Android app static analysis tool used to find insecure storage buckets and Firebase endpoints and to enumerate API, HTTP endpoints, and API Keys from Strings.xml

powalll/strings.xml-scanner

strings.xml scanner

Purpose

Simple scanner for the strings.xml resource file of an Android APK, used to enumerate potentially insecure storage buckets, Firebase endpoints, API keys, and HTTP/API endpoints. It automatically scans the file, outputs notable strings.xml entries, and offers a keyword search option.

Instructions

git clone https://github.com/powalll/strings.xml-scanner
pip3 install xmltodict

To extract strings.xml from the Android APK, use APKTool and run the following command:

apktool d -s <name>.apk

Then find the file at <name>/res/values/strings.xml

Usage

python3 scanner.py [--keyword KEYWORD] <path to strings.xml>

Limitations

The current method for finding additional API/HTTP endpoints isn't comprehensive and will be improved. The scanner identifies storage buckets and Firebase endpoints but doesn't check their level of permission.
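
The kind of scan described under Purpose, as an added example that is not the code of scanner.py: it parses a constructed strings.xml with the standard library instead of xmltodict, and the regex patterns, labels and the `scan_strings_xml` name are assumptions made for illustration. Like the tool, it only identifies candidates and does not check permissions.

```python
import re
import xml.etree.ElementTree as ET

# Assumed patterns for this example; they are not the project's own rules.
PATTERNS = {
    "firebase_db": re.compile(r"https://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\b"),
    "storage_bucket": re.compile(r"[\w.-]+\.(?:appspot\.com|s3\.amazonaws\.com)\b"),
    "google_api_key": re.compile(r"(?<![\w-])AIza[0-9A-Za-z_-]{35}(?![\w-])"),
    "cleartext_http": re.compile(r"\bhttp://[^\s\"'<>]+"),
}

FAKE_KEY = "AIza" + "0" * 35  # constructed placeholder, not a real key

# Constructed sample input, shaped like res/values/strings.xml.
SAMPLE = f"""<resources>
    <string name="app_name">Demo</string>
    <string name="firebase_database_url">https://example-app.firebaseio.com</string>
    <string name="google_storage_bucket">example-app.appspot.com</string>
    <string name="google_api_key">{FAKE_KEY}</string>
    <string name="legacy_api">http://api.example.com/v1/login</string>
    <string name="backend">https://api.example.com/v2</string>
</resources>"""


def scan_strings_xml(xml_text, keyword=None):
    """Return (label, name, value) for every notable <string> entry."""
    findings = []
    # ElementTree does not fetch external entities; for APKs from unknown
    # sources a hardened parser such as defusedxml is the safer choice.
    for node in ET.fromstring(xml_text).iter("string"):
        name = node.get("name", "")
        value = "".join(node.itertext()).strip()
        labels = [label for label, rx in PATTERNS.items() if rx.search(value)]
        if not labels and "https://" in value:
            labels.append("https_endpoint")  # generic endpoint, nothing more specific
        if keyword and keyword.lower() in f"{name} {value}".lower():
            labels.append("keyword")
        findings.extend((label, name, value) for label in labels)
    return findings


if __name__ == "__main__":
    for label, name, value in scan_strings_xml(SAMPLE, keyword="login"):
        print(f"[{label}] {name} = {value}")
```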
