apkutil

apkutil is a useful utility for mobile security testing. This tool makes it easy to resign the APK, check for potentially sensitive files and AndroidManifest.xml in the APK.

It is a wrapper for apktool, apksigner, aapt, and zipalign commands.

iOS version is here.

Requirements

Android SDK build tools
Apktool

Also, place ~/apkutil.json containing the keystore information necessary for signing apk in your home directory.

{
    "keystore_path": "hoge.keystore",
    "ks-key-alias": "fuga",
    "ks-pass": "pass:foo"
}

Installation

Since apkutil is implemented in Python, it can be installed with the pip command, which is a Python package management system.

$ pip install git+ssh://[email protected]/aktsk/apkutil.git

Usage

The command outputs are displayed in color. You can use a function with subcommands. The GIF shows the scene where the APK is changed to debuggable and res/xml/network_security_config.xml is created.

Subcommands

Most of the subcommands are assigned with alias, which is useful.

subcommand	alias	desc
`all`	-	set debuggable & networkSecurityConfig, build & sign APK
`debuggable`	`debug`, `dg`	set debuggable, build & sign APK
`network`	`net`, `n`	set networkSecurityConfig, build & sign APK
`info`	`i`	identify the package name
`screenshot`	`ss`	get screenshot from connected device
`decode`	`d`	decode APK
`build`	`b`	build APK
`sign`	`s`	sign APK
`align`	`a`	align APK

Apply all necessary patches for pentest

all subcommand sets networkSecurityConfig, makes the APK debuggable. Decode the APK, set debuggable attribute to true, set networkSecurityConfig attribute to @xml/network_security_config in AndroidManifest, make res/xml/network_security_config.xml, and rebuild it.

This feature is useful to make APK accept user certs, and use aktsk/apk-medit.

$ apkutil all sample.apk
Decoding APK by Apktool...
I: Using Apktool 2.4.1 on sample.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/taichi.kotake/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

Potentially Sensitive Files:
sample/README.md
sample/hoge.sh

Checking AndroidManifest.xml...
Permission:
android.permission.INTERNET

Debuggable:
False

AllowBackup:
False

Custom schemas:
None

Set debuggable attribute to true in AndroidManifest!

Set networkSecurityConfig attribute to true in AndroidManifest!

Building APK by Apktool...
I: Using Apktool 2.4.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

Signing APK by apksigner...
Signed

Output: sample.patched.apk

Set up networkSecurityConfig

network subcommand sets networkSecurityConfig. Decode the APK, set networkSecurityConfig attribute to @xml/network_security_config in AndroidManifest, make res/xml/network_security_config.xml, and rebuild it.

This feature is useful to make APK accept user certs.

$ apkutil network sample.apk
...

Output: sample.patched.apk

Set debuggable attribute

debuggable subcommand makes the APK debuggable. Decode the APK, set debuggable attribute to true in AndroidManifest, and rebuild it.

This feature is useful to use aktsk/apk-medit.

$ apkutil debuggable sample.apk
...

Output: sample.patched.apk

Get the package name

info subcommand allows you to see the package name.

$ apkutil info sample.apk
Getting package name by aapt...
    A: package="jp.aktsk.sample" (Raw: "jp.aktsk.sample")

Get the screenshot

screenshot subcommand allows you to get the screenshot from connected device.

$ apkutil screenshot
Getting a screenshot from connected device...
/data/local/tmp/screenshot-2020-05-21-16-58-20.png: 1 file pulled. 2.1 MB/s (14419 bytes in 0.007s)

Output: screenshot-2020-05-21-16-58-20.png

Decode the APK

decode subcommand make the APK decode by apktool. When decoding the APK, check for potentially sensitive files and check the AndroidManifest.xml.

$ apkutil decode sample.apk
Decoding APK by Apktool...
...

Potentially Sensitive Files:
sample/README.md
sample/hoge.sh

Checking AndroidManifest.xml...
Permission:
android.permission.INTERNET

Debuggable:
False

AllowBackup:
False

Custom schemas:
None

Build the APK

build subcommand make the APK build by apktool. It also sign the APK after the build is complete.

$ apkutil build sample
Building APK by Apktool...
...

Signing APK by apksigner...
Signed

Output: sample.patched.apk

Sign the APK

sign subcommand make the apk sign by apksigner.

$ apkutil sign sample.apk
Signing APK by apksigner...
Signed

Align the APK

align subcommand make the apk align by zipalign.

$ apkutil align base.patched.apk
Aligning APK by zipalign...

License

MIT License

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

aktsk / apkutil

Programming Languages

Labels

Projects that are alternatives of or similar to apkutil