LinuxCommandLibrary

apkleaks

Analyze APK files for sensitive information

TLDR

Scan an APK file for URIs, endpoints, and secrets
$ apkleaks [[-f|--file]] [path/to/file].apk

Scan and save the output to a specific file
$ apkleaks [[-f|--file]] [path/to/file].apk [[-o|--output]] [path/to/output.txt]

Pass jadx disassembler arguments
$ apkleaks [[-f|--file]] [path/to/file].apk [[-a|--args]] "[--threads-count 5 --deobf]"

SYNOPSIS

apkleaks -f APK_FILE [options...]

PARAMETERS

-f, --file FILE
    Target APK file to analyze (required)

-p, --plugins PLUGINS
    Comma-separated list of plugins to use (e.g., 'urls,secrets')

-o, --output FILE
    Output file (default: 'apkleaks.json')

-d, --directory DIR
    Output directory for results and decompiled APK

-s, --simple
    Use simple text output instead of JSON

-v, --verbose
    Enable verbose logging

-h, --help
    Show help message

-V, --version
    Print version information

DESCRIPTION

Apkleaks is a lightweight, open-source command-line tool designed for static analysis of Android APK files to detect potential security leaks. It automatically decompiles the APK using apktool, then applies a set of predefined regex patterns (plugins) to scan for sensitive information such as API keys, endpoints, URLs, credentials, secrets, and tokens.

Key features include customizable plugins for targeted scanning, JSON or simple text output formats, and support for verbose logging. It's particularly useful for security researchers, penetration testers, and developers performing mobile app security audits. The tool identifies hardcoded secrets that could lead to vulnerabilities like unauthorized access or data exposure.

Apkleaks requires apktool and Java to be installed. It processes the APK's resources, manifests, and code to extract strings matching patterns for services like AWS, Firebase, Google APIs, and more. Output can be directed to files or directories for further analysis with tools like jq or grep.
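As an added illustration of the plugin mechanism described above, the following Python reimplements the core idea: run a set of named regex patterns over strings extracted from a decompiled APK and report matches per plugin. It is not apkleaks' own code and does not reproduce its real plugin definitions; the sample strings and the patterns are constructed for this example.

```python
import json
import re

# Constructed sample: strings as they might be pulled from a decompiled APK's
# resources and code. Every value here is fake or a documented example value.
SAMPLE_STRINGS = [
    "https://api.example.com/v1/login",
    "https://myapp-1234.firebaseio.com/users",
    "AKIAIOSFODNN7EXAMPLE",                      # AWS docs example key ID
    "AIzaSyA-constructed_fake_google_key_000",   # 35 chars after 'AIza'
    "This string has no secret in it",
    "content://com.example.app.provider/items",
]

# Assumed plugin set: name -> pattern (illustrative, not the tool's own list).
PLUGINS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "firebase": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "content_uri": re.compile(r"content://[A-Za-z0-9._/-]+"),
}


def scan(strings, plugins=None):
    """Apply the selected plugins (default: all) to every string.

    Returns a JSON-friendly dict: plugin name -> sorted unique matches,
    omitting plugins that matched nothing. Regex hits are candidates only
    and still need review for false positives.
    """
    selected = plugins or list(PLUGINS)
    hits = {name: set() for name in selected}
    for s in strings:
        for name in selected:
            for m in PLUGINS[name].finditer(s):
                hits[name].add(m.group(0))
    return {name: sorted(v) for name, v in hits.items() if v}


def format_simple(results):
    """Plain-text rendering, one header per plugin (a '-s'-style report)."""
    lines = []
    for name, matches in results.items():
        lines.append(f"[{name}]")
        lines.extend(f"- {m}" for m in matches)
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_STRINGS), indent=2))          # JSON report
    print(format_simple(scan(SAMPLE_STRINGS, ["urls", "firebase"])))
```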

CAVEATS

Requires apktool and Java; may miss dynamically loaded or obfuscated secrets; false positives possible with regex matching; large APKs can be slow.

INSTALLATION

Install via go install github.com/dwisiswant0/apkleaks/cmd/apkleaks@latest or download binaries from GitHub releases. Ensure apktool is in PATH.

EXAMPLE USAGE

apkleaks -f app.apk -p urls,secrets -o results.json -v
Scans 'app.apk' with the URLs and secrets plugins, writes the JSON results to 'results.json', and enables verbose logging.

HISTORY

Developed by DWTFymH in Go, first released on GitHub in 2020. Actively maintained with plugin updates for new services; gained popularity in mobile security communities like OWASP.

SEE ALSO

apktool(1), jadx(1), grep(1), strings(1)
