Skip to content

APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.

License

Notifications You must be signed in to change notification settings

Cyber-Buddy/APKHunt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

APKHunt


APKHunt | OWASP MASVS Static Analyzer

apkhunt

APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.

With APKHunt, mobile software architects or developers can conduct thorough code reviews to ensure the security and integrity of their mobile applications, while security testers can use the tool to confirm the completeness and consistency of their test results. Whether you're a developer looking to build secure apps or an infosec tester charged with ensuring their security, APKHunt can be an invaluable resource for your work.

NOTE: It is based on the OWASP MASVS v1.5.0 which was released in Jan 2023.

Black Hat Asia Arsenal 2023

https://www.blackhat.com/asia-23/arsenal/schedule/#apkhunt--owasp-masvs-static-analyzer-31003

🎯 Features

  • Scan coverage: Covers most of the SAST (Static Application Security Testing) related test cases of the OWASP MASVS framework.
  • Multiple APK scanning: Supports scanning multiple APK files in a perticular path or folder.
  • Optimised scanning: Specific rules are designed to check for particular security sinks, resulting in an almost accurate scanning process.
  • Low false-positive rate: Designed to pinpoint and highlight the exact location of potential vulnerabilities in the source code.
  • Output format: Results are provided in a TXT file format for easy readability for end-users.

🕸️ Installation

  1. git clone https://github.com/Cyber-Buddy/APKHunt.git
  2. cd APKHunt
  3. go run apkhunt.go

Requirements:

  • Install Git: sudo apt-get install git
  • Install Golang: sudo apt install golang-go
  • Install JADX: sudo apt-get install jadx
  • Install Dex2jar: sudo apt-get install dex2jar

Limitation:

  • Only supported on Linux environments

⚙️ Usage

      _ _   __ __  _   __  _   _                _   
     / _ \ | _ _ \| | / / | | | |              | |  
    / /_\ \| |_/ /| |/ /  | |_| | _   _   _ _  | |_ 
    |  _  ||  __/ |    \  |  _  || | | |/  _  \|  _|                                                                                     
    | | | || |    | |\  \ | | | || |_| || | | || |_                                                                                      
    \_| |_/\_|    \_| \_/ \_| |_/\ _ _ /|_| |_|\_ _|                                                                                     
    ------------------------------------------------                                                                                     
    OWASP MASVS Static Analyzer  

    APKHunt Usage:                                                                                                                       
          go run apkhunt.go [options] {.apk file}                                                                                        

    Options:                                                                                                                             
         -h     For help                                                                                                                 
         -p     Provide the apk file-path
         -m     Provide the folder-path for multiple apk scanning
         -l     For logging (.txt file)

    Examples:                                                                                                                            
         APKHunt.go -p /Downloads/android_app.apk                                                                                        
         APKHunt.go -p /Downloads/android_app.apk -l
         APKHunt.go -m /Downloads/android_apps/
         APKHunt.go -m /Downloads/android_apps/ -l

📱 Security test-case coverage

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

OWASP MASVS
V1 Architecture, Design and Threat Modeling Requirements
V2 Data Storage and Privacy Requirements
V3 Cryptography Requirements
V4 Authentication and Session Management Requirements
V5 Network Communication Requirements
V6 Environmental Interaction Requirements
V7 Code Quality and Build Setting Requirements
V8 Resiliency & Reverse Engineering Requirements

💻 Demo

APKHunt_deom.mp4

🚧 Upcoming Features

  • Scanning of multiple APK files - DONE ☺️
  • More output format such as HTML - In the outer orbit! 🤔
  • Integration with third-party tools - Cannot commit! 😬

🤝 Contribution

We would love to receive any sort of contribution from the community. Please provide your valuable suggestions or feedback to make this tool even more awesome.

⚠️ Disclaimer

This project is created to help the infosec community. It is important to respect its core philosophy, values, and intentions. Please refrain from using it for any harmful, malicious, or evil purposes.

🧾 License

This project is licensed under the GNU General Public License v3.0

🧘‍♂️ Project Developer

💐 Credits

About

APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.

Topics

Resources

License

Stars

Watchers

Forks

Languages