Skip to content

worldtreeboy/apkAnalyzer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

19 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ›‘οΈ APK Analyzer

The Only Android Security Tool You'll Ever Need

Static analysis. Dynamic analysis. Frida instrumentation. Binary patching. One tool. One terminal. Zero dependencies.

Python License: MIT Platform ADB Frida


⭐ If this tool saves you time, give it a star β€” it helps others find it!


πŸš€ Get Started in 10 Seconds

git clone https://github.com/worldtreeboy/apkAnalyzer.git
cd apkAnalyzer
python3 apkAnalyzer.py

That's it. No pip install. No Docker. No config files. Just plug in a rooted device and go.


🎬 Demo

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚              APK Analyzer β€” Main Menu                 β”‚
β”‚         github.com/worldtreeboy/apkAnalyzer          β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Target: com.example.app (v2.1.0)                    β”‚
β”‚  Device: Pixel 6 (Android 14)                        β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚                                                      β”‚
β”‚   [1]  App Analysis          [7]  Logcat Monitor     β”‚
β”‚   [2]  Storage Audit         [8]  Frida CodeShare    β”‚
β”‚   [3]  Shell Access          [9]  Binary Patcher     β”‚
β”‚   [4]  Screenshot            [10] Frida Server       β”‚
β”‚   [5]  Security Scan         [11] Testcases          β”‚
β”‚   [6]  Keyboard Cache        [12] Runtime Check      β”‚
β”‚                                                      β”‚
β”‚   [a]  Switch App   [r] Export Report  [0] Exit       β”‚
β”‚                                                      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
═══════════════════════════════════════════════════════
  SECURITY SCAN β€” com.example.app
═══════════════════════════════════════════════════════

  [CRITICAL] Debuggable          android:debuggable="true"  (MASVS-RESILIENCE-1 | CWE-489)
  [HIGH]     allowBackup          No exclusion rules defined  (MASVS-STORAGE-1 | CWE-530)
  [PASS]     Cleartext Traffic    usesCleartextTraffic="false"
  [HIGH]     Exported Components  3 activities, 1 provider  (MASVS-PLATFORM-1 | CWE-926)
  [CRITICAL] Hardcoded Secrets    Found AWS key in config.xml  (MASVS-STORAGE-1 | CWE-798)
  [PASS]     Network Security     Custom config with certificate pins
  [HIGH]     APK Signing          v1-only β€” Janus (CVE-2017-13156)  (MASVS-RESILIENCE-2 | CWE-347)
  ...
  ═══════════════════════════════════════════════════════
  CRITICAL: 2  |  HIGH: 3  |  MEDIUM: 4  |  LOW: 2
  PASS: 11  FAIL: 5  WARN: 3
  Overall: CRITICAL RISK
═══════════════════════════════════════════════════════

πŸ“Ή Want to see it live? Record your own session with asciinema and share it!


πŸ’‘ Why APK Analyzer?

Most Android security tools do one thing β€” a static scanner, a Frida wrapper, or a storage dumper. You end up with 10 terminals open, copying package names between tools.

APK Analyzer replaces all of them.

What You Get
πŸ” 19 security checks in one scan β€” everything MobSF flags, from allowBackup to Janus CVE
🎣 38 Frida scripts ready to inject β€” SSL bypass, root hiding, crypto monitoring
🧬 Universal bypass script β€” SSL + root + anti-tamper in a single file
πŸ”§ Binary patching β€” Frida Gadget or LSPatch injection in one command
πŸ“¦ Zero dependencies β€” pure Python stdlib, no pip, no Docker
⚑ Smart caching β€” decompile once, reuse across all 11 tools
πŸ”Ž ~40 secret patterns β€” catches AWS, Firebase, Stripe, GitHub tokens & more
πŸ€– Framework-aware β€” auto-detects Flutter, React Native, Kotlin and adjusts scans

πŸ“‹ All 11 Features

# Feature What It Does
1 App Analysis Permissions, components, version info, framework detection, APK extraction
2 Storage Audit SharedPrefs, SQLite, Realm DBs β€” scan for secrets, PII, and insecure file permissions
3 Shell Access Interactive root shell with directory tracking
4 Screenshot Capture device screen, save locally with timestamp
5 Security Scan 19 static checks with OWASP MASVS mapping, CWE IDs, severity scoring (details below)
6 Keyboard Cache Detect if keyboard apps cache plaintext input
7 Logcat Monitor Real-time filtered log streaming with keyword highlighting
8 Frida CodeShare 38 scripts across 10 categories β€” inject from menu (details below)
9 Binary Patcher Frida Gadget injection or LSPatch/Xposed embedding (details below)
10 Frida Server USB/remote mode switching, port forwarding, auto server management
11 Testcases Launch exported components with intent actions + extras, clipboard spy, dev URL finder, adb backup extraction
12 Runtime Security Check ADB-based dynamic analysis: post-launch secret scanning, file permissions, exported component probing, clipboard/logcat leakage, WebView cache
r Report Export Export findings to JSON or HTML with severity badges, MASVS references, and CWE IDs (--report json|html)


πŸ”’ Security Scan (19 Checks)

Static analysis of the decompiled APK and AndroidManifest.xml. Each finding is scored with CRITICAL / HIGH / MEDIUM / LOW severity, mapped to OWASP MASVS v2.0 categories, and tagged with CWE IDs. Results also shown as PASS / FAIL / WARN with an overall risk summary.

CategoryCheckWhat It Flags
Manifest Debuggableandroid:debuggable="true"
allowBackupBackup enabled without exclusion rules
Exported ComponentsActivities, services, receivers, providers with exported="true"
Dangerous PermissionsCAMERA, LOCATION, SMS, RECORD_AUDIO, etc.
Network Cleartext TrafficusesCleartextTraffic="true"
Network Security ConfigMissing config or trusts user CAs
DeeplinksCustom URI schemes without validation
Code Data LeakageHardcoded secrets in XML, JSON, YAML, properties
WebView JS InterfaceaddJavascriptInterface() β€” XSS risk on SDK < 17
Debug LoggingLog.v/d, Timber, console.log, debugPrint in production
Broadcast SecuritysendBroadcast() without permission
UI / Input FLAG_SECUREMissing screenshot protection
Clipboard ExposureClipboardManager without FLAG_SENSITIVE
Keyboard CacheMissing textPassword / textNoSuggestions
TapjackingMissing filterTouchesWhenObscured
Platform SDK VersionminSdk < 23 or targetSdk < 30
PendingIntentMissing FLAG_IMMUTABLE (Android 12+ hijacking)
Task HijackingCustom taskAffinity β€” StrandHogg attack
APK Signingv1-only = Janus vulnerability (CVE-2017-13156). Checks v1/v2/v3/v4

πŸ”‘ Secret Detection (~40 Patterns)

Both Storage Audit and Security Scan use ~40 regex patterns to catch hardcoded secrets:

Provider Patterns
Generic Passwords, API keys, tokens, JWTs, bearer tokens, encryption keys
AWS AKIA access keys, secret keys, session tokens, S3 URLs
Google / Firebase AIza keys, Firebase secrets, OAuth client IDs
Azure Storage keys, connection strings, tenant secrets
Stripe / Payment sk_live_, pk_live_, PayPal, Braintree, Razorpay
Messaging Twilio, SendGrid, Slack tokens, webhook URLs
GitHub ghp_/ghs_ PATs, fine-grained tokens
Database MongoDB, Postgres, MySQL, Redis connection strings
Crypto PEM private keys, certificates

🧬 Custom Frida Script (Universal Bypass)

frida_scripts/universal_bypass.js β€” a single all-in-one script that bypasses SSL pinning, root detection, and runtime tampering simultaneously. More comprehensive than any individual CodeShare script.

frida -U -f <package> -l frida_scripts/universal_bypass.js
Layer What It Bypasses
SSL Pinning TrustManager, TrustManagerFactory, HostnameVerifier, OkHttp3 CertificatePinner (+ proguarded), Conscrypt, TrustKit, WebView SSL, Flutter BoringSSL, Apache HTTP
Root Detection File.exists (30+ paths), PackageManager (20+ root packages), Runtime.exec, ProcessBuilder, Build.TAGS, SystemProperties, RootBeer library, native fopen/access/stat
Runtime Tampering Anti-Frida (port 27042, /proc/maps, native strstr), anti-debug (ptrace, TracerPid spoofing), System.exit blocking, emulator detection, Xposed detection, process kill prevention

Every hook is wrapped in try/catch β€” if a class isn't present, it silently skips instead of crashing. Unique class names prevent collision on script reload.

🎣 Frida CodeShare (38 Scripts)

Auto-starts frida-server on device. Run scripts from local files or the built-in library:

Category Scripts
SSL Pinning Bypass Multi-Unpinning, Universal Android, Universal v2, Flutter TLS, OkHttp4
Root Detection Bypass fridantiroot, Multi-Library, RootBeer, Xamarin, freeRASP, Talsec
Anti-Debug / Anti-Tamper Anti-Debug, USB Debug, Developer Mode, Anti-Frida
Multi-Bypass SSL+Root+Emulator, Root+Emulator+SSL, OneRule
Biometric / Auth Universal Biometric, Android 11+ Biometric
Network Monitoring Traffic Interceptor, OkHttp3, TCP Trace
Crypto Monitoring Crypto Monitor, AES Monitor, KeyStore Extractor
Storage Monitoring SharedPrefs, EncryptedSharedPrefs, SQLite, File System, Clipboard
Intent / WebView Intent Intercept, Deep Link Observer, WebView Debugger
Tracing raptor Tracer, JNI Trace, List Classes, DEX Dump

πŸ”§ Binary Patcher

Two methods for non-rooted analysis:

Frida Gadget

Injects frida-gadget.so into the APK for rootless dynamic analysis.

Check deps β†’ Download gadget β†’ Decompile β†’ Patch manifest β†’ Inject smali
β†’ Copy .so β†’ Rebuild β†’ Sign β†’ Output: patched_apks/<pkg>_gadget_patched.apk

LSPatch

Embeds LSPosed/Xposed framework into the APK β€” load Xposed modules without root.

Check java β†’ Download LSPatch β†’ Get APK β†’ Patch
β†’ Output: patched_apks/

πŸ€– Framework Detection

Scans automatically detect the app framework and adjust keyword groups:

Framework How It's Detected Impact
Flutter libflutter.so Adds Flutter security plugin keywords
React Native libreactnativejni.so, libhermes.so Adds RN keywords, scans .bundle files
Kotlin kotlin/ in smali Java/Kotlin keyword coverage
Java Default fallback Default keyword coverage

Native security SDKs (VKey, Zimperium, Promon, DexGuard) are detected from .so files on every scan.


πŸ“Š Report Export

Export findings to JSON or self-contained HTML reports with severity badges, MASVS references, and CWE IDs:

python3 apkAnalyzer.py --report html --output report.html
python3 apkAnalyzer.py --report json --output findings.json

Or use the [r] Export Report menu option during an interactive session. HTML reports include color-coded severity badges, device info, and a findings summary table.


πŸ“¦ Requirements

Requirement Required Notes
Python 3.6+ Yes No pip packages needed
ADB Yes Must be in PATH
Rooted device Yes Connected via USB
apktool Yes Install guide
apksigner Optional For APK signing scheme check
frida + frida-tools Optional For Frida scripts

πŸ“ Output Structure

./extracted_apks/      ← Pulled APKs from device
./patched_apks/        ← Frida Gadget / LSPatch output
./screenshots/         ← Device screenshots
./backups/             ← adb backup .ab files + unpacked app data
./.gadget_cache/       ← Cached Frida Gadget & LSPatch jar
./.apkanalyzer_tmp/    ← Decompiled APK cache (reused across scans)

🀝 Contributing

Contributions are welcome! Feel free to open an issue or submit a pull request.


πŸ“„ License

This project is licensed under the MIT License.


⭐ Found this useful?

If APK Analyzer saved you time, star this repo β€” it helps other security researchers discover it.


Star History Chart

About

Automated static analysis tool for Android APKs - decompilation, manifest audit, sensitive data detection, and taint-to-sink analysis

Resources

License

Stars

7 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors