Mobile Security

ApkLeaks – Scanning APK File For URIs, Endpoints And Secrets

ApkLeaks - Scanning APK File For URIs, Endpoints And Secrets


Scanning APK file for URIs, endpoints & secrets.


To install apkLeaks, simply:

$ git clone
$ cd apkleaks/
$ pip install -r requirements.txt

Or download at release tab.


This package works in Python2 (not Python3).

Install global packages:


$ sudo apt-get install libssl-dev swig -y


$ brew install openssl swig


You need to install:



$ python -f ~/path/to/file.apk


usage: apkleaks [-h] -f FILE [-o OUTPUT] [-p PATTERN]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE APK file to scanning
-o OUTPUT, --output OUTPUT
Write to file results (NULL will be saved into random
-p PATTERN, --pattern PATTERN
Path to custom patterns JSON

In general, if you don’t provide -o argument, then it will generate results file automatically.

Custom patterns can be added with the following flag --pattern /path/to/rules.json to provide sensitive search rules in the JSON file format. For example,

// rules.json
  "Amazon AWS Access Key ID": "AKIA[0-9A-Z]{16}",
$ python -f /path/to/file.apk -c rules.json -o ~/Documents/apkleaks-resuts.txt


Current version is v1.0.2, and still development.

Credits and Thanks

Since this tool includes some contributions, and I’m not an asshole, I’ll publically thank the following users for their help and resource:

  • @ndelphit – for his inspiring apkurlgrep, that’s why this tool was made.
  • @dxa4481 and y’all who contribute to truffleHogRegexes.
  • @GerbenJavado & @Bankde – for awesome pattern to discover URLs, endpoints & their parameters from LinkFinder.
  • @tomnomnom – a gf patterns.
  • @pxb1988 – for awesome APK dissambler dex2jar.
  • @ph4r05 for standalone APK parser.

About the author

Mazen Elzanaty

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: