I’m an Indonesian who lives in Jakarta, but since WFH has been around for this pandemic, I have spent time back in my hometown, Cirebon. So when I answer this question, I’m 22 years old, and many don’t even know that right now I’m a rapper, oh and a shitposter too.
I have no degree or just graduated from vocational high school, so if anyone asks me how did I get started, definitely because my underrated skill is knowing how to use Google. That doesn’t mean I didn’t get anything at school! But I chose not to continue my education ‘cause I didn’t want to burden my parents financially, so I decided to find a job, with that way I could live life to the fullest! When I was in school, I spent most of my time at internet cafés. In fact, I almost wanted to be dropped out of school because I wasn’t being a good student (in the context of frequently skipping classes, not doing homework, a brawl between schools). Thanks to my teachers because they could see me as a potential person, I was finally given the opportunity to atone for those sins. Haha.
In the internet cafés, I really like to explore, looking for answers to my curiosity, and it’s undeniable that I also enjoy playing games. But, at the same time, I often make programs for cheats on the game I play.
APKLeaks has attribution from Nick Mykhailyshyn, Shout out to him! I got inspired by apkurlgrep. At that time, I was just learning about Golang, so I tried to port it to Python and came up with additional rules; to extract not only URLs but also secrets. Did you know that when APKLeaks was created, it only supported Python version 2 because there were incompatible dependencies for Python3, then I entered the Python community on Discord to ask directly for the workaround.
Actually, no one else has a major contribution but Esther (Co-founder of Defensive Lab Agency), who helped refactor and pack into Python package. Thanks to her!
For application developers, this may be useful when pre-released in production, as it is not ideal when sensitive information is written statically.
I still want to add new patterns for secrets, at that time, I had added the rules from NotKeyHacks, I purposely included it because they also have to be able to distinguish which ones are secrets and which are not. However, I realized it was wrong to put them together, so I separated them into two rules files. Unfortunately, there seems to be a false-positive result from the pattern, so I’ll have to update it accordingly. Since now there is only JADX, I want users to be able to choose the decompile method of the APK, and I’m still thinking about how to implement existing rules for entropy scanning. What a roadmap!
Ever since I ported APKLeaks to support Python version 3, it’s been causing incompatible issues on Windows, and it turns out that many users have experienced it.
For early engagement, this is perfect for reconnaissance on Android applications for bug bounty hunters because maybe you don’t find what’s on the web application when you surf. Since I am also a Security Engineer, this is also a good step for me to use myself before doing dynamic analysis.
Many mentions came to my Twitter of their hunt results, thanks to those who helped share how they found out. Even APKLeaks is on the mind map of how to do static analysis on Android applications, glad that APKLeaks can support it.
Surely you can donate to me personally if you’ve made some impact using my APKLeaks or just want to encourage me to continue creating new stuff. Donate me on PayPal.