APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging.
- Able to analyze pure Android Manifests, APKs, AABs and JARs.
- Downloads APKs from Google Play Store to perform analysis.
- Analyzes and detects differences on permissions, activities, services, receivers, providers, features and source code.
- With optional dependencies, supports APK extraction, decompiling and conversion to JAR.
- Outputs results as plain text, tables and JSON.
You can download a pre-compiled binary from the Releases page.
Alternatively, you can install APKrash using the following commands:
git clone https://github.com/kamushadenes/apkrash.git
cd apkrash/cmd
go build -o apkrash
These are optional non-Go dependencies that enable certain features.
decompile command and for using the -l flag to compare source code files
Android APK security analysis toolkit

Usage:
  apkrash [command]

Available Commands:
  analyze     Analyze an APK or Manifest
  compare     Compares two APKs or Manifests
  completion  Generate the autocompletion script for the specified shell
  decompile   Decompile APK into Java code using jadx
  extract     Extract APK using apktool
  help        Help about any command
  jar         Convert APK to JAR using dex2jar

Flags:
  -c, --color             Output with color (only valid for text mode)
  -e, --email string      Email to use for downloading APKs from Google Play
  -o, --format string     Output format, one of text, json, json_pretty, table (default "text")
  -h, --help              help for apkrash
  -d, --onlyDiffs         Output only diffs (only valid for text mode)
  -w, --password string   Password to use for downloading APKs from Google Play

Use "apkrash [command] --help" for more information about a command.
Analyze an APK or Manifest
apkrash analyze <file.apk or AndroidManifest.xml>
Compare two APKs
apkrash compare <file1.apk or AndroidManifest1.xml> <file2.apk or AndroidManifest2.xml>
Decompile an APK using jadx
apkrash decompile <file.apk> [output_dir]
Extract an APK using apktool
apkrash extract <file.apk> [output_dir]
Convert APK to JAR using dex2jar
apkrash jar <file.apk> [output_dir]
Compare two APKs showing only diffs with colored output
apkrash compare -c -d apk1.apk apk2.apk
Analyze an APK and output to JSON (pretty), including files and statistics
apkrash analyze -o json_pretty -f apk.apk
Compare two APKs and their source code, outputting to JSON
Note: this may take a few minutes as the APK needs to be decompiled using jadx
apkrash compare -o json -f -l apk1.apk apk2.apk
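The kind of manifest comparison that the compare command reports (permissions, features and components that differ between two builds) can be sketched on plain-text manifests. The following Go program is an added example, not APKrash's own code; the sample manifests are constructed, and the names diff, tracked, original and suspect are hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"sort"
	"strings"
)
// Constructed plain-text sample manifests (an APK stores its manifest in binary form).
const ns = "http://schemas.android.com/apk/res/android"
const original = `<manifest xmlns:android="` + ns + `">
<uses-permission android:name="android.permission.INTERNET"/>
<application><activity android:name=".MainActivity"/></application></manifest>`
const suspect = `<manifest xmlns:android="` + ns + `">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<application><activity android:name=".MainActivity"/><receiver android:name=".BootReceiver"/></application></manifest>`
// Element kinds compared, following the README's feature list.
var tracked = map[string]bool{"uses-permission": true, "uses-feature": true,
	"activity": true, "service": true, "receiver": true, "provider": true}
// diff marks entries only in b with "+ " and entries only in a with "- ".
// Each entry has the form "<element> <android:name value>".
func diff(a, b string) (changes []string, err error) {
	seen := map[string]int{} // bit 0: declared in a, bit 1: declared in b
	for i, doc := range []string{a, b} {
		dec := xml.NewDecoder(strings.NewReader(doc))
		for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
			if err != nil {
				return nil, err // malformed manifest
			}
			if se, ok := tok.(xml.StartElement); ok && tracked[se.Name.Local] {
				for _, at := range se.Attr {
					if at.Name.Space == ns && at.Name.Local == "name" {
						seen[se.Name.Local+" "+at.Value] |= 1 << i
					}
				}
			}
		}
	}
	for key, v := range seen {
		if v != 3 { // 3 = declared in both manifests
			changes = append(changes, []string{"", "- ", "+ "}[v]+key)
		}
	}
	sort.Strings(changes)
	return changes, nil
}

func main() { fmt.Println(diff(original, suspect)) }
```

A new permission or exported component that appears only in the second manifest is the sort of entry to review first when checking a build for repackaging.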
- Add support for AndroidManifest.xml
- Add support for APKs
- Add support for JARs
- Add support for AABs
- Add support for downloading APKs from Play Store
- Add support for downloading APKs from other stores
- Inspired by AndroCompare
- Google Play support provided by @89z
- Binary Android Manifest support provided by @shogo82148