APKLeaks

扫描APK文件的URI、端点和秘密。「Scanning APK file for URIs, endpoints & secrets.」

Github stars Tracking Chart

APKLeaks

version
contributions

Scanning APK file for URIs, endpoints & secrets.


Installation

It's fairly simple to install APKLeaks:

from PyPi

$ pip3 install apkleaks

from Source

Clone repository and install requirements:

$ git clone https://github.com/dwisiswant0/apkleaks
$ cd apkleaks/
$ pip3 install -r requirements.txt

from Docker

Pull the Docker image by running:

$ docker pull dwisiswant0/apkleaks:latest

Dependencies

The APKLeaks utilizes the jadx disassembler to decompile APK files. If jadx is not present in your system, it will prompt you to download it.

Usage

Simply,

$ apkleaks -f ~/path/to/file.apk
# from Source
$ python3 apkleaks.py -f ~/path/to/file.apk
# or with Docker
$ docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk

Options

Here are all the options it supports.

Argument Description Example
-f, --file APK file to scanning apkleaks -f file.apk
-o, --output Write to file results (random if not set) apkleaks -f file.apk -o results.txt
-p, --pattern Path to custom patterns JSON apkleaks -f file.apk -p custom-rules.json
-a, --args Disassembler arguments apkleaks -f file.apk --args="--deobf --log-level DEBUG"
--json Save as JSON format apkleaks -f file.apk -o results.json --json

Output

In general, if you don't provide -o argument, then it will generate results file automatically.

NOTE: By default it will also save the results in text format, use --json argument if you want JSON output format.

Pattern

Custom patterns can be added with the following argument to provide sensitive search rules in the JSON file format: --pattern /path/to/custom-rules.json. If no file is set, the tool will use the default patterns found in regexes.json file.

Here's an example of what a custom pattern file could look like:

// custom-rules.json
{
  "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
  // ...
}

To run the tool using these custom rules, use the following command:

$ apkleaks -f /path/to/file.apk -p rules.json -o ~/Documents/apkleaks-results.txt

Arguments (disassembler)

We give user complete discretion to pass the disassembler arguments. For example, if you want to activate threads in jadx decompilation process, you can add it with -a/--args argument, example: --args="--threads-count 5".

$ apkleaks -f /path/to/file.apk -a "--deobf --log-level DEBUG"

Warning:
Please pay attention to the default disassembler arguments we use to prevent collisions.

License

apkleaks is distributed under Apache 2.

Acknowledments

Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their helps and resources:

Main metrics

Overview
Name With Ownerdwisiswant0/apkleaks
Primary LanguagePython
Program languagePython (Language Count: 3)
Platform
License:Apache License 2.0
所有者活动
Created At2020-05-29 21:26:13
Pushed At2025-08-20 21:55:15
Last Commit At2025-08-21 04:43:13
Release Count29
Last Release Namev2.6.3 (Posted on )
First Release Namev0.3.1-beta (Posted on 2020-05-30 04:34:01)
用户参与
Stargazers Count5.7k
Watchers Count85
Fork Count551
Commits Count177
Has Issues Enabled
Issues Count66
Issue Open Count20
Pull Requests Count19
Pull Requests Open Count4
Pull Requests Close Count10
项目设置
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private