APKscan

Scan for secrets, endpoints, and other sensitive data after decompiling and deobfuscating Android files. (.apk, .xapk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, .jadx.kts).

https://github.com/user-attachments/assets/6aaedf8c-5a84-4541-ae08-53df2f16d7c6

Why use APKscan?
Features
Installation
- PyPi Install Command
- From Source Install Commands
Usage
- Basic Usage
- Advanced Usage (All Command Line Arguments)
Configuring Scanning Rules
Configuring Decompilers
Concurrency and Performance
- Concurrency Options
- Optimizing Performance
Contributing
License

Why use APKscan?

Find Leaked Secrets

APKs (Android Package Kits) often leak secrets due to over-reliance on security through obscurity. Developers sometimes leave sensitive information such as API keys, tokens, and credentials hidden within the code, assuming that they won't be found easily since the code has been compiled and obfuscated. However, this approach is fundamentally flawed, and such secrets can be exposed, leading to potential security vulnerabilities.

<details> <summary> <h4>Demo: Finding Cloud Credentials</h4> </summary>

https://github.com/user-attachments/assets/9c33aad1-6683-4ae6-a6dd-ccb49d6e0bd1

</details>

Identify the Attack Surface of the Backend

APKscan also helps identify the attack surface of the backend by uncovering forgotten endpoints, test data payloads, and other traces of backend interfaces that developers might have unintentionally exposed. These endpoints can provide attackers with access to sensitive data or functionalities that are not meant for public use. By scanning for such endpoints and test data, APKscan assists in ensuring that the backend is secure and that no unnecessary exposure is left in the deployed applications.

<details> <summary> <h4>Demo: Finding Endpoints</h4> </summary>

https://github.com/user-attachments/assets/de03f3fa-0d7a-46b1-b68e-0beb6c4962f8

</details>

Identify Sensitive Locations in Application Code

APKscan can help quickly identify sensitive locations in the code, such as SSL pinning libraries, root detection functions, and other security mechanisms. Identifying these functions can speed up reverse engineering and app manipulation by quickly revealing critical points where an app enforces its security policies, making it easier to bypass them with tools like Frida. By pinpointing these areas, APKscan aids in understanding an app's security mechanisms and potential weaknesses.

Features

Automate the Scanning Process for Multiple Applications:

APKscan allows you to automate the process of scanning for secrets in any number of applications, saving you time and ensuring thorough coverage.

Multiple Decompilers and Deobfuscators:

Utilize one or more decompilers and deobfuscators to increase the chances of finding hidden secrets.

Supports all popular decompilers including JADX, APKTool, CFR, Procyon, Krakatau, and Fernflower, providing flexibility and robustness in your scanning process.
Uses enjarify-adapter to convert the Dalvik bytecode in .apk files into Java bytecode on the fly, so the resulting .jar can be processed by decompilers/deobfuscators that do not support .apks directly.

Customizable Rules:

Define your own secret locator rules or use the default ones provided. This flexibility allows you to tailor the scanning process to your specific needs and improve the detection accuracy of sensitive information.

Support for common formats: SecretLocator JSON, secret-patterns-db YAML, gitleaks TOML, and simple key-value pairs.

Flexible Output Options:

Choose from multiple output formats (JSON, YAML, or text) and organize the results by input file or locator. This makes it easier to integrate with other tools and workflows, and to analyze the findings effectively.

Comprehensive File Support:

Decompile and scan a wide range of Android-related files, including .apk, .xapk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, and .jadx.kts files.

NEW: .xapk -> .apk(s) unpacking/extraction support added in v0.4.0.

Advanced Configuration and Concurrency Options:

APKscan offers advanced options for concurrency, decompilation, and scanning, enabling you to optimize the performance and behavior of the tool to suit your environment and requirements.

Installation

APKscan can be installed from PyPi or from source.

PyPi Install Command

pip3 install apkscan

From Source Install Commands

git clone https://github.com/LucasFaudman/apkscan.git
cd apkscan
python3 -m venv .venv
source .venv/bin/activate
pip3 install -e .
cd ../

Usage

Basic Usage

The most basic way to use APKscan is to decompile an APK using the default decompiler JADX and scan using the default Secret locator rules in default.json.

apkscan file-to-scan.apk

Multiple sets of Secret Locators are included and can be refrenced by name. For example, to scan for only AWS credentials and endpoints:

apkscan file-to-scan.apk -r aws endpoints

A slighly more complex example. This time 3 APKs will be decompiled then scanned using the custom rules at /path/to/custom/rules.json. The output written to output_file.yaml in YAML format, and the results will be grouped by which secret locator was matched. Files generated during decompilation will be removed after scanning.

apkscan -r /path/to/custom/rules.json -o output_file.yaml -f yaml -g locator -c file1.apk file2.apk file3.apk

Or in long form:

apkscan --rules /path/to/custom/rules.json --output output_file.yaml --format yaml --groupby locator --cleanup file1.apk file2.apk file3.apk

Advanced Usage

<details> <summary> <h4>All Command Line Arguments</h4> </summary>

usage: apkscan [-h] [-r [SECRET_LOCATOR_FILES ...]] [-o SECRETS_OUTPUT_FILE]
               [-f {text,json,yaml}] [-g {file,locator,both}]
               [-c | --cleanup | --no-cleanup] [-q] [--jadx [JADX]]
               [--apktool [APKTOOL]] [--cfr [CFR]] [--procyon [PROCYON]]
               [--krakatau [KRAKATAU]] [--fernflower [FERNFLOWER]]
               [--enjarify-choice {auto,never,always}]
               [--unpack-xapks | --no-unpack-xapks]
               [-d | --deobfuscate | --no-deobfuscate]
               [-w DECOMPILER_WORKING_DIR]
               [--decompiler-output-suffix DECOMPILER_OUTPUT_SUFFIX]
               [--decompiler-extra-args DECOMPILER_EXTRA_ARGS [DECOMPILER_EXTRA_ARGS ...]]
               [-dct {thread,process,main}] [-dro {completed,submitted}]
               [-dmw DECOMPILER_MAX_WORKERS] [-dcs DECOMPILER_CHUNKSIZE]
               [-dto DECOMPILER_TIMEOUT] [-sct {thread,process,main}]
               [-sro {completed,submitted}] [-smw SCANNER_MAX_WORKERS]
               [-scs SCANNER_CHUNKSIZE] [-sto SCANNER_TIMEOUT]
               [FILES_TO_SCAN ...]

APKscan v0.4.0 - Scan for secrets, endpoints, and other sensitive
data after decompiling and deobfuscating Android files. (.apk,
.xapk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, .jadx.kts)
(c) Lucas Faudman, 2024. License information in LICENSE file. Credits
to the original authors of all dependencies used in this project.

options:
  -h, --help            show this help message and exit

Input Options:
  FILES_TO_SCAN         Path(s) to Java files to decompile and scan.
  -r [SECRET_LOCATOR_FILES ...], --rules [SECRET_LOCATOR_FILES ...]
                        Path(s) to secret locator rules/patterns files OR
                        names of included locator sets. Files can be in
                        SecretLocator JSON, secret-patterns-db YAML, or
                        Gitleak TOML formats. Included locator sets:
                        all_secret_locators, aws, azure, cloud, curated,
                        default, endpoints, gcp, generic, gitleaks, high-
                        confidence, key_locators, leakin-regexes,
                        locator_sort, nuclei-regexes, secret. If not provided,
                        default ru

Apkscan

Install / Use

README