Trusted by over 1.6 million members since 2014 — why not join them?
Snailsoft
∞ and beyond!
Staff Member
Moderator
SB Mod Squad ⭐
✔ Approved Releaser
Active User
Member for 2 years
APKscan
Scan for secrets, endpoints, and other sensitive data after decompiling and deobfuscating Android files. (.apk, .xapk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, .jadx.kts).
Find Leaked Secrets
APKs (Android Package Kits) often leak secrets due to over-reliance on security through obscurity. Developers sometimes leave sensitive information such as API keys, tokens, and credentials hidden within the code, assuming that they won't be found easily since the code has been compiled and obfuscated. However, this approach is fundamentally flawed, and such secrets can be exposed, leading to potential security vulnerabilities.
Identify Sensitive Locations in Application Code
APKscan can help quickly identify sensitive locations in the code, such as SSL pinning libraries, root detection functions, and other security mechanisms. Identifying these functions can speed up reverse engineering and app manipulation by quickly revealing critical points where an app enforces its security policies, making it easier to bypass them with tools like Frida. By pinpointing these areas, APKscan aids in understanding an app's security mechanisms and potential weaknesses.
Identify the Attack Surface of the Backend
APKscan also helps identify the attack surface of the backend by uncovering forgotten endpoints, test data payloads, and other traces of backend interfaces that developers might have unintentionally exposed. These endpoints can provide attackers with access to sensitive data or functionalities that are not meant for public use. By scanning for such endpoints and test data, APKscan assists in ensuring that the backend is secure and that no unnecessary exposure is left in the deployed applications.
Features
Automate the Scanning Process for Multiple Applications:
From Source Install Commands
Usage
Basic Usage
The most basic way to use APKscan is to decompile an APK using the default decompiler JADX and scan using the default Secret locator rules in default.json.
apkscan file-to-scan.apk
Multiple sets of Secret Locators are included and can be refrenced by name. For example, to scan for only AWS credentials and endpoints:
apkscan file-to-scan.apk -r aws endpoints
A slighly more complex example. This time 3 APKs will be decompiled then scanned using the custom rules at /path/to/custom/rules.json. The output written to output_file.yaml in YAML format, and the results will be grouped by which secret locator was matched. Files generated during decompilation will be removed after scanning.
apkscan -r /path/to/custom/rules.json -o output_file.yaml -f yaml -g locator -c file1.apk file2.apk file3.apk
Or in long form:
apkscan --rules /path/to/custom/rules.json --output output_file.yaml --format yaml --groupby locator --cleanup file1.apk file2.apk file3.apk
Both the decompilation AND secret scanning processes can be configured using the following options:
Decompiler Advanced Options:
Options for Java decompiler.
<truncated>
-dct {thread,process,main}, --decompiler-concurrency-type {thread,process,main}
Type of concurrency to use for decompilation. Default is 'thread'.
-dro {completed,submitted}, --decompiler-results-order {completed,submitted}
Order to process results from decompiler. Default is 'completed'.
-dmw DECOMPILER_MAX_WORKERS, --decompiler-max-workers DECOMPILER_MAX_WORKERS
Maximum number of workers to use for decompilation.
-dcs DECOMPILER_CHUNKSIZE, --decompiler-chunksize DECOMPILER_CHUNKSIZE
Number of files to decompile per thread/process.
-dto DECOMPILER_TIMEOUT, --decompiler-timeout DECOMPILER_TIMEOUT
Timeout for decompilation in seconds.
Secret Scanner Advanced Options:
Options for secret scanner.
-sct {thread,process,main}, --scanner-concurrency-type {thread,process,main}
Type of concurrency to use for scanning. Default is 'process'.
-sro {completed,submitted}, --scanner-results-order {completed,submitted}
Order to process results from scanner. Default is 'completed'.
-smw SCANNER_MAX_WORKERS, --scanner-max-workers SCANNER_MAX_WORKERS
Maximum number of workers to use for scanning.
-scs SCANNER_CHUNKSIZE, --scanner-chunksize SCANNER_CHUNKSIZE
Number of files to scan per thread/process.
-sto SCANNER_TIMEOUT, --scanner-timeout SCANNER_TIMEOUT
Timeout for scanning in seconds.
Concurrency Type:
To optimize the performance of APKscan, consider the following tips:
Scan for secrets, endpoints, and other sensitive data after decompiling and deobfuscating Android files. (.apk, .xapk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab, .jadx.kts).
Find Leaked Secrets
APKs (Android Package Kits) often leak secrets due to over-reliance on security through obscurity. Developers sometimes leave sensitive information such as API keys, tokens, and credentials hidden within the code, assuming that they won't be found easily since the code has been compiled and obfuscated. However, this approach is fundamentally flawed, and such secrets can be exposed, leading to potential security vulnerabilities.
Identify Sensitive Locations in Application Code
APKscan can help quickly identify sensitive locations in the code, such as SSL pinning libraries, root detection functions, and other security mechanisms. Identifying these functions can speed up reverse engineering and app manipulation by quickly revealing critical points where an app enforces its security policies, making it easier to bypass them with tools like Frida. By pinpointing these areas, APKscan aids in understanding an app's security mechanisms and potential weaknesses.
Identify the Attack Surface of the Backend
APKscan also helps identify the attack surface of the backend by uncovering forgotten endpoints, test data payloads, and other traces of backend interfaces that developers might have unintentionally exposed. These endpoints can provide attackers with access to sensitive data or functionalities that are not meant for public use. By scanning for such endpoints and test data, APKscan assists in ensuring that the backend is secure and that no unnecessary exposure is left in the deployed applications.
Features
Automate the Scanning Process for Multiple Applications:
Multiple Decompilers and Deobfuscators:
- Supports all popular decompilers including JADX, APKTool, CFR, Procyon, Krakatau, and Fernflower, providing flexibility and robustness in your scanning process.
- Uses enjarify-adapter to convert the Dalvik bytecode in .apk files into Java bytecode on the fly, so the resulting .jar can be processed by decompilers/deobfuscators that do not support .apks directly.
- Support for common formats: SecretLocator JSON, secret-patterns-db YAML, gitleaks TOML, and simple key-value pairs.
Comprehensive File Support:
- NEW: .xapk -> .apk(s) unpacking/extraction support added in v0.4.0.
Installation
PyPi Install Command
Code:
pip3 install apkscan
Code:
git clone https://github.com/LucasFaudman/apkscan.git
cd apkscan
python3 -m venv .venv
source .venv/bin/activate
pip3 install -e .
cd ../Basic Usage
The most basic way to use APKscan is to decompile an APK using the default decompiler JADX and scan using the default Secret locator rules in default.json.
apkscan file-to-scan.apk
Multiple sets of Secret Locators are included and can be refrenced by name. For example, to scan for only AWS credentials and endpoints:
apkscan file-to-scan.apk -r aws endpoints
A slighly more complex example. This time 3 APKs will be decompiled then scanned using the custom rules at /path/to/custom/rules.json. The output written to output_file.yaml in YAML format, and the results will be grouped by which secret locator was matched. Files generated during decompilation will be removed after scanning.
apkscan -r /path/to/custom/rules.json -o output_file.yaml -f yaml -g locator -c file1.apk file2.apk file3.apk
Or in long form:
apkscan --rules /path/to/custom/rules.json --output output_file.yaml --format yaml --groupby locator --cleanup file1.apk file2.apk file3.apk
Both the decompilation AND secret scanning processes can be configured using the following options:
Decompiler Advanced Options:
Options for Java decompiler.
<truncated>
-dct {thread,process,main}, --decompiler-concurrency-type {thread,process,main}
Type of concurrency to use for decompilation. Default is 'thread'.
-dro {completed,submitted}, --decompiler-results-order {completed,submitted}
Order to process results from decompiler. Default is 'completed'.
-dmw DECOMPILER_MAX_WORKERS, --decompiler-max-workers DECOMPILER_MAX_WORKERS
Maximum number of workers to use for decompilation.
-dcs DECOMPILER_CHUNKSIZE, --decompiler-chunksize DECOMPILER_CHUNKSIZE
Number of files to decompile per thread/process.
-dto DECOMPILER_TIMEOUT, --decompiler-timeout DECOMPILER_TIMEOUT
Timeout for decompilation in seconds.
Secret Scanner Advanced Options:
Options for secret scanner.
-sct {thread,process,main}, --scanner-concurrency-type {thread,process,main}
Type of concurrency to use for scanning. Default is 'process'.
-sro {completed,submitted}, --scanner-results-order {completed,submitted}
Order to process results from scanner. Default is 'completed'.
-smw SCANNER_MAX_WORKERS, --scanner-max-workers SCANNER_MAX_WORKERS
Maximum number of workers to use for scanning.
-scs SCANNER_CHUNKSIZE, --scanner-chunksize SCANNER_CHUNKSIZE
Number of files to scan per thread/process.
-sto SCANNER_TIMEOUT, --scanner-timeout SCANNER_TIMEOUT
Timeout for scanning in seconds.
Concurrency Type:
- thread: Uses threading, suitable for I/O-bound tasks.
- process: Uses multiprocessing, more efficient for CPU-bound tasks.
- main: Runs in the main thread, useful for debugging or environments where concurrency is restricted.
- completed: Processes results as soon as they are completed.
- submitted: Processes results in the order they were submitted.
- Adjust based on your system's CPU and memory resources.
- This helps balance the workload and can improve performance.
- This ensures that stalled tasks do not indefinitely block the overall process.
To optimize the performance of APKscan, consider the following tips:
- Decompilation is memory-intensive: Set the maximum number of decompiler workers based on your available RAM to avoid system slowdowns or crashes.
- Balance workload between decompilation and scanning: Consider whether your workload is more focused on decompiling or scanning.
- If using a large number of decompilers and scanning for few secret locators, allocate more workers to decompilation and fewer to scanning.
- Conversely, if using fewer decompilers but scanning for many secret locators, allocate more workers to the scanning process.
