APKLeaks - Scanning APK file for URIs, endpoints & secrets.

Last update: Jan 09, 2023

Overview

APKLeaks

Scanning APK file for URIs, endpoints & secrets.

Installation
Usage
- Options
License
Acknowledments

Installation

It's fairly simple to install APKLeaks:

from PyPi

$ pip3 install apkleaks

from Source

Clone repository and install requirements:

$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip3 install -r requirements.txt

from Docker

Pull the Docker image by running:

$ docker pull dwisiswant0/apkleaks:latest

Dependencies

APKLeaks using jadx disassembler to decompile APK file. If it doesn't exist in your environment, it'll ask you to download.

Usage

Simply,

$ apkleaks -f ~/path/to/file.apk
# from Source
$ python3 apkleaks.py -f ~/path/to/file.apk
# or with Docker
$ docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk

Options

Here are all the options it supports.

Argument	Description	Example
-f, --file	APK file to scanning	`apkleaks -f file.apk`
-o, --output	Write to file results (random if not set)	`apkleaks -f file.apk -o results.txt`
-p, --pattern	Path to custom patterns JSON	`apkleaks -f file.apk -p custom-rules.json`
-a, --args	Disassembler arguments	`apkleaks -f file.apk --args="--deobf --log-level DEBUG"`
--json	Save as JSON format	`apkleaks -f file.apk -o results.json --json`

Output

In general, if you don't provide -o argument, then it will generate results file automatically.

NOTE: By default it will also save the results in text format, use --json argument if you want JSON output format.

Pattern

Custom patterns can be added with the following argument to provide sensitive search rules in the JSON file format: --pattern /path/to/custom-rules.json. If not set, it'll use default patterns from regexes.json file.

Example patterns file:

// custom-rules.json
{
  "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
  ...
}

$ apkleaks -f /path/to/file.apk -p rules.json -o ~/Documents/apkleaks-results.txt

Arguments (disassembler)

We give user complete discretion to pass the disassembler arguments. For example, if you want to activate threads in jadx decompilation process, you can add it with -a/--args argument, example: --args="--threads-count 5".

$ apkleaks -f /path/to/file.apk -a "--deobf --log-level DEBUG"

NOTE: Please pay attention to the default disassembler arguments we use to prevent collisions.

License

apkleaks is distributed under Apache 2.

Acknowledments

Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their helps and resources:

@ndelphit - for his inspiring apkurlgrep, that's why this tool was made.
@dxa4481 and y'all who contribute to truffleHogRegexes.
@GerbenJavado & @Bankde - for awesome pattern to discover URLs, endpoints & their parameters from LinkFinder.
@tomnomnom - a gf patterns.
@pxb1988 - for awesome APK dissambler dex2jar.
@subho007 for standalone APK parser.
SHA2048#4361 (Discord user) that help me porting code to Python3.
@Ry0taK because he had reported an OS command injection bug.
All contributors.

Comments

PermissionError: [WinError 32] The process cannot access the file because it is being used by another process:

After issue #37 was fixed, I cloned the repo and tried testing it again.

Here's the command I entered: python .\apkleaks.py -f <path-to-apk>\app-armeabi-v7a-release.apk

Here's the output:

     _    ____  _  ___               _
    / \  |  _ \| |/ / |    ___  __ _| | _____
   / _ \ | |_) | ' /| |   / _ \/ _` | |/ / __|
  / ___ \|  __/| . \| |__|  __/ (_| |   <\__ \
 /_/   \_\_|   |_|\_\_____\___|\__,_|_|\_\___/
 v2.3.0
 --
 Scanning APK file for URIs, endpoints & secrets
 (c) 2020-2021, dwisiswant0

** Decompiling APK...
The filename, directory name, or volume label syntax is incorrect.

** Scanning against 'com.<package-name>'
Traceback (most recent call last):
  File ".\apkleaks.py", line 5, in <module>
    main()
  File "C:\Users\username\Documents\apkleaks\apkleaks\cli.py", line 38, in main
    init.cleanup()
  File "C:\Users\username\Documents\apkleaks\apkleaks\apkleaks.py", line 144, in cleanup
    os.remove(self.output)
PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: 'C:\\Users\\username\\AppData\\Local\\Temp\\apkleaks-fimv9xye.txt'

bug

opened by masteradit 21

Empty results in Windows

I just called python apkleaks.py -f app.apk -o app.txt and got:

Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0 ←[0m ←[94m** Decompiling APK... ←[0mINFO - loading ... INFO - processing ... ERROR - finished with errors, count: 3

The app.txt file is completly empty. What could be the problem?

OS: Windows 10 Python: 3.8.0
bug

opened by fuuman 8
ERROR: No module named apk_parse.apk

Hi, i'm having this error while trying to run the script:

python2 apkleaks.py -h

Traceback (most recent call last): File "apkleaks.py", line 2, in from apk_parse.apk import APK ImportError: No module named apk_parse.apk

Where can i find this "apk_parse.apk" file ?

Thanks
question

opened by DIEGOD79 7
json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 62 column 1 (char 4619)

I ran apkleaks with this command: sudo python3 apkleaks.py -f ../myapp.apk but I got this error:

` ** Decompiling APK... ERROR - Incorrect arguments: File not found /usr/share/jadx/bin/../myapp.apk

** Scanning against 'com.flightio.app'

** Done with nothing. ¯_(ツ)_/¯ Traceback (most recent call last): File "/home/majidmc2/Desktop/apkleaks/apkleaks.py", line 5, in main() File "/home/majidmc2/Desktop/apkleaks/apkleaks/cli.py", line 36, in main init.scanning() File "/home/majidmc2/Desktop/apkleaks/apkleaks/apkleaks.py", line 124, in scanning regex = json.load(regexes) File "/usr/lib/python3.9/json/init.py", line 293, in load return loads(fp.read(), File "/usr/lib/python3.9/json/init.py", line 346, in loads return _default_decoder.decode(s) File "/usr/lib/python3.9/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib/python3.9/json/decoder.py", line 353, in raw_decode obj, end = self.scan_once(s, idx) json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 62 column 1 (char 4619) `
bug

opened by majidmc2 5
Refactor code quality issues
Hey, I work at DeepSource, I ran DeepSource analysis on my fork of the repo and found some improvements in the codebase, opening this PR so you can assess if our platform is right and helpful for you; happy to provide the tweaks separately otherwise.

Following are the changes-

Removed length check in favour of truthiness of the object

Removed unused imports

Removed unnecessary return statement

Use sys.exit() calls

Add .deepsource.toml file for continuous analysis on bug risks/performance/code-quality issues on new changes.

Note: I've fixed a few issues for now. You can find and fix other issues here.
opened by saif-deepsource 5
Issue with requirements.txt (numpy) installation

I've been trying to install APKLeaks but having some run time installation error while installing the requirement.text. It seems there's some error with numpy cause it's failing to build and clean wheel again and again.

I even tried updating numpy to the latest version and re-installing too but there's no success. Please find the entire error here: https://ghostbin.co/paste/ojqknqs/raw

opened by mdisrail2468 4

Can't create directory/permission denied

When i use --outpot, i get this error: PermissionError: [Errno 13] Permission denied: 'C:\\Users\\sezer\\Desktop\\folder'

When use just -f file.apk, i get this one:

ERROR - Error saving class: com.things.thing
jadx.core.utils.exceptions.JadxRuntimeException: 
Can't create directory C:\Users\sezer\AppData\Local\Temp\apkleaks-woqqyysy\sources\com\exampleapk\module\ui\main\api\data\aux
______________________________________________________________________________________________
PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: 'C:\\Users\\sezer\\AppData\\Local\\Temp\\apkleaks-3hmqctov.txt'

I tried use on admin mode too but still same.

opened by srzern 3

ApkLeaks does not decompile all DEX files
The code reveals that ApkLeaks only decompiles classes.dex, omitting any other DEX files: https://github.com/dwisiswant0/apkleaks/blob/master/apkleaks/apkleaks.py#L92

Since jadx is able to decompile an entire APK file, I suggest to pass the following arguments to jadx:

args = [self.jadx, self.file, "-d", self.tempdir, "--deobf"]
opened by U039b 3
The filename, directory name, or volume label syntax is incorrect

I used the following command,

python apkleaks.py -f testapp.apk

but it gives error :

←[0m ←[94m** Decompiling APK... ←[0mThe filename, directory name, or volume label syntax is incorrect.

** Scanning against 'instagram.photo.video.downloader.repost.insta'

** Done with nothing. ¯_(ツ)_/¯

opened by adapana 3

Can't able to run apkleaks.py

Getting following Error first

Traceback (most recent call last):
  File "apkleaks.py", line 2, in <module>
    from apkleaks.apkleaks import APKLeaks
  File "/mnt/f/InfoSec/Tools/apkleaks/apkleaks/apkleaks.py", line 2, in <module>
    from apkleaks.colors import clr
ImportError: No module named colors

opened by YashGoti 3

re.error: missing : at position 31

i am running my kali linux on wsl i am getting this type of error

└─# apkleaks -f ../com.example.client.apk _ ____ _ ___ _ / \ | _ | |/ / | ___ __ | | _____ / _ \ | |) | ' /| | / _ / ` | |/ / __| / ___ | /| . | || __/ (| | <__
// __| ||_____|_,|_|__/ v2.5.0

Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0

Can't find jadx binary. Do you want to download jadx? (Y/n) y

** Downloading jadx...

** Decompiling APK... INFO - loading ... INFO - processing ... ERROR - finished with errors, count: 17

** Scanning against 'com.example.client'

** Done with nothing. ¯_(ツ)_/¯ Traceback (most recent call last): File "/usr/local/bin/apkleaks", line 33, in sys.exit(load_entry_point('apkleaks==2.5.0', 'console_scripts', 'apkleaks')()) File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/cli.py", line 36, in main init.scanning() File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/apkleaks.py", line 132, in scanning thread = threading.Thread(target = self.extract, args = (name, util.finder(pattern, self.tempdir))) File "/usr/local/lib/python3.9/dist-packages/apkleaks-2.5.0-py3.9.egg/apkleaks/utils.py", line 18, in finder matcher = re.compile(pattern) File "/usr/lib/python3.9/re.py", line 252, in compile return _compile(pattern, flags) File "/usr/lib/python3.9/re.py", line 304, in _compile p = sre_compile.compile(pattern, flags) File "/usr/lib/python3.9/sre_compile.py", line 764, in compile p = sre_parse.parse(p, flags) File "/usr/lib/python3.9/sre_parse.py", line 948, in parse p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0) File "/usr/lib/python3.9/sre_parse.py", line 443, in _parse_sub itemsappend(_parse(source, state, verbose, nested + 1, File "/usr/lib/python3.9/sre_parse.py", line 805, in _parse flags = _parse_flags(source, state, char) File "/usr/lib/python3.9/sre_parse.py", line 913, in _parse_flags raise source.error(msg, len(char)) re.error: missing : at position 31
bug

opened by arijitdirghanji 2
Fixes #61, and other improvements.
Fixes #61

This PR also makes it so that we automatically get the absolute path of the file that's passed as an argument with -f/--file. This makes apkleaks easier to use, since we now won't need to manually get the absolute path of the apk's we want to scan.

I also made the output of apkleaks easier to grep.

When installing apkleaks from PyPi on Windows, jadx.bat was installed in the path C:\Program Files\Python39\Lib\site-packages\jadx\bin\jadx.bat. This caused #61, because apkleaks was trying to run C:/Program Files/Python39/Lib/site-packages/jadx/bin/jadx.bat Aurora.Droid.ver.1.0.8.build.8.apk -d C:\Users\REDACTED\AppData\Local\Temp\apkleaks-t996o3tz without quoting the jadx.bat path.
opened by ItsIgnacioPortal 0
Update the docker (latest) to have 2.6.1

dwisiswant0/apkleaks:latest

is 2.6.0, not the latest version

I do not think I can PR this,

If possible please update the docker file to run from 2.6.1 ❤️

opened by cln-io 0
ERROR - finished with errors, count: 146

v2.6.1

Scanning APK file for URIs, endpoints & secrets (c) 2020-2021, dwisiswant0 [0m [94m** Decompiling APK... [0mINFO - loading ... INFO - processing ... ERROR - finished with errors, count: 146

opened by fhartavi 0
It's possible to make apkleaks save output of jadx instead of create Temporary Dir

It's possible to make apkleaks save output of jadx , I tried using --output-dir-src and --output-dir-res with -a but apkleaks search only through -d dir and -d dir here is Temporary Dir so It's will be awesome if you make it not temporary dir so later we can use output of jadx

opened by 0xAwali 1
'C:/Program' is not recognized as an internal or external command, operable program or batch file.

Issue exists on Apkleaks v2.6.1, running on Windows 10, with python 3.9.0.

This is probably because of the space in name of the Program Files folder. The error message appears after ** Decompiling APK...

opened by ItsIgnacioPortal 5

Releases(v2.6.1)

v2.6.1(Aug 10, 2021)
Changelog

Patch

Remove trailing comma (hotfix #52)

Source code(tar.gz)
Source code(zip)
v2.6.0(Aug 9, 2021)
Changelog

Minor

77a3fa49d3c3145d8f7e467fab8a102205082f33 Added patterns:

GitHub Access Token

Discord BOT Token

JSON Web Token

MAC Address

CTF Flags:

DEF CON (Order Of the Overflow)

HackerOne

TryHackMe

HackTheBox

Source code(tar.gz)
Source code(zip)
v2.5.2(Jun 27, 2021)
Changelog

Patch

Fix incompatible issue on Windows (#40)

Replace all inline-flags PCRE pattern

Remove Vault Token pattern due to false-positive

Add kotlin to blacklist LinkFinder as class name

Stripping secrets result of LinkFinder

Source code(tar.gz)
Source code(zip)
v2.5.1(Jun 16, 2021)
Changelog

Patch

Update Facebook_Secret_Key pattern.

Convert inline-flags PCRE style (#48).

Source code(tar.gz)
Source code(zip)
v2.5.0(Jun 12, 2021)
DEPRECATED! USE THE ABOVE VERSION INSTEAD.

Changelog

Minor

Added patterns:

Facebook Secret Key

Facebook ClientID

Twitter ClientID

Twitter Secret Key

Artifactory API Token

Artifactory Password

Authorization Basic

Authorization Bearer

Basic Auth Credentials

Cloudinary Basic Auth

Mailto

Vault Token

Patch

Revert NotKeyHacks pattern (splitting into the different files: config/notkeyhacks.json).

Source code(tar.gz)
Source code(zip)
v2.4.0(Jun 10, 2021)
Added patterns:

Sift

Sentry DSN

Intercom API Key

Singular Configuration

Adjust Configuration

Bitmovin API Key

Salesforce MarketingCloud Token

AppDynamics Key

AppCenter Secret

Thanks to @dee__see - for curated potentially sensitive tokens, NotKeyHacks.
Source code(tar.gz)
Source code(zip)

Owner

dw1

Bashturbation

GitHub Repository

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

Related tags

Overview

APKLeaks

Installation

from PyPi

from Source

from Docker

Dependencies

Usage

Options

Output

Pattern

Arguments (disassembler)

License

Acknowledments

Comments

python2 apkleaks.py -h

└─# apkleaks -f ../com.example.client.apk _ ____ _ ___ _ / \ | _ | |/ / | ___ __ | | _____ / _ \ | |) | ' /| | / _ / ` | |/ / __| / ___ | /| . | || __/ (| | <__ // __| ||_____|_,|_|__/ v2.5.0

v2.6.1

Releases(v2.6.1)

v2.6.1(Aug 10, 2021)

Changelog

Patch

v2.6.0(Aug 9, 2021)

Changelog

Minor

v2.5.2(Jun 27, 2021)

Changelog

Patch

v2.5.1(Jun 16, 2021)

Changelog

Patch

v2.5.0(Jun 12, 2021)

Changelog

Minor

Patch

v2.4.0(Jun 10, 2021)

Owner

dw1

Generate your own NFTs and their metadata based on your desired probabilities.

Multi Brute Force Facebook - Crack Facebook With Login - Free For Now

Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

Lightweight and beneficial Dependency Injection plugin for apscheduler

Password Manager is a simple Python project which helps users in managing their passwords in a easier way

proxyshell payload generate

Metasploit Multi Purpose Exploiting Toolkit For Termux

This tool allows to automatically test for Content Security Policy bypass payloads.

Script checks provided domains for log4j vulnerability

A signature parser for hikari's command handler tanjun.

"KeyLogger-WebService" Is a Keylogger Write In python.

CSAW 2021 writeups

A terminal based web shell controller

Wireguard VPN Server Installer for: on Ubuntu, Debian, Arch, Fedora and CentOS

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Visibility and Mitigation for Log4J vulnerabilities

Scans for Log4j versions effected by CVE-2021-44228

CVE-2021-22986 & F5 BIG-IP RCE

BOF-Roaster is an automated buffer overflow exploit machine which is begin written with Python 3.

A black hole for Internet advertisements

└─# apkleaks -f ../com.example.client.apk _ ____ _ ___ _ / \ | _ | |/ / | _ | | _____ / _ \ | |) | ' /| | / _ / ` | |/ / | / _ | /| . | || / (| | <
// | ||___|_,|_|__/ v2.5.0