Kev

apk2url

apk2url extracts URL and IP endpoints from an APK file and filters them into .txt output. It is suited to information gathering by red teams, penetration testers and developers who need to quickly identify the endpoints associated with an application.

 

NOTE: Why use apk2url? When compared with APKleaks, MobSF and AppInfoScanner, apk2url identifies a significantly higher number of endpoints.

 

Running apk2url

NOTE: apk2url requires apktool and jadx, which can be installed with apt. Please refer to the Dependencies section.

 

git clone https://github.com/n0mi1k/apk2url

 

./apk2url.sh /path/to/apk/file.apk

 

UPDATE: v1.2 now supports directory input for multiple APKs!

 

./apk2url.sh /path/to/apk-directory/

 

You can also install directly for easy access by running ./install.sh.
After that you can run apk2url anywhere:

 

By default there are 2 output files in the "endpoints" directory:

  • <apkname>_endpoints.txt - Contains endpoints with full URL paths
  • <apkname>_uniq.txt - Contains unique endpoint domains and IPs

 

By default, the program does not log the Android file name/path where endpoints are discovered.

 

To enable logging, run as follows:

 

apk2url /path/to/apk/file.apk log

 

*Tested on Kali 2023.2 and Ubuntu 22.04

 

Dependencies

Use apt for easy installation of these tools required by apk2url:

  • sudo apt install apktool
  • sudo apt install jadx

 

Demonstration

[Image: apk2url.jpg]

 

Disclaimer

This tool is for educational and testing purposes only. Do not use it to exploit the vulnerability on any system that you do not own or have permission to test. The authors of this script are not responsible for any misuse or damage caused by its use.

 

Download:

git clone https://github.com/n0mi1k/apk2url.git

 

Source
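
The "endpoints" output described above can be reviewed with a short script. This is an added example, not part of apk2url or the original post: it assumes <apkname>_endpoints.txt holds one URL per line (the sample below is constructed) and reports the unique hosts, the cleartext HTTP endpoints and any hardcoded RFC 1918 or loopback addresses a developer would want to remove before release.

```python
import ipaddress
import sys
from urllib.parse import urlsplit

# Constructed sample of an <apkname>_endpoints.txt file (assumed: one URL per line).
SAMPLE = """\
https://api.example.com/v1/login
http://cdn.example.com/assets/logo.png
http://192.168.1.20:8080/debug
https://10.0.0.5/admin
https://203.0.113.7/health
not a url
https://api.example.com/v1/logout
"""

# RFC 1918 ranges plus loopback: addresses that should not ship in a release build.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def triage(lines):
    """Return (unique_hosts, cleartext_urls, internal_ip_hosts) for review."""
    hosts, cleartext, internal = set(), [], set()
    for raw in lines:
        url = raw.strip()
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:
            continue  # malformed entry, e.g. a broken IPv6 literal
        if parts.scheme not in ("http", "https") or not host:
            continue  # skip blanks and non-URL noise
        hosts.add(host)
        if parts.scheme == "http":
            cleartext.append(url)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # host is a domain name, not an IP literal
        if any(ip in net for net in INTERNAL_NETS):
            internal.add(host)
    return sorted(hosts), cleartext, sorted(internal)

if __name__ == "__main__":
    # Usage: python triage.py endpoints/<apkname>_endpoints.txt (falls back to SAMPLE)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    hosts, cleartext, internal = triage(src)
    print("unique hosts:", *hosts, sep="\n  ")
    print("cleartext HTTP:", *cleartext, sep="\n  ")
    print("internal IPs:", *internal, sep="\n  ")
```
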
