Automated suite for HackerOne scope APK downloading, decompilation and regex searching for secrets.
This project was done a long time ago, code is rough and things can be broken.
Open sourcing the code as an example, hopefully gives some inspiration to security researchers.
- Install python requirements.txt
- Install The Silver Searcher https://github.com/ggreer/the_silver_searcher
- Make sure to have apktool installed
- Make sure to have nodejs for html interpretation
- In h1.py fill in anticaptcha api key if needed
- In h1.py fill in your proxy ip
- In h1.py fill in your ip for a killswitch
python3 h1.py
python3 apk-down.py
- ./decompile.sh
To sync output from server better use rsync:
rsync -azP root@1.2.3.4:/root/apk-hazker/output/sources/ tmp.nosync.noindex/sources
APK files can be huge, invest in cheap external storage and set up a symlink apks
in output
.