← All Spotlight Stories

Spotlight: Dwi Siswanto

Creator of APKLeaks

Dwi Siswanto
On
Share on Twitter Share on LinkedIn Share on Facebook

Hey Dwi, can you tell us about your background? Where did you grow up? How did you venture into programming?

I’m an Indonesian who lives in Jakarta, but since WFH has been around for this pandemic, I have spent time back in my hometown, Cirebon. So when I answer this question, I’m 22 years old, and many don’t even know that right now I’m a rapper, oh and a shitposter too.

I have no degree or just graduated from vocational high school, so if anyone asks me how did I get started, definitely because my underrated skill is knowing how to use Google. That doesn’t mean I didn’t get anything at school! But I chose not to continue my education ‘cause I didn’t want to burden my parents financially, so I decided to find a job, with that way I could live life to the fullest! When I was in school, I spent most of my time at internet cafés. In fact, I almost wanted to be dropped out of school because I wasn’t being a good student (in the context of frequently skipping classes, not doing homework, a brawl between schools). Thanks to my teachers because they could see me as a potential person, I was finally given the opportunity to atone for those sins. Haha.

In the internet cafés, I really like to explore, looking for answers to my curiosity, and it’s undeniable that I also enjoy playing games. But, at the same time, I often make programs for cheats on the game I play.

What inspired you to build APKLeaks?

APKLeaks has attribution from Nick Mykhailyshyn, Shout out to him! I got inspired by apkurlgrep. At that time, I was just learning about Golang, so I tried to port it to Python and came up with additional rules; to extract not only URLs but also secrets. Did you know that when APKLeaks was created, it only supported Python version 2 because there were incompatible dependencies for Python3, then I entered the Python community on Discord to ask directly for the workaround.

How many other core contributors work on APKLeaks today, apart from yourself?

Actually, no one else has a major contribution but Esther (Co-founder of Defensive Lab Agency), who helped refactor and pack into Python package. Thanks to her!

What problem does APKLeaks solve for its users?

For application developers, this may be useful when pre-released in production, as it is not ideal when sensitive information is written statically.

What are some major features coming up in APKLeaks in the next releases?

I still want to add new patterns for secrets, at that time, I had added the rules from NotKeyHacks, I purposely included it because they also have to be able to distinguish which ones are secrets and which are not. However, I realized it was wrong to put them together, so I separated them into two rules files. Unfortunately, there seems to be a false-positive result from the pattern, so I’ll have to update it accordingly. Since now there is only JADX, I want users to be able to choose the decompile method of the APK, and I’m still thinking about how to implement existing rules for entropy scanning. What a roadmap!

What has been the most frequent feature request from users in the project that you haven’t gotten to yet?

Ever since I ported APKLeaks to support Python version 3, it’s been causing incompatible issues on Windows, and it turns out that many users have experienced it.

Who is the ideal user of APKLeaks? What are some use cases of using APKLeaks?

For early engagement, this is perfect for reconnaissance on Android applications for bug bounty hunters because maybe you don’t find what’s on the web application when you surf. Since I am also a Security Engineer, this is also a good step for me to use myself before doing dynamic analysis.

Are there any success stories about other people or organizations using this project that you would like to share?

Many mentions came to my Twitter of their hunt results, thanks to those who helped share how they found out. Even APKLeaks is on the mind map of how to do static analysis on Android applications, glad that APKLeaks can support it.

If someone wants to support the development of APKLeaks, where can they donate?

Surely you can donate to me personally if you’ve made some impact using my APKLeaks or just want to encourage me to continue creating new stuff. Donate me on PayPal.

About DeepSource
DeepSource helps you automatically find and fix issues in your code during code reviews, such as bug risks, anti-patterns, performance issues, and security flaws. It takes less than 5 minutes to set up with your Bitbucket, GitHub, or GitLab account. It works for Python, Go, Ruby, and JavaScript.
Get started for free
Get new spotlight stories delivered to your inbox.
Subscribe to get notified when we add a new spotlight story, once every month.