Scanning APK file for URIs, endpoints & secrets.

Overview

APKLeaks

version contributions

Scanning APK file for URIs, endpoints & secrets.

APKLeaks


Installation

It's fairly simple to install APKLeaks:

from PyPi

$ pip3 install apkleaks

from Source

Clone repository and install requirements:

$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip3 install -r requirements.txt

from Docker

Pull the Docker image by running:

$ docker pull dwisiswant0/apkleaks:latest

Dependencies

APKLeaks using jadx disassembler to decompile APK file. If it doesn't exist in your environment, it'll ask you to download.

Usage

Simply,

$ apkleaks -f ~/path/to/file.apk
# from Source
$ python3 apkleaks.py -f ~/path/to/file.apk
# or with Docker
$ docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk

Options

Here are all the options it supports.

Argument Description Example
-f, --file APK file to scanning apkleaks -f file.apk
-o, --output Write to file results (random if not set) apkleaks -f file.apk -o results.txt
-p, --pattern Path to custom patterns JSON apkleaks -f file.apk -p custom-rules.json
-a, --args Disassembler arguments apkleaks -f file.apk --args="--deobf --log-level DEBUG"
--json Save as JSON format apkleaks -f file.apk -o results.json --json

Output

In general, if you don't provide -o argument, then it will generate results file automatically.

NOTE: By default it will also save the results in text format, use --json argument if you want JSON output format.

Pattern

Custom patterns can be added with the following argument to provide sensitive search rules in the JSON file format: --pattern /path/to/custom-rules.json. If not set, it'll use default patterns from regexes.json file.

Example patterns file:

// custom-rules.json
{
  "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
  ...
}
$ apkleaks -f /path/to/file.apk -p rules.json -o ~/Documents/apkleaks-results.txt

Arguments (disassembler)

We give user complete discretion to pass the disassembler arguments. For example, if you want to activate threads in jadx decompilation process, you can add it with -a/--args argument, example: --args="--threads-count 5".

$ apkleaks -f /path/to/file.apk -a "--deobf --log-level DEBUG"

NOTE: Please pay attention to the default disassembler arguments we use to prevent collisions.

License

apkleaks is distributed under Apache 2.

Acknowledments

Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their helps and resources:

Comments
  • PermissionError: [WinError 32] The process cannot access the file because it is being used by another process:

    PermissionError: [WinError 32] The process cannot access the file because it is being used by another process:

    After issue #37 was fixed, I cloned the repo and tried testing it again.

    Here's the command I entered: python .\apkleaks.py -f <path-to-apk>\app-armeabi-v7a-release.apk

    Here's the output:

         _    ____  _  ___               _
        / \  |  _ \| |/ / |    ___  __ _| | _____
       / _ \ | |_) | ' /| |   / _ \/ _` | |/ / __|
      / ___ \|  __/| . \| |__|  __/ (_| |   <\__ \
     /_/   \_\_|   |_|\_\_____\___|\__,_|_|\_\___/
     v2.3.0
     --
     Scanning APK file for URIs, endpoints & secrets
     (c) 2020-2021, dwisiswant0
    
    ** Decompiling APK...
    The filename, directory name, or volume label syntax is incorrect.
    
    ** Scanning against 'com.<package-name>'
    Traceback (most recent call last):
      File ".\apkleaks.py", line 5, in <module>
        main()
      File "C:\Users\username\Documents\apkleaks\apkleaks\cli.py", line 38, in main
        init.cleanup()
      File "C:\Users\username\Documents\apkleaks\apkleaks\apkleaks.py", line 144, in cleanup
        os.remove(self.output)
    PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: 'C:\\Users\\username\\AppData\\Local\\Temp\\apkleaks-fimv9xye.txt'
    
    bug 
    opened by masteradit 21
  • Empty results in Windows

    Empty results in Windows

    I just called python apkleaks.py -f app.apk -o app.txt and got:

    Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0 ←[0m ←[94m** Decompiling APK... ←[0mINFO - loading ... INFO - processing ... ERROR - finished with errors, count: 3

    The app.txt file is completly empty. What could be the problem?

    OS: Windows 10 Python: 3.8.0

    bug 
    opened by fuuman 8
  • ERROR:  No module named apk_parse.apk

    ERROR: No module named apk_parse.apk

    Hi, i'm having this error while trying to run the script:

    python2 apkleaks.py -h

    Traceback (most recent call last): File "apkleaks.py", line 2, in from apk_parse.apk import APK ImportError: No module named apk_parse.apk

    Where can i find this "apk_parse.apk" file ?

    Thanks

    question 
    opened by DIEGOD79 7
  • json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 62 column 1 (char 4619)

    json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 62 column 1 (char 4619)

    I ran apkleaks with this command: sudo python3 apkleaks.py -f ../myapp.apk but I got this error:

    ` ** Decompiling APK... ERROR - Incorrect arguments: File not found /usr/share/jadx/bin/../myapp.apk

    ** Scanning against 'com.flightio.app'

    ** Done with nothing. ¯_(ツ)_/¯ Traceback (most recent call last): File "/home/majidmc2/Desktop/apkleaks/apkleaks.py", line 5, in main() File "/home/majidmc2/Desktop/apkleaks/apkleaks/cli.py", line 36, in main init.scanning() File "/home/majidmc2/Desktop/apkleaks/apkleaks/apkleaks.py", line 124, in scanning regex = json.load(regexes) File "/usr/lib/python3.9/json/init.py", line 293, in load return loads(fp.read(), File "/usr/lib/python3.9/json/init.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib/python3.9/json/decoder.py", line 353, in raw_decode obj, end = self.scan_once(s, idx) json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 62 column 1 (char 4619) `

    bug 
    opened by majidmc2 5
  • Refactor code quality issues

    Refactor code quality issues

    Hey, I work at DeepSource, I ran DeepSource analysis on my fork of the repo and found some improvements in the codebase, opening this PR so you can assess if our platform is right and helpful for you; happy to provide the tweaks separately otherwise.

    Following are the changes-

    • Removed length check in favour of truthiness of the object
    • Removed unused imports
    • Removed unnecessary return statement
    • Use sys.exit() calls
    • Add .deepsource.toml file for continuous analysis on bug risks/performance/code-quality issues on new changes.

    Note: I've fixed a few issues for now. You can find and fix other issues here.

    opened by saif-deepsource 5
  • Issue with requirements.txt (numpy) installation

    Issue with requirements.txt (numpy) installation

    I've been trying to install APKLeaks but having some run time installation error while installing the requirement.text. It seems there's some error with numpy cause it's failing to build and clean wheel again and again.

    I even tried updating numpy to the latest version and re-installing too but there's no success. Please find the entire error here: https://ghostbin.co/paste/ojqknqs/raw

    opened by jacamat 4
  • Can't create directory/permission denied

    Can't create directory/permission denied

    When i use --outpot, i get this error: PermissionError: [Errno 13] Permission denied: 'C:\\Users\\sezer\\Desktop\\folder'

    When use just -f file.apk, i get this one:

    ERROR - Error saving class: com.things.thing
    jadx.core.utils.exceptions.JadxRuntimeException: 
    Can't create directory C:\Users\sezer\AppData\Local\Temp\apkleaks-woqqyysy\sources\com\exampleapk\module\ui\main\api\data\aux
    ______________________________________________________________________________________________
    PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: 'C:\\Users\\sezer\\AppData\\Local\\Temp\\apkleaks-3hmqctov.txt'
    

    I tried use on admin mode too but still same.

    opened by srzern 3
  • ApkLeaks does not decompile all DEX files

    ApkLeaks does not decompile all DEX files

    The code reveals that ApkLeaks only decompiles classes.dex, omitting any other DEX files: https://github.com/dwisiswant0/apkleaks/blob/master/apkleaks/apkleaks.py#L92

    Since jadx is able to decompile an entire APK file, I suggest to pass the following arguments to jadx:

    args = [self.jadx, self.file, "-d", self.tempdir, "--deobf"]
    
    opened by U039b 3
  • The filename, directory name, or volume label syntax is incorrect

    The filename, directory name, or volume label syntax is incorrect

    I used the following command,

    python apkleaks.py -f testapp.apk

    but it gives error :

    ←[0m ←[94m** Decompiling APK... ←[0mThe filename, directory name, or volume label syntax is incorrect.

    ** Scanning against 'instagram.photo.video.downloader.repost.insta'

    ** Done with nothing. ¯_(ツ)_/¯

    opened by adapana 3
  • Can't able to run apkleaks.py

    Can't able to run apkleaks.py

    Getting following Error first

    Traceback (most recent call last):
      File "apkleaks.py", line 2, in <module>
        from apkleaks.apkleaks import APKLeaks
      File "/mnt/f/InfoSec/Tools/apkleaks/apkleaks/apkleaks.py", line 2, in <module>
        from apkleaks.colors import clr
    ImportError: No module named colors
    
    opened by YashGoti 3
  • re.error: missing : at position 31

    re.error: missing : at position 31

    i am running my kali linux on wsl i am getting this type of error

    └─# apkleaks -f ../com.example.client.apk _ ____ _ ___ _ / \ | _ | |/ / | ___ __ | | _____ / _ \ | |) | ' /| | / _ / ` | |/ / __| / ___ | /| . | || __/ (| | <__
    // __| ||_____|_,|_|__/ v2.5.0

    Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0

    Can't find jadx binary. Do you want to download jadx? (Y/n) y

    ** Downloading jadx...

    ** Decompiling APK... INFO - loading ... INFO - processing ... ERROR - finished with errors, count: 17

    ** Scanning against 'com.example.client'

    ** Done with nothing. ¯_(ツ)_/¯ Traceback (most recent call last): File "/usr/local/bin/apkleaks", line 33, in sys.exit(load_entry_point('apkleaks==2.5.0', 'console_scripts', 'apkleaks')()) File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/cli.py", line 36, in main init.scanning() File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/apkleaks.py", line 132, in scanning thread = threading.Thread(target = self.extract, args = (name, util.finder(pattern, self.tempdir))) File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/utils.py", line 18, in finder matcher = re.compile(pattern) File "/usr/lib/python3.9/re.py", line 252, in compile return _compile(pattern, flags) File "/usr/lib/python3.9/re.py", line 304, in _compile p = sre_compile.compile(pattern, flags) File "/usr/lib/python3.9/sre_compile.py", line 764, in compile p = sre_parse.parse(p, flags) File "/usr/lib/python3.9/sre_parse.py", line 948, in parse p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0) File "/usr/lib/python3.9/sre_parse.py", line 443, in _parse_sub itemsappend(_parse(source, state, verbose, nested + 1, File "/usr/lib/python3.9/sre_parse.py", line 805, in _parse flags = _parse_flags(source, state, char) File "/usr/lib/python3.9/sre_parse.py", line 913, in _parse_flags raise source.error(msg, len(char)) re.error: missing : at position 31

    bug 
    opened by arijitdirghanji 2
  • Fixes #61, and other improvements.

    Fixes #61, and other improvements.

    • Fixes #61
    • This PR also makes it so that we automatically get the absolute path of the file that's passed as an argument with -f/--file. This makes apkleaks easier to use, since we now won't need to manually get the absolute path of the apk's we want to scan.
    • I also made the output of apkleaks easier to grep.

    When installing apkleaks from PyPi on Windows, jadx.bat was installed in the path C:\Program Files\Python39\Lib\site-packages\jadx\bin\jadx.bat. This caused #61, because apkleaks was trying to run C:/Program Files/Python39/Lib/site-packages/jadx/bin/jadx.bat Aurora.Droid.ver.1.0.8.build.8.apk -d C:\Users\REDACTED\AppData\Local\Temp\apkleaks-t996o3tz without quoting the jadx.bat path.

    opened by ItsIgnacioPortal 0
  • Update the docker (latest) to have 2.6.1

    Update the docker (latest) to have 2.6.1

    dwisiswant0/apkleaks:latest

    is 2.6.0, not the latest version

    I do not think I can PR this,

    If possible please update the docker file to run from 2.6.1 ❤️

    opened by cln-io 0
  • ERROR - finished with errors, count: 146

    ERROR - finished with errors, count: 146

    v2.6.1

    Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0  ** Decompiling APK... INFO - loading ... INFO - processing ... ERROR - finished with errors, count: 146

    opened by fhartavi 0
  • It's possible to make apkleaks save output of jadx instead of create Temporary Dir

    It's possible to make apkleaks save output of jadx instead of create Temporary Dir

    It's possible to make apkleaks save output of jadx , I tried using --output-dir-src and --output-dir-res with -a but apkleaks search only through -d dir and -d dir here is Temporary Dir so It's will be awesome if you make it not temporary dir so later we can use output of jadx

    opened by 0xAwali 1
  • 'C:/Program' is not recognized as an internal or external command, operable program or batch file.

    'C:/Program' is not recognized as an internal or external command, operable program or batch file.

    Issue exists on Apkleaks v2.6.1, running on Windows 10, with python 3.9.0.

    This is probably because of the space in name of the Program Files folder. The error message appears after ** Decompiling APK...

    opened by ItsIgnacioPortal 5
Releases(v2.6.1)
  • v2.6.1(Aug 10, 2021)

  • v2.6.0(Aug 9, 2021)

    Changelog

    Minor

    77a3fa49d3c3145d8f7e467fab8a102205082f33 Added patterns:

    • GitHub Access Token
    • Discord BOT Token
    • JSON Web Token
    • MAC Address
    • CTF Flags:
      • DEF CON (Order Of the Overflow)
      • HackerOne
      • TryHackMe
      • HackTheBox
    Source code(tar.gz)
    Source code(zip)
  • v2.5.2(Jun 27, 2021)

    Changelog

    Patch

    • Fix incompatible issue on Windows (#40)
    • Replace all inline-flags PCRE pattern
    • Remove Vault Token pattern due to false-positive
    • Add kotlin to blacklist LinkFinder as class name
    • Stripping secrets result of LinkFinder
    Source code(tar.gz)
    Source code(zip)
  • v2.5.1(Jun 16, 2021)

  • v2.5.0(Jun 12, 2021)

    DEPRECATED! USE THE ABOVE VERSION INSTEAD.


    Changelog

    Minor

    Added patterns:

    • Facebook Secret Key
    • Facebook ClientID
    • Twitter ClientID
    • Twitter Secret Key
    • Artifactory API Token
    • Artifactory Password
    • Authorization Basic
    • Authorization Bearer
    • Basic Auth Credentials
    • Cloudinary Basic Auth
    • Mailto
    • Vault Token

    Patch

    • Revert NotKeyHacks pattern (splitting into the different files: config/notkeyhacks.json).
    Source code(tar.gz)
    Source code(zip)
  • v2.4.0(Jun 10, 2021)

    Added patterns:

    • Sift
    • Sentry DSN
    • Intercom API Key
    • Singular Configuration
    • Adjust Configuration
    • Bitmovin API Key
    • Salesforce MarketingCloud Token
    • AppDynamics Key
    • AppCenter Secret

    Thanks to @dee__see - for curated potentially sensitive tokens, NotKeyHacks.

    Source code(tar.gz)
    Source code(zip)
Owner
Dwi Siswanto
thou shalt not kill -9!
Dwi Siswanto
APK parser for Android

APK Parser Features Retrieve basic apk metas, such as title, icon, package name, version, etc. Parse and convert binary xml file to text Classes from

Jared Rummler 613 Dec 20, 2022
Apk parser for java

APK parser lib, for decoding binary XML files, getting APK meta info. Table of Contents Features Get APK-parser Usage 1. APK Info 2. Get Binary XML an

Hsiafan 1.1k Dec 18, 2022
A lightning fast, transactional, file-based FIFO for Android and Java.

Tape by Square, Inc. Tape is a collection of queue-related classes for Android and Java. QueueFile is a lightning-fast, transactional, file-based FIFO

Square 2.4k Dec 30, 2022
java.io.File compatible SAF library

DocumentFileX java.io.File compatible SAF implementation Tired of SAF bullshits? Implement SAF with ease! This library is in alpha stage. Most feature

null 24 Aug 25, 2022
Map strings from csv to xml file

CsvToXmlMapper While translating your app, your translator provides you with a .csv file containing the translated strings and you wonder how boring a

Abhriya Roy 6 Sep 25, 2021
Scoper - Access any file with zero permission required

Scoper - Access any file with zero permission required With this codebase you will able to access file from your mobile without requiring permission o

Fakhrul Alam Siddiqei 5 Oct 4, 2022
MMDUtils is a library for read/write mmd related file in java

MMDUtils MMDUtils is a library for read/write mmd related file in java Features Read/Write VMD(Vocaloid Motion Data) file Read/Write PMX(Polygon Model

null 5 Jan 28, 2022
A tool translate a apk file to stantard android project include so hook api and il2cpp c++ scaffolding when apk is a unity il2cpp game. Write code on a apk file elegantly.

FakerAndroid (FakerAndroid.jar or FakerAndroid-AS) A tool translate a apk file to stantard android project include so hook api and il2cpp c++ scaffold

null 231 Dec 29, 2022
Poc-sealed-secrets - An alternative to store sensitive data in the template Secrets Kubernetes an encrypted way

POC Sealed Secrets Overview Proof of concept with the objective of showing an al

Cainã Ferreira da Silva 2 Jan 28, 2022
A library for working with URIs in Kotlin Multiplatform

Uri KMP Most of this work is derived from AOSP's Uri: Uri.java UriCodec.java UriTest.java UriCodecTest.java Gradle Groovy repositories { mavenCentra

Eliezer Graber 10 Jan 4, 2023
APK Explorer & Editor, an open-source tool to explore the contents of an installed APK

APK Explorer & Editor, an open-source tool to explore the contents of an installed APK, is strictly made with an aim to inspect an installed APK file.

APK Explorer & Editor 270 Dec 25, 2022
A Gradle plugin for providing your secrets to your Android project.

Secrets Gradle Plugin for Android A Gradle plugin for providing your secrets securely to your Android project. This Gradle plugin reads secrets from a

Google 560 Jan 8, 2023
Android Kotlin paged endpoints made easy

A smart and simple way to work with paged endpoints. To see an example of how to use it, check out the introducing Fountain posts: part one and part t

xmartlabs 171 Nov 15, 2022
Kotlin backend based on the Clean Architecture principles. Ktor, JWT, Exposed, Flyway, KGraphQL/GraphQL generated endpoints, Gradle.

Kotlin Clean Architecture Backend Kotlin backend based on the Clean Architecture principles. The application is separated into three modules: Domain,

null 255 Jan 3, 2023
Operations are performed by calling api endpoints over the network

##About The app Operations are performed by calling api endpoints over the network. Local data is in effect immutable, the client just downloads updat

Marc Daniel Registre 1 Oct 22, 2021
A file manager,apk editor....

A file manager,apk editor....

FlyingYu 41 Oct 20, 2022
BlackDex is an Android unpack tool, it supports Android 5.0~12 and need not rely to any environment. BlackDex can run on any Android mobile phones or emulators, you can unpack APK File in several seconds.

BlackDex is an Android unpack tool, it supports Android 5.0~12 and need not rely to any environment. BlackDex can run on any Android mobile phones or emulators, you can unpack APK File in several seconds.

null 4.3k Jan 2, 2023
ZXing ("Zebra Crossing") barcode scanning library for Java, Android

Project in Maintenance Mode Only The project is in maintenance mode, meaning, changes are driven by contributed patches. Only bug fixes and minor enha

ZXing Project 30.5k Dec 27, 2022
card.io provides fast, easy credit card scanning in mobile apps

card.io SDK for Android card.io provides fast, easy credit card scanning in mobile apps. Stay up to date Please be sure to keep your app up to date wi

card.io 2k Jan 1, 2023