti
YesWeHack
Immunefi
? HackerOne username › 0xbartita
? HackerOne token › ••••••••••
? Scope android
? Filter Private BBP → bbp,private
? Bounty-only assets? (Y/n)
? Include out-of-scope? (Y/n)
✔ 87 assets from 42 programs
✔ Saved output to output/android/
? Download APKs now? Yes
? Select assets to download (space toggles, ↵ confirms)
❯ ◉ com.acme.app APK Acme Corp
◯ com.globex.app APK Globex
The wizard remembers your credentials and last platform/scope/filter, so the next run just asks "Use saved credentials? (Y/n)" — press Enter to reuse. To wipe saved settings: h1-asset-fetcher --forget.
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file h1_asset_fetcher-1.2.0.tar.gz.
File metadata
- Download URL: h1_asset_fetcher-1.2.0.tar.gz
- Upload date:
- Size: 66.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a0b46fbc8c994cc8870881fcaf6565f705c4df9cec1d85e46e22445b9412d596
|
|
| MD5 |
e3a05f41c56c51127a89c0aed6f812eb
|
|
| BLAKE2b-256 |
7880adbf136bc1fb498bc73c442595489f482d91e9237b337d5b09cb0fcbaf71
|
Provenance
The following attestation bundles were made for h1_asset_fetcher-1.2.0.tar.gz:
Publisher:
publish.yml on 0xbartita/h1-asset-fetcher
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
h1_asset_fetcher-1.2.0.tar.gz -
Subject digest:
a0b46fbc8c994cc8870881fcaf6565f705c4df9cec1d85e46e22445b9412d596 - Sigstore transparency entry: 1936780465
- Sigstore integration time:
-
Permalink:
0xbartita/h1-asset-fetcher@800ba67b16ba750e61a9355bc1a7f4726acacaa4 -
Branch / Tag:
refs/tags/v1.2.0 - Owner: https://github.com/0xbartita
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@800ba67b16ba750e61a9355bc1a7f4726acacaa4 -
Trigger Event:
push
-
Statement type:
File details
Details for the file h1_asset_fetcher-1.2.0-py3-none-any.whl.
File metadata
- Download URL: h1_asset_fetcher-1.2.0-py3-none-any.whl
- Upload date:
- Size: 66.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
58c4ef032d9d8b9948ff966ada81e45d98db708a60f7a0fab894e54cc4b8d3e9
|
|
| MD5 |
20c919cd72e0acf987c0ce4684e560c0
|
|
| BLAKE2b-256 |
561b452e3271ab52dff067b98ae2378f2f0769ed2dcefa65c2e00ced3e3aae5b
|
Provenance
The following attestation bundles were made for h1_asset_fetcher-1.2.0-py3-none-any.whl:
Publisher:
publish.yml on 0xbartita/h1-asset-fetcher
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
h1_asset_fetcher-1.2.0-py3-none-any.whl -
Subject digest:
58c4ef032d9d8b9948ff966ada81e45d98db708a60f7a0fab894e54cc4b8d3e9 - Sigstore transparency entry: 1936780866
- Sigstore integration time:
-
Permalink:
0xbartita/h1-asset-fetcher@800ba67b16ba750e61a9355bc1a7f4726acacaa4 -
Branch / Tag:
refs/tags/v1.2.0 - Owner: https://github.com/0xbartita
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@800ba67b16ba750e61a9355bc1a7f4726acacaa4 -
Trigger Event:
push
-
Statement type: