APKHunt is an open-source Android static code analysis tool built on the OWASP MASVS framework that helps developers identify and address potential security vulnerabilities within their codebase.
APKHunt allows mobile software architects and developers to conduct code reviews to ensure the security of their mobile apps. Security testers can also use the tool to confirm that their tests are complete and consistent. APKHunt is a valuable tool for anyone who wants to build secure apps or if you are an infosec tester tasked with ensuring the security of those apps.
- Scan coverage Covers the majority of SAST (Static Application Security Testing) related test cases of the OWASP MASVS Framework.
- Multiple APK Scanning: Supports the scanning of numerous APK files within a specific path or folder.
- Optimized Scanning: Specific Rules are designed to check specific security sinks, resulting in a scanning process that is almost 100% accurate.
- Low false positive rate: Designed for pinpointing and highlighting the location of vulnerabilities in the source codes.
- Output Format: Results can be viewed in TXT format.
Here are a few things APKHunt can do:
- Scan Android applications for known security vulnerabilities.
- Uncover potential issues within an app’s code, such as insecure coding practices, improper permissions, and hardcoded credentials that might compromise security.
- Generate reports with details from the scan.
- Help developers address security vulnerabilities in their code.
- Ensure developer apps meet current security compliance standards.
Here are a few benefits of APKHunt:
- Early identification of security vulnerabilities in apps can save time and money while complying with security standards such as OWASP MASVS.
- Improve the security of apps to protect users against data breaches or any other security incidents.
Here are a few limitations of APKHunt:
- Static code analysis tools like APKHunt only detect vulnerabilities in an app’s code; therefore, they cannot find vulnerabilities caused by runtime conditions.
- This tool does not offer comprehensive security testing solutions, so it should be combined with other testing solutions like dynamic analysis tools and penetration testing to achieve optimal performance.
- APKHunt is only supported on Linux environments.
APKHunt Security test-case coverage
The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications and security testers to ensure completeness and consistency of test results.
OWASP MASVS
V1 | Architecture, Design, and Threat Modeling Requirements
V2 | Data Storage and Privacy Requirements
V3 | Cryptography Requirements
V4 | Authentication and Session Management Requirements
V5 | Network Communication Requirements
V6 | Environmental Interaction Requirements
V7 | Code Quality and Build Setting Requirements
V8 | Resiliency & Reverse Engineering Requirements
APKHunt Installation & Requirements
Installation:
- git clone https://github.com/Cyber-Buddy/APKHunt.git
- cd apkhunt
- go run apkhunt.go
Requirements:
- Install Git: sudo apt-get install git
- Install Golang: sudo apt install golang-go
- Install JADX: sudo apt-get install jadx
- Install Dex2jar: sudo apt-get install dex2jar
APKHunt is an invaluable tool for mobile app developers and security testers. It allows early identification of security vulnerabilities within apps – saving time and money – while helping comply with security standards to strengthen apps’ protections.