# ApkSentinel

Advanced APK Static Analysis & Secret Detection Tool

Features • Installation • Usage • Documentation • Contributing

ApkSentinel is a powerful, high-performance CLI tool designed for security researchers, penetration testers, and Android developers to perform comprehensive static analysis on APK files. It detects hard-coded secrets, API keys, sensitive URLs, and security misconfigurations with advanced obfuscation resolution capabilities.

- 🚀 High Performance: Parallel processing with goroutines for fast analysis
- 🧠 Intelligent Detection: Context-aware pattern matching with confidence scoring
- 🔓 Obfuscation Resolver: Automatically decodes Base64 and other encoded strings
- 📊 Multiple Output Formats: JSON and HTML reports with detailed findings
- 🔌 Plugin-Ready: Extensible pattern system for custom detection rules
- 🛠️ CI/CD Integration: Ready-to-use GitHub Actions & GitLab CI/CD workflows
## Features

- APK Decompilation: Leverages `jadx` for DEX to Java/Smali conversion
- Secret Scanning: Regex-based detection for:
  - Google API Keys
  - Firebase URLs
  - AWS Access Keys
  - OAuth Tokens
  - GitHub Tokens
  - And many more...
- Obfuscation Resolution: Detects and decodes Base64-encoded secrets
- Context-Aware Scanning: Identifies variable names like `api_key`, `secret`, `token`
- Manifest Security Audit: Detects `debuggable`, `allowBackup`, and Network Security configurations
- Root & SSL Detection: Built-in rules for Root Detection and SSL Pinning mechanisms
- Rich Reports: JSON and HTML formats with severity classification
- CI/CD Ready: Pre-configured workflows for GitHub Actions and GitLab
- Colored CLI: Beautiful terminal output with progress indicators
## Installation

### Prerequisites

- Go 1.25 or higher
- jadx installed and accessible in PATH

### Using go install

```bash
go install -v github.com/ismailtsdln/ApkSentinel@latest
```

### Building from source

```bash
git clone https://github.com/ismailtsdln/ApkSentinel.git
cd ApkSentinel
go build -o apk-sentinel cmd/apk-sentinel.go
```

## Usage

### Basic scan

```bash
apk-sentinel -i app.apk -o ./report -f json
```

### More examples

```bash
# Scan with custom patterns
apk-sentinel -i app.apk -p custom-patterns.json -o ./report

# Generate both JSON and HTML reports
apk-sentinel -i app.apk -o ./report -f both

# Specify custom jadx path
apk-sentinel -i app.apk --jadx-path /usr/local/bin/jadx -o ./report

# Verbose output
apk-sentinel -i app.apk -v
```

Flags:

```
-i, --input string      Input APK path (required)
-o, --output string     Output directory (default "./report")
-f, --format string     Output format: json|html|both (default "json")
-p, --pattern string    Custom pattern file or directory (JSON)
    --jadx-path string  Path to jadx executable (default "jadx")
-v, --verbose           Show verbose output
-h, --help              Display help information
```
## Documentation

### Built-in Patterns

ApkSentinel comes with built-in patterns for detecting:

| Category | Examples |
|---|---|
| API Keys | Google API, Firebase, AWS, Azure |
| OAuth Tokens | Facebook, GitHub, Slack |
| Secrets | Private keys, passwords, auth tokens |
| URLs | Internal endpoints, staging servers |
| Root Detection | RootBeer, Su binary check, Magisk, Test-keys |
| SSL Pinning | OkHttp CertificatePinner, TrustKit, TrustManager |
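To show how regex patterns of this kind combine with the Base64 obfuscation resolution described in the features list, here is an added example in Go (written for this README, not ApkSentinel's own code): a minimal scanner that applies patterns with the same name/regex/severity/confidence fields as a custom pattern file to decompiled Java source, and re-scans any string literal that looks like Base64 after decoding it. The `Pattern`, `Finding` and `ScanSource` names and the sample source are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Pattern mirrors one entry of a custom pattern JSON file (a hypothetical
// type written for this example, not ApkSentinel's own).
type Pattern struct{ Name, Regex, Severity, Confidence string }

// Finding is one hit; Decoded marks a secret found only after Base64 decoding.
type Finding struct {
	Line    int
	Pattern string
	Decoded bool
}

var literalRe = regexp.MustCompile(`"([^"\\]*)"`)            // Java string literals
var b64Re = regexp.MustCompile(`^[A-Za-z0-9+/]{16,}={0,2}$`) // plausible Base64 blobs

// ScanSource runs every pattern over each line of decompiled Java source and,
// to resolve simple obfuscation, over the Base64-decoded form of any string
// literal that looks like Base64. A plaintext hit on a line takes precedence.
func ScanSource(src string, patterns []Pattern) ([]Finding, error) {
	var out []Finding
	for _, p := range patterns {
		re, err := regexp.Compile(p.Regex)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p.Name, err) // reject broken custom rules early
		}
		for n, line := range strings.Split(src, "\n") {
			if re.MatchString(line) {
				out = append(out, Finding{n + 1, p.Name, false})
				continue
			}
			for _, m := range literalRe.FindAllStringSubmatch(line, -1) {
				raw, err := base64.StdEncoding.DecodeString(m[1])
				if b64Re.MatchString(m[1]) && err == nil && re.Match(raw) {
					out = append(out, Finding{n + 1, p.Name, true})
					break
				}
			}
		}
	}
	return out, nil
}

// Constructed sample source: one plaintext key and one hidden behind Base64.
var sampleSrc = fmt.Sprintf(`class Config {
  static final String API_KEY = "customapi_abcdefghijklmnopqrstuvwxyz012345";
  static final String HIDDEN = new String(Base64.decode("%s", 0));
  static final String NAME = "hello";
}`, base64.StdEncoding.EncodeToString([]byte("customapi_0123456789abcdefghijklmnopqrstuv")))

func main() {
	fs, _ := ScanSource(sampleSrc, []Pattern{{"Custom API Key", `customapi_[0-9a-zA-Z]{32}`, "high", "high"}})
	fmt.Println(fs) // [{2 Custom API Key false} {3 Custom API Key true}]
}
```

The plaintext key on line 2 is reported directly, while the key on line 3 is only found because the Base64 literal is decoded before matching; a pattern whose regex does not compile is rejected with an error instead of being silently skipped.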
### Custom Patterns

Create a JSON file with your patterns:

```json
{
  "patterns": [
    {
      "name": "Custom API Key",
      "regex": "customapi_[0-9a-zA-Z]{32}",
      "severity": "high",
      "confidence": "high"
    }
  ]
}
```

Use it with the `-p` flag:

```bash
apk-sentinel -i app.apk -p custom-patterns.json
```

### Output Format

```json
{
  "apk_path": "app.apk",
  "results": [
    {
      "file": "com/example/Config.java",
      "line": 42,
      "pattern_name": "Google API Key",
      "severity": "high",
      "confidence": "high",
      "content": "private static final String API_KEY = \"AIza...\";"
    }
  ],
  "findings": [
    {
      "type": "Manifest",
      "description": "Application is debuggable",
      "severity": "high"
    }
  ]
}
```

### CI/CD Integration

ApkSentinel includes a ready-to-use GitHub Actions workflow:
```yaml
# .github/workflows/scan.yml
name: APK Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run ApkSentinel
        run: |
          go install github.com/ismailtsdln/ApkSentinel@latest
          apk-sentinel -i app.apk -o results -f both
```

GitLab CI/CD:

```yaml
# .gitlab-ci.yml
scan_apk:
  script:
    - go build -o apk-sentinel cmd/apk-sentinel.go
    - ./apk-sentinel -i app.apk -o results -f both
```

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
## License

This project is licensed under the MIT License - see the LICENSE file for details.

## Author

Ismail Tasdelen

- GitHub: @ismailtsdln
- LinkedIn: ismailtasdelen

## Acknowledgments

- jadx - Dex to Java decompiler
- cobra - CLI framework
- fatih/color - Colored terminal output

## Disclaimer

This tool is intended for security research and educational purposes only. Always obtain proper authorization before testing applications you don't own. The authors are not responsible for any misuse or damage caused by this tool.

If you find ApkSentinel useful, please consider giving it a ⭐ on GitHub!

Made with ❤️ by Ismail Tasdelen