APKrash

APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging.

---

Features

• Able to analyze pure Android Manifests, APKs, AABs and JARs.
• Downloads APKs from Google Play Store to perform analysis.
• Analyzes and detects differences on permissions, activities, services, receivers, providers, features and source code.
• With optional dependencies, supports APK extraction, decompiling and conversion to JAR.
• Outputs results as plain text, tables and JSON.

---

Install

You can download a pre-compiled binary from the Releases page.

Alternatively, you can install APKrash using the following commands:

git clone https://github.com/kamushadenes/apkrash.git
cd apkrash/cmd
go build -o apkrash

Dependencies

Those are optional non-Go dependencies that enable certain features.

apktool

For the extract command

bundletool

To support .aab files

dex2jar

For the jar command

jadx

For the decompile command and for using the -l flag to compare source code files

Usage

apkrash help

Android APK security analysis toolkit

Usage:
  apkrash [command]

Available Commands:
  analyze     Analyze an APK or Manifest
  compare     Compares two APKs or Manifests
  completion  Generate the autocompletion script for the specified shell
  decompile   Decompile APK into Java code using jadx
  extract     Extract APK using apktool
  help        Help about any command
  jar         Convert APK to JAR using dex2jar

Flags:
  -c, --color             Output with color (only valid for text mode)
  -e, --email string      Email to use for downloading APKs from Google Play
  -o, --format string     Output format, one of text, json, json_pretty, table (default "text")
  -h, --help              help for apkrash
  -d, --onlyDiffs         Output only diffs (only valid for text mode)
  -w, --password string   Password to use for downloading APKs from Google Play

Use "apkrash [command] --help" for more information about a command.

Analyze an APK or Manifest

apkrash analyze <file.apk or AndroidManifest.xml>

Compare two APKs

apkrash compare <file1.apk or AndroidManifest1.xml> <file2.apk or AndroidManifest2.xml>

Decompile an APK using jadx

apkrash decompile <file.apk> [output_dir]

Extract an APK using apktool

apkrash extract <file.apk> [output_dir]

Convert APK to JAR using dex2jar

apkrash jar <file.apk> [output_dir]

Examples

Compare two APKs showing only diffs with colored output

apkrash compare -c -d apk1.apk apk2.apk

Analyze an APK and output to JSON (pretty), including files and statistics

apkrash analyze -o json_pretty -f apk.apk

Compare two APKs and their source code, outputting to JSON

Note: this may take a few minutes as the APK needs to be decompiled using jadx

apkrash compare -o json -f -l apk1.apk apk2.apk

Roadmap

• Add support for AndroidManifest.xml
• Add support for APKs
• Add support for JARs
• Add support for AABs
• Add support for downloading APKs from Play Store
• Add support for downloading APKs from other stores

Credits

• Inspired by AndroCompare
• Google Play support provided by @89z
• Binary Android Manifest support provided by @shogo82148