alikesk222/apk-analyzer
GitHub: alikesk222/apk-analyzer
A lightweight Python-based static security analysis tool for Android APKs that detects OWASP Mobile Top 10 vulnerabilities, hardcoded secrets and permission risks without an Android SDK, with HTML report output and CI/CD pipeline integration.
Stars: 0 | Forks: 0
# apk-analyzer
Analyze Android APK files for security vulnerabilities with no device, emulator or Android SDK required.
## Features
- **OWASP Mobile Top 10 (2024)** coverage: checks all 10 categories
- **AndroidManifest.xml analysis**: debuggable, allowBackup, exported components, SDK versions
- **Permission audit**: 40+ dangerous permissions, suspicious combinations (spyware patterns)
- **Hardcoded secret scanning**: 30+ patterns: AWS, Google, Firebase, GitHub, Stripe, OpenAI, private keys, database URLs
- **Network security**: cleartext traffic, NSC misconfigurations, TrustManager overrides, WebView risks
- **HTML report**: dark theme, easy to share, grouped by OWASP category
- **CI/CD integration**: `--fail-on critical` exits with code 1
## Installation
```
pip install apk-analyzer
```
Or install from source:
```
git clone https://github.com/alikesk222/apk-analyzer
cd apk-analyzer
pip install -e .
```
## Quick Start
```
# Full security scan
apkanalyze scan app.apk
# Scan and generate an HTML report
apkanalyze scan app.apk --output report.html
# Show metadata and permissions only
apkanalyze info app.apk
# CI/CD: fail if any critical/high findings exist
apkanalyze scan app.apk --fail-on high
```
## What It Checks
### AndroidManifest.xml (M8: Security Misconfiguration)
| Check | Risk Level |
|-------|------------|
| `android:debuggable="true"` | CRITICAL: allows a debugger to attach |
| `android:allowBackup="true"` | HIGH: data can be extracted via adb backup |
| `android:usesCleartextTraffic="true"` | HIGH: allows HTTP traffic |
| Exported Activities/Services/Receivers/Providers | MEDIUM-HIGH |
| Low minSdkVersion (< API 21) | LOW-MEDIUM |
| Custom deep-link schemes | LOW |
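The table above, applied to a decoded manifest as an added stand-alone example written for this page (not apk-analyzer's own code, which reads the binary AXML through pyaxmlparser). The sample manifest is constructed, and the MEDIUM/HIGH split per exported component type is this example's assumption within the README's MEDIUM-HIGH band.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Severity per exported component type is this example's choice within the README's MEDIUM-HIGH band.
EXPORT_SEVERITY = {"activity": "MEDIUM", "receiver": "MEDIUM", "service": "HIGH", "provider": "HIGH"}
# Constructed sample manifest in decoded text form (apk-analyzer reads the binary AXML
# through pyaxmlparser; this example skips that step).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapp">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver"/>
    <provider android:name=".DataProvider" android:exported="true"/>
  </application>
</manifest>"""

def is_exported(comp):
    # Explicit android:exported wins; otherwise Android's pre-API-31 default applies:
    # a component that declares an intent-filter is implicitly exported.
    explicit = comp.get(A + "exported")
    return explicit.lower() == "true" if explicit is not None else comp.find("intent-filter") is not None

def is_launcher(comp):
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category"))

def audit_manifest(xml_text):
    """Return (overall_risk, findings); findings is a list of (severity, message)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for attr, sev, why in (("debuggable", "CRITICAL", "a debugger can attach"),
                           ("allowBackup", "HIGH", "data is extractable via adb backup"),
                           ("usesCleartextTraffic", "HIGH", "plain HTTP traffic is allowed")):
        if app.get(A + attr, "false").lower() == "true":
            findings.append((sev, f'android:{attr}="true": {why}'))
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    if min_sdk < 21:
        findings.append(("LOW", f"minSdkVersion {min_sdk} is below API 21"))
    for tag, sev in EXPORT_SEVERITY.items():
        for comp in app.findall(tag):
            if is_exported(comp) and not is_launcher(comp):  # the launcher activity must be exported
                findings.append((sev, f"exported {tag} {comp.get(A + 'name')}"))
    overall = max((s for s, _ in findings), key=LEVELS.index, default="PASS")
    return overall, findings
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports CRITICAL overall with six findings; the launcher activity and the non-exported receiver are correctly left out.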
### Permissions (M6: Inadequate Privacy Controls)
- READ_SMS, RECEIVE_SMS (OTP interception)
- ACCESS_FINE_LOCATION + RECORD_AUDIO combination
- BIND_ACCESSIBILITY_SERVICE + SYSTEM_ALERT_WINDOW (overlay attacks)
- INSTALL_PACKAGES + RECEIVE_BOOT_COMPLETED (malware pattern)
- 40+ individual dangerous-permission checks
### Hardcoded Secrets (M1: Improper Credential Usage)
- AWS access keys and secret keys
- Google API keys, Firebase credentials
- GitHub tokens (ghp_, github_pat_)
- Stripe live keys (sk_live_, pk_live_)
- OpenAI / Anthropic API keys
- RSA/EC private keys (PEM format)
- Database connection strings
- Hardcoded passwords and secrets
- JWT tokens
- URLs with embedded credentials
### Network Security (M5: Insecure Communication)
- `network_security_config.xml` cleartext permitted
- Trust of user-installed CA certificates
- HTTP endpoints in DEX bytecode
- Custom TrustManager implementations
- Use of `ALLOW_ALL_HOSTNAME_VERIFIER`
- Weak TLS versions (SSLv3, TLSv1.0)
- WebView: JavaScript enabled, JavascriptInterface, file access
## Sample Output
```
_ ____ _ __ _ _
/ \ | _ \| |/ / / \ _ __ __ _| |_ _ _______ _ __
...
v1.0.0 - Android APK Security Analyzer (OWASP Mobile Top 10)
Loading: app-release.apk
Package: com.example.myapp | Size: 8421.3 KB | Files: 347
Overall Risk: CRITICAL (12 findings, 3.2s)
CRITICAL: 2 HIGH: 5 MEDIUM: 3 LOW: 2
+------+-------------------------------+----------+-----------+
| ID   | Category                      | Findings | Status    |
+------+-------------------------------+----------+-----------+
| M1   | Improper Credential Usage     | 3        | CRITICAL  |
| M5   | Insecure Communication        | 2        | HIGH      |
| M6   | Inadequate Privacy Controls   | 2        | HIGH      |
| M8   | Security Misconfiguration     | 3        | CRITICAL  |
| M9   | Insecure Data Storage         | 1        | HIGH      |
| M10  | Insufficient Cryptography     | 1        | CRITICAL  |
| ...  | ...                           | 0        | PASS      |
+------+-------------------------------+----------+-----------+
Critical/High Findings (7):
[CRITICAL] Application is Debuggable (M8)
[CRITICAL] Hardcoded AWS Access Key (M1)
[CRITICAL] Potential SSL/TLS Bypass: Custom TrustManager (M5)
[HIGH] Application Data Backup Enabled (M9)
[HIGH] Exported Services (2) (M1)
[HIGH] Critical Permissions Declared (3) (M6)
[HIGH] HTTP (Non-HTTPS) Endpoints Found (4) (M5)
```
## CI/CD Integration
```
# .github/workflows/apk-security.yml
- name: APK Security Scan
  run: |
    pip install apk-analyzer
    apkanalyze scan app/build/outputs/apk/release/app-release.apk \
      --output security-report.html \
      --fail-on high
- name: Upload Report
  if: always()   # still upload the report when the scan step fails the build
  uses: actions/upload-artifact@v4
  with:
    name: apk-security-report
    path: security-report.html
```
## Notes
- APK parsing uses [pyaxmlparser](https://github.com/appknox/pyaxmlparser) to handle the binary AndroidManifest.xml
- Secret scanning is based on string extraction from DEX bytecode (no decompilation required)
- No Android SDK, ADB or emulator required
- Works on macOS, Linux and Windows
## License
MIT, see [LICENSE](LICENSE)