A static analysis toolkit for Android APK files. Built for mobile security researchers and penetration testers.
Author: Uppula Abhiram — Mobile Security Researcher
LinkedIn: https://linkedin.com/in/abhiram-patel-09a778244
Blog: https://medium.com/@uppulaabhirampatel2601
Runs a complete static analysis pass on any Android APK:
- Manifest Analysis — detects debuggable apps, backup flags, exported components that declare no android:permission, dangerous permissions
- Secret Scanning — finds hardcoded API keys, AWS credentials, Firebase tokens, bearer tokens, password hashes, internal IPs
- Dangerous API Detection — flags use of Runtime.exec, DexClassLoader, JavaScript interfaces, world-readable file modes, and more
- Native Library Analysis — extracts strings from .so files, detects unsafe C functions (strcpy, sprintf, gets), embedded URLs and IPs in ARM binaries
- Report Generation — outputs a clean severity-ranked report in both TXT and JSON
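The manifest, secret and dangerous-API checks listed above, as an added stdlib-only example (this is not the project's apk_scanner.py, and its regexes, severity assignments and dangerous-permission subset are this example's own choices). It runs over constructed sample artifacts shaped like apktool output: a decoded AndroidManifest.xml, a strings.xml and a smali fragment, all made up for this example, and emits a severity-ranked summary plus findings analogous to the tool's JSON report.

```python
# Added example: manifest, secret and dangerous-API checks over constructed sample input.
import json
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace in decoded XML
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
# Subset of Android's runtime ("dangerous") permissions; extend as needed.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.CAMERA",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
# Secret patterns (label, severity, regex); key shapes follow the vendors' published formats.
SECRET_PATTERNS = [
    ("Potential Google API Key", "HIGH", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("Potential AWS Access Key ID", "HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Bearer token", "MEDIUM", re.compile(r"\bBearer\s+[A-Za-z0-9._=-]{20,}")),
    ("Internal (RFC 1918) IP address", "LOW", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
]
# Dangerous APIs as they appear in smali method references.
DANGEROUS_APIS = [
    ("Runtime.exec (command execution)", "HIGH", "Ljava/lang/Runtime;->exec("),
    ("DexClassLoader (dynamic code loading)", "HIGH", "Ldalvik/system/DexClassLoader;-><init>("),
    ("WebView.addJavascriptInterface", "MEDIUM", "Landroid/webkit/WebView;->addJavascriptInterface("),
]
# Constructed sample artifacts, shaped like apktool's decoded output (not from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.targetapp">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".AdminService" android:exported="true" android:permission="com.example.ADMIN"/>
  </application>
</manifest>"""
SAMPLE_STRINGS_XML = """<resources>
  <string name="maps_key">AIzaSy0123456789abcdefghijklmnopqrstuvw</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="backend">http://10.0.12.5:8080/api</string>
</resources>"""
SAMPLE_SMALI = """.method public run()V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-virtual {v2, v3, v4}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
.end method"""


def finding(severity, title, ftype, detail, path):
    return {"severity": severity, "title": title, "type": ftype, "detail": detail, "file": path}


def analyze_manifest(xml_text, path="AndroidManifest.xml"):
    """Debuggable flag, backup flag, exported components lacking a permission, dangerous permissions."""
    out = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        if app.get(A + "debuggable") == "true":
            out.append(finding("HIGH", "Application is debuggable", "MANIFEST",
                               'android:debuggable="true" - app can be attached to a debugger', path))
        if app.get(A + "allowBackup", "true") == "true":  # attribute absent means backup allowed
            out.append(finding("MEDIUM", "Backup allowed", "MANIFEST",
                               "android:allowBackup is true - app data can be pulled with adb backup", path))
        for comp in app:  # exported component with no android:permission gate
            if comp.tag in ("activity", "service", "receiver", "provider") \
                    and comp.get(A + "exported") == "true" and comp.get(A + "permission") is None:
                out.append(finding("MEDIUM", f"Exported {comp.tag} without permission", "MANIFEST",
                                   f"{comp.get(A + 'name')} is exported and declares no android:permission", path))
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            out.append(finding("LOW", "Dangerous permission requested", "MANIFEST", name, path))
    return out


def scan_secrets(text, path):
    """Regex sweep over any decoded text file (strings.xml, smali, assets)."""
    return [finding(sev, f"{label} found", "SECRET", m.group(0), path)
            for label, sev, rx in SECRET_PATTERNS for m in rx.finditer(text)]


def scan_dangerous_apis(smali_text, path):
    """Line-level substring match of dangerous method references in smali."""
    return [finding(sev, label, "API", f"line {n}: {line.strip()}", path)
            for n, line in enumerate(smali_text.splitlines(), 1)
            for label, sev, needle in DANGEROUS_APIS if needle in line]


def build_report(findings, package):
    """Severity-ranked findings with a per-severity summary, ready for json.dumps."""
    ranked = sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])
    summary = {s: sum(1 for f in ranked if f["severity"] == s) for s in SEVERITY_ORDER}
    summary["TOTAL"] = len(ranked)
    return {"package": package, "summary": summary, "findings": ranked}


def scan_samples():
    findings = analyze_manifest(SAMPLE_MANIFEST)
    findings += scan_secrets(SAMPLE_STRINGS_XML, "res/values/strings.xml")
    findings += scan_dangerous_apis(SAMPLE_SMALI, "smali/com/example/targetapp/Worker.smali")
    return build_report(findings, ET.fromstring(SAMPLE_MANIFEST).get("package"))


if __name__ == "__main__":
    print(json.dumps(scan_samples(), indent=2))
```

Two points worth keeping when extending this: allowBackup defaults to true when the attribute is absent, so the check must treat a missing attribute as a finding; and an exported component is only a problem when nothing gates it, so the exported check has to look at android:permission on the component, not just the exported flag. Every hit is still a candidate for manual verification, as the README says further down.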
# Basic scan
python3 apk_scanner.py target_app.apk
# Output
security_report_<appname>_<timestamp>.txt
security_report_<appname>_<timestamp>.json
# Python 3 (no external libraries required — stdlib only)
python3 --version
# APKTool (for decompilation)
sudo apt install apktool
# strings utility (for native binary analysis)
sudo apt install binutils
============================================================
APK SECURITY SCAN REPORT
Generated by APK Security Scanner v1.0
Author: Uppula Abhiram | Mobile Security Researcher
============================================================
APK: target_app
Package: com.example.targetapp
Timestamp: 2025-01-15 14:32:10
============================================================
SUMMARY
🔴 HIGH : 4
🔶 MEDIUM : 7
⚠️ LOW : 2
ℹ️ INFO : 5
TOTAL : 18
────────────────────────────────────────────────────────────
🔴 HIGH FINDINGS (4)
────────────────────────────────────────────────────────────
[1] Application is debuggable
Type : MANIFEST
Detail : android:debuggable="true" — app can be attached to a debugger
File : AndroidManifest.xml
[2] Potential Google API Key found
Type : SECRET
Detail : AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File : /res/values/strings.xml
...
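The Native Library Analysis step from the feature list (strings from .so files, unsafe C function names, embedded URLs and IPs), as an added example that is not the project's code. Instead of shelling out to `strings`, it reimplements the printable-run extraction in Python and runs the checks over a constructed byte blob standing in for a stripped .so; the severity levels and the unsafe-function set are this example's own choices.

```python
# Added example, not the project's code: a `strings`-style pass over a .so blob
# followed by the native-library checks (unsafe libc names, URLs, IPs).
import ipaddress
import re

UNSAFE_C_FUNCTIONS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:[:/][^\s\"'<>]*)?")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_elf(blob):
    """ELF magic check: native libs inside an APK are ELF shared objects."""
    return blob[:4] == b"\x7fELF"


def extract_strings(blob, min_len=4):
    """Same idea as `strings -n <min_len>`: maximal runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def classify_ip(text):
    """Returns 'private', 'public' or None (not a valid IP address, e.g. a version string)."""
    try:
        return "private" if ipaddress.ip_address(text).is_private else "public"
    except ValueError:
        return None


def analyze_native(blob, path):
    """Native library checks over the extracted strings. A libc name in the string
    table only shows the symbol is referenced; confirming an actual unsafe call
    site needs disassembly, which is why these stay as leads, not conclusions."""
    if not is_elf(blob):
        raise ValueError(f"{path}: not an ELF object")
    out = []
    for s in extract_strings(blob):
        if s in UNSAFE_C_FUNCTIONS:
            out.append({"severity": "MEDIUM", "type": "NATIVE_UNSAFE_FUNC", "detail": s, "file": path})
        for url in URL_RE.findall(s):
            out.append({"severity": "INFO", "type": "NATIVE_URL", "detail": url, "file": path})
        for ip in IP_RE.findall(s):
            kind = classify_ip(ip)
            if kind is None:
                continue  # dotted quads like 1.2.3.400 are not addresses
            out.append({"severity": "LOW" if kind == "private" else "INFO",
                        "type": "NATIVE_IP", "detail": ip, "file": path})
    return out


def build_sample_so():
    """Constructed stand-in for a stripped ARM .so: ELF magic, binary junk and a
    few NUL-terminated strings. Not a real library."""
    junk = bytes(range(0, 32)) + b"\xff\xfe\x80\x7f"
    parts = [b"\x7fELF\x01\x01\x01\x00", junk, b"libc.so\x00", b"strcpy\x00", junk,
             b"sprintf\x00", b"memcpy\x00", junk, b"https://api.internal.example.com/v1/login\x00",
             junk, b"192.168.1.20\x00", b"ok\x00", b"1.2.3.400\x00", junk]
    return b"".join(parts)


if __name__ == "__main__":
    for f in analyze_native(build_sample_so(), "lib/arm64-v8a/libnative.so"):
        print(f"[{f['severity']}] {f['type']}: {f['detail']}")
```

On a real APK you would feed this the bytes of each file under lib/<abi>/; the ELF check stops it from wasting time on assets that merely end in .so. The IP classification goes through the ipaddress module rather than a second regex so that version strings and other dotted quads that are not addresses are dropped instead of reported.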
This tool automates Phase 1 of a full Android security assessment. For the complete methodology including dynamic analysis (Frida), local file analysis, and native binary reverse engineering with Binary Ninja:
Read: Android Application Security Testing: A Practical Methodology
- Manual code review in JADX for logic flaws
- Dynamic analysis with Frida and Burp Suite
- ARM binary analysis in Binary Ninja / Ghidra
- Third-party library CVE matching with OWASP Dependency-Check
Static analysis is the first step. The findings this tool surfaces are leads, not confirmed vulnerabilities, and should be manually verified before reporting.
Planned additions:
- Third-party library version extraction and CVE lookup via NVD API
- Frida script integration for automated dynamic analysis
- HTML report output
- Support for scanning extracted APK directories (not just .apk files)
MIT License — free to use, modify, and distribute.