Scanning APK file for URIs, endpoints & secrets.
Installation
It’s fairly simple to install APKLeaks:
- from PyPI
pip3 install apkleaks
- from Source
Clone repository and install requirements:
$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip3 install -r requirements.txt
- from Docker
Pull the Docker image by running:
$ docker pull dwisiswant0/apkleaks:latest
Dependencies
APKLeaks uses the jadx disassembler to decompile the APK file. If jadx is not present in your environment, APKLeaks will offer to download it.
Usage
Simply,
$ apkleaks -f ~/path/to/file.apk
# from Source
$ python3 apkleaks.py -f ~/path/to/file.apk
# or with Docker
$ docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk
Options
Here are all the options it supports.
| Argument | Description | Example |
|---|---|---|
| -f, --file | APK file to scan | apkleaks -f file.apk |
| -o, --output | Write results to a file (random name if not set) | apkleaks -f file.apk -o results.txt |
| -p, --pattern | Path to a custom patterns JSON file | apkleaks -f file.apk -p custom-rules.json |
| -a, --args | Arguments passed through to the disassembler | apkleaks -f file.apk --args="--deobf --log-level DEBUG" |
| --json | Save results in JSON format | apkleaks -f file.apk -o results.json --json |
Output
If you do not pass the -o argument, APKLeaks generates a results file name automatically.
NOTE: By default results are saved as plain text; add the --json argument if you want JSON output.
Pattern
Custom patterns can be supplied as a JSON file of sensitive search rules with the --pattern argument: --pattern /path/to/custom-rules.json. If not set, the default patterns from the regexes.json file are used.
Example patterns file:
// custom-rules.json
{
"Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
...
}
$ apkleaks -f /path/to/file.apk -p custom-rules.json -o ~/Documents/apkleaks-results.txt
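As an added illustration of how a rules file of this shape is applied (example code written for this page, not APKLeaks' own scanner): the rules are compiled up front so a malformed regex is rejected before any scanning starts, then every file in a decompiled source tree is matched against every rule and the matches are de-duplicated per rule. It assumes a rule's value may be either a single regex string or a list of regex strings, mirroring the shape of the project's default regexes.json; the rule names other than the AWS one shown above, their regexes, and the sample source files are constructed for the demo.

```python
"""Minimal re-implementation of an APKLeaks-style pattern scan.

Added example, not APKLeaks' own code. Assumes the patterns file maps a
rule name to either one regex string or a list of regex strings (the
shape of the project's default regexes.json is assumed here).
"""
import json
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample rules, same shape as the custom-rules.json above.
SAMPLE_RULES = {
    "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
    "Firebase URL": r"https?://[a-z0-9-]+\.firebaseio\.com",
    "Generic API endpoint": [r"/api/v[0-9]+/[A-Za-z0-9_/-]+", r"/graphql"],
}

# Constructed stand-in for a decompiled source tree (all values are fake;
# the AWS key is the documentation example key, not a live credential).
SAMPLE_SOURCES = {
    "com/example/app/Config.java": (
        'public class Config {\n'
        '    static final String KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    static final String BASE = "https://example-app.firebaseio.com";\n'
        '}\n'
    ),
    "com/example/app/Api.java": (
        'String path = "/api/v2/users/me";\n'
        'String again = "/api/v2/users/me";\n'  # duplicate: reported once
    ),
    "res/values/strings.xml": '<string name="gql">/graphql</string>\n',
}


def compile_rules(rules):
    """Compile every rule first so one bad regex fails before scanning."""
    compiled = {}
    for name, patterns in rules.items():
        if isinstance(patterns, str):
            patterns = [patterns]
        try:
            compiled[name] = [re.compile(p) for p in patterns]
        except re.error as exc:
            raise ValueError(f"rule {name!r}: invalid regex: {exc}") from exc
    return compiled


def scan_tree(root, compiled):
    """Walk a decompiled tree; return {rule name: sorted unique matches}."""
    findings = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            # Decompiled output is mostly text; ignore undecodable bytes.
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for name, regexes in compiled.items():
                for rx in regexes:
                    for m in rx.finditer(text):
                        findings[name].add(m.group(0))
    return {name: sorted(vals) for name, vals in findings.items()}


def run_demo():
    """Write the constructed tree to a temp dir, scan it, return findings."""
    compiled = compile_rules(SAMPLE_RULES)
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_SOURCES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, compiled)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Point the walk at the directory jadx produced and swap SAMPLE_RULES for the parsed contents of your own rules file to reproduce the same behaviour on a real APK. Compiling the rules before the walk is the check worth keeping: a rules file with a single unbalanced parenthesis otherwise fails only after the expensive decompile step has already run.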
Arguments (disassembler)
The disassembler arguments are left entirely to the user. For example, to enable multi-threaded jadx decompilation, pass the thread count through the -a/--args argument: --args="--threads-count 5".
$ apkleaks -f /path/to/file.apk -a "--deobf --log-level DEBUG"
NOTE: Check the default disassembler arguments APKLeaks already passes to jadx before adding your own, so the two sets do not collide.