Setting Up My Mobile Application Security Testing: Mass Downloading APK files
The Problem
Hunting on a program with many APK files is good, and so is security testing them. It is always a problem when the program provides a long list of App IDs, which makes downloading them individually tedious.
There are a couple of ways to do this. I, however, use apkeep to mass download the APK files from the app stores.
The Tool
I use apkeep.
Installation
cargo install apkeep
cargo install --git https://github.com/EFForg/apkeep.git   # for the latest commit
Usage
For a single download, use:
apkeep -a <app-id> -d <sources> <output dir>
The supported download sources are:
apk-pure, google-play, f-droid, huawei-app-gallery
To download the Instagram APK from apk-pure, do:
apkeep -a com.instagram.android -d apk-pure .
For mass download, there is an option to put the IDs in a CSV file and read them from a specific column:
apkeep -c <csv file> -f <field containing IDs>
If the above is a hassle, a bash loop can be written instead:
# ids.txt is the file containing the app IDs, one per line.
while read -r id; do
    apkeep -a "$id" -d apk-pure .   # The dot is the output destination folder.
done < ids.txt
If the IDs are present on the source, they will download. If not, a "Could not get download URL" message will be displayed.
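The loop above works but silently moves on past the "Could not get download URL" message. Here is an added example (my own script, not part of apkeep) that reads the same one-ID-per-line file, records the IDs that failed so they can be retried against another source, and writes SHA-256 sums of what was downloaded so the files can be looked up on a scanner by hash. It assumes apkeep is on PATH and names each file `<app id>.apk`; the `APKEEP` variable only exists so a stand-in downloader can be substituted for testing.

```shell
#!/bin/sh
# Mass-download wrapper around apkeep. Assumes apkeep is on PATH; APKEEP lets
# a different downloader be substituted (used for testing only).
APKEEP="${APKEEP:-apkeep}"

# download_ids <ids file> <source> <output dir>
# One app ID per line in <ids file>; blank lines and '#' comments are skipped.
# IDs the source does not know go to <output dir>/failed.txt so the list can be
# retried against another source. Returns 1 if any ID failed, 0 otherwise.
download_ids() {
    ids_file="$1"; src="$2"; outdir="$3"; failed=0
    mkdir -p "$outdir"
    : > "$outdir/failed.txt"
    while IFS= read -r app_id || [ -n "$app_id" ]; do
        case "$app_id" in ''|'#'*) continue ;; esac
        # apkeep reports an unknown ID with "Could not get download URL", so
        # check its output as well as its exit status.
        out=$("$APKEEP" -a "$app_id" -d "$src" "$outdir" 2>&1)
        status=$?
        if [ "$status" -eq 0 ] && ! printf '%s\n' "$out" | grep -q 'Could not get download URL'; then
            printf 'ok   %s\n' "$app_id"
        else
            printf 'FAIL %s\n' "$app_id"
            printf '%s\n' "$app_id" >> "$outdir/failed.txt"
            failed=$((failed + 1))
        fi
    done < "$ids_file"
    write_hashes "$outdir"
    [ "$failed" -eq 0 ]
}

# write_hashes <output dir>
# Records the SHA-256 of every downloaded .apk in SHA256SUMS so each file can be
# looked up on a scanner by hash before it is unpacked. Assumes apkeep named the
# files <app id>.apk (adjust the glob if your source delivers .xapk bundles).
write_hashes() {
    outdir="$1"
    : > "$outdir/SHA256SUMS"
    for f in "$outdir"/*.apk; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else shasum -a 256 "$f"; fi
    done >> "$outdir/SHA256SUMS"
}
```

Run it as `download_ids ids.txt apk-pure ./apks`; anything listed in `apks/failed.txt` can then be fed back in with a different `-d` source.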
The good thing with apkeep is it can be used to download historical versions of the app if available from the sources.
Downloading from the Google Play Store will, however, require authentication. This can be done by following the steps here.
Feeling a little Paranoid?
In the likely case that you do not trust the store, feel free to scan your files on VirusTotal, Kaspersky, OPSWAT MetaDefender Cloud, or a more specialised APK scanner like Koodous, which gives more details.
What next?
Deep dive into SAST and DAST.