apkdeeplens's Introduction

APKDeepLens

APKDeepLens is a Python-based tool designed to scan Android applications (APK files) for security vulnerabilities. It specifically targets the OWASP Top 10 mobile vulnerabilities, providing an easy and efficient way for developers, penetration testers, and security researchers to assess the security posture of Android apps.

Features

APKDeepLens is a Python-based tool that performs various operations on APK files. Its main features include:

  • APK Analysis -> Scans Android application package (APK) files for security vulnerabilities.
  • OWASP Coverage -> Covers OWASP Top 10 vulnerabilities to ensure a comprehensive security assessment.
  • Advanced Detection -> Utilizes custom Python code for APK file analysis and vulnerability detection.
  • Sensitive Information Extraction -> Identifies potential security risks by extracting sensitive information from APK files, such as insecure authentication/authorization keys and insecure request protocols.
  • In-depth Analysis -> Detects insecure data storage practices, including data related to the SD card, and highlights the use of insecure request protocols in the code.
  • Intent Filter Exploits -> Pinpoints vulnerabilities by analyzing intent filters extracted from AndroidManifest.xml.
  • Local File Vulnerability Detection -> Safeguards your app by identifying potential mishandling of local file operations.
  • Report Generation -> Generates detailed and easy-to-understand reports for each scanned APK, providing actionable insights for developers.
  • CI/CD Integration -> Designed for easy integration into CI/CD pipelines, enabling automated security testing in development workflows.
  • User-Friendly Interface -> Color-coded terminal outputs make it easy to distinguish between different types of findings.

Installation

To use APKDeepLens, you'll need to have Python 3.8 or higher installed on your system. You can then install APKDeepLens using the following commands:

For Linux

git clone https://github.com/d78ui98/APKDeepLens.git
cd APKDeepLens
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python APKDeepLens.py --help

For Windows

git clone https://github.com/d78ui98/APKDeepLens.git
cd APKDeepLens
python3 -m venv venv
.\venv\Scripts\activate
pip install -r .\requirements.txt
python APKDeepLens.py --help

Usage

To scan an APK, use the command below, passing the APK file with the -apk argument. Once the scan is complete, a detailed report is displayed in the console.

python3 APKDeepLens.py -apk file.apk

If you've already extracted the source code, you can provide its path for a faster scan. Pass the source code directory of the Android application with the -source parameter.

python3 APKDeepLens.py -apk file.apk -source <source-code-path>

To generate detailed PDF and HTML reports after the scan, pass the -report argument as shown below.

python3 APKDeepLens.py -apk file.apk -report

Contributing

We welcome contributions to the APKDeepLens project. If you have a feature request, bug report, or proposal, please open a new issue here.

For those interested in contributing code, please follow the standard GitHub process. We'll review your contributions as quickly as possible :)

apkdeeplens's People

Contributors

3zcs, amitkrxyz, d78ui98, kunwaratulhax0r, nehajain444

apkdeeplens's Issues

Feature Request: Check Exported Status of Android Activities

Great work on the project so far. It is very useful for initial analysis of APK files.

I would like to request a feature that checks if Android components (activities, services, receivers, providers) are exported. This can be done by analyzing the android:exported attribute. This feature will aid developers in ensuring the security and proper configuration of their Android components, enhancing app security and integrity.
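
The check requested above, together with the intent-filter analysis listed under Features, can be sketched as follows. This is an added example, not APKDeepLens code or part of the issue: the function name and the sample manifest are constructed, and it assumes the decoded text manifest that jadx writes to resources/AndroidManifest.xml. It goes beyond the explicit attribute by also applying Android's defaults when android:exported is omitted.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, prefer defusedxml

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample (decoded text XML, as jadx writes it); not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
              android:exported="true"/>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (tag, name, how, permission) for every component that is exported."""
    root = ET.fromstring(manifest_xml.strip())
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(A + "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = comp.get(A + "exported")
        if explicit is not None:
            exported, how = explicit.lower() == "true", "explicit"
        elif comp.tag == "provider":
            # Providers default to exported only when min/target SDK is 16 or lower.
            exported, how = min(min_sdk, target_sdk) <= 16, "default"
        else:
            # Other components default to exported when they declare an intent filter.
            exported, how = comp.find("intent-filter") is not None, "default"
        if exported:
            findings.append((comp.tag, comp.get(A + "name"), how, comp.get(A + "permission")))
    return findings


if __name__ == "__main__":
    for tag, name, how, permission in exported_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:16} exported ({how}), permission={permission or 'none'}")
```

Entries marked "default" are exposed implicitly rather than by an explicit android:exported="true", and entries with no permission are reachable by any app on the device, so those are the rows to review first.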

AndroidManifest.xml not found

So, I get an error saying AndroidManifest.xml not found with the below. I can run jadx against the APK successfully. What is happening?

❯ python3 APKDeepLens.py -apk Example.apk                                                                    
                 
 ████  █████  ██  ██    ( )                  (_ )                           
██  ██ ██  ██ ██ ██    _| |  __     __  _ _   | |     __    ___    ___      
██████ █████  ████   /'_` | /'_`\ /'_`\( '_`\ | |    /'_`\/' _ `\/',__)     
██  ██ ██     ██ ██ ( (_| |(  __/(  __/| (_) )| |__ (  __/| ( ) |\__, \     
██  ██ ██     ██  ██`\__,_)`\___)`\___)| ,__/'(____/`\___)(_) (_)(____/     
                                       | |                                  
                                       (_)                                  
                                              - Made By Deepanshu
        
[+] /Users/jj/Documents/APKDeepLens/Example.apk found!
[+] Creating new directory for extracting apk : /Users/jj/Documents/APKDeepLens/app_source/Example.apk
[+] Extracting the source code to : /Users/jj/Documents/APKDeepLens/app_source/Example.apk
INFO  - loading ...
CompletedProcess(args=['/Users/jj/Documents/APKDeepLens/static_tools/jadx/bin/jadx', '/Users/jj/Documents/APKDeepLens/Example.apk', '-d', '/Users/jj/Documents/APKDeepLens/app_source/Example.apk'], returncode=0)
[-] ERROR: Manifest file /Users/jj/Documents/APKDeepLens/app_source/Example.apk/resources/AndroidManifest.xml not found.
/Users/jj/Documents/APKDeepLens/APKDeepLens.py:275: [-] [Errno 2] No such file or directory: '/Users/jj/Documents/APKDeepLens/app_source/Example.apk/resources/AndroidManifest.xml' at line 202

Error reported when scanning a test app

Error message:
\APKDeepLens-main\app_source\com.thewalleyapp.apk\resources\AndroidManifest.xml' at line 202

Not generating report

I am running this program on my Windows 11 laptop, which has Python 3.11 installed, and I am able to install the script, but whenever I scan an APK file with the given command it does not show any report on the console. I also tried to generate a report in PDF, but it's still not generating.

An error occurred during scanning

[Errno 2] No such file or directory: 'C:\Users\XXX\Downloads\APKDeepLens-main\APKDeepLens-main\app_source\testing_apps\ARS-9D-1.0-369.apk\sources\kotlin\coroutines\intrinsics\IntrinsicsKt__IntrinsicsJvmKt$createCoroutineUnintercepted$$inlined$createCoroutineFromSuspendFunction$IntrinsicsKt__Intri.java'
C:\Users\xxx\Downloads\APKDeepLens-main\APKDeepLens-main\APKDeepLens.py:275: [-] [Errno 2] No such file or directory: 'reports/report_./testing_apps/ARS-9D-1.0-369.json' at line 268

Issue in macOS: WARNING: Secure coding is automatically enabled for restorable state! However, not on all supported macOS versions of this application.

Running on macOS M1 ARM

[+] /Users/nimrod/gitapps/APKDeepLens/base.apk found!
[+] Creating new directory for extracting apk : /Users/nimrod/gitapps/APKDeepLens/app_source/base.apk
[+] Extracting the source code to : /Users/nimrod/gitapps/APKDeepLens/app_source/base.apk
INFO  - loading ...
INFO  - processing ...
2024-03-12 11:49:41.559 java[6738:1798207] WARNING: Secure coding is automatically enabled for restorable state! However, not on all supported macOS versions of this application. Opt-in to secure coding explicitly by implementing NSApplicationDelegate.applicationSupportsSecureRestorableState:.
ERROR - Error saving class: androidx.datastore.migrations.SharedPreferencesMigration
jadx.core.utils.exceptions.JadxRuntimeException: Failed to generate code for class: androidx.datastore.migrations.SharedPreferencesMigration
	at jadx.core.ProcessClass.generateCode(ProcessClass.java:93)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:253)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:218)
	at jadx.api.JavaClass.getCodeInfo(JavaClass.java:53)
	at jadx.api.JadxDecompiler.lambda$appendSourcesSave$4(JadxDecompiler.java:257)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: jadx.core.utils.exceptions.JadxRuntimeException: Codegen failed
	at jadx.core.ProcessClass.generateCode(ProcessClass.java:89)
	... 7 common frames omitted
ERROR - Error saving class: kotlinx.coroutines.flow.FlowKt__ShareKt$launchSharing$1
jadx.core.utils.exceptions.JadxRuntimeException: Failed to generate code for class: kotlinx.coroutines.flow.FlowKt__ShareKt$launchSharing$1
	at jadx.core.ProcessClass.generateCode(ProcessClass.java:93)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:253)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:218)
	at jadx.api.JavaClass.getCodeInfo(JavaClass.java:53)
	at jadx.api.JadxDecompiler.lambda$appendSourcesSave$4(JadxDecompiler.java:257)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: jadx.core.utils.exceptions.JadxRuntimeException: Codegen failed
	at jadx.core.ProcessClass.generateCode(ProcessClass.java:89)
	... 7 common frames omitted
ERROR - finished with errors, count: 18
CompletedProcess(args=['/Users/nimrod/gitapps/APKDeepLens/static_tools/jadx/bin/jadx', '/Users/nimrod/gitapps/APKDeepLens/base.apk', '-d', '/Users/nimrod/gitapps/APKDeepLens/app_source/base.apk'], returncode=0)
jad

Jadx installed

jadx --version
1.4.7

Add JSON Output

Though we are parsing the results into HTML and PDF, we should also add output in JSON.
