I was recently combing through GitHub for a tool that I tend to use on mobile application penetration tests when I came across APKLeaks. I currently make use of Mobile Security Framework for discovering sensitive information within the APK files but thought – why not try a new tool. ApkLeaks specifically scans APK files for URIs, endpoints, and secrets.
Installation
There are a ways to complete the installation:
- PyPi
- pip3 install apkleaks
- Source
- git clone https://github.com/dwisiswant0/apkleaks
- cd apkleaks/
- pip3 install -r requirments.txt
- Docker
- docker pull dwisiswant0/apkleaks:latest
I chose to do from PyPi – simple installation and worked perfectly on the new Mac M1.
Usage
Running apkleaks from the terminal will bring of the basic help menu otherwise apkleaks -h will provide additional information on each of the flags allowed for execution.
Now let’s move into some real examples – I went ahead and downloaded a couple APK files from APKPure to test this tool against. To prevent any exposure of the application tested against – I went ahead and blurred the output of the tool but you get the jist of it.
The above screenshot breaks down multiple categories the tool may discover items within source code. I have noticed that quite few of the items flagged have been false positives, however the tool has a very high processing time that can provide additional items to review – it just makes sense to add this to my testing playbook when testing mobile applications.
More from White Oak Security
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.
Read more from White Oak Security’s pentesting team.
Also – Brett made a short video to accompany this blog. Located on White Oak’s YouTube channel here – https://youtu.be/O5dGZVvX3Gg