apkleaks

APKLeaks is a CLI tool that statically scans Android APK files to find potentially sensitive information such as URIs/endpoints and secrets, using the jadx disassembler (and other tooling) plus configurable regex-based patterns.

Evaluated Mar 29, 2026

Tags: security, android-security, apk, static-analysis, secrets, cli, regex-scanning, reverse-engineering
⚙ Agent Friendliness: 46 / 100 (Can an agent use this?)
🔒 Security: 40 / 100 (Is it safe for agents?)
⚡ Reliability: 24 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 0
  • Documentation: 70
  • Error Messages: 0
  • Auth Simplicity: 100
  • Rate Limits: 0

🔒 Security

  • TLS Enforcement: 0
  • Auth Strength: 100
  • Scope Granularity: 0
  • Dep. Hygiene: 45
  • Secret Handling: 40

Strength: no hosted service/auth implies fewer credential-handling risks. Concerns: it is designed to process potentially sensitive artifacts and produce outputs containing secrets/endpoints; the provided README does not document safe handling of results (e.g., redaction, secure storage, avoiding logging of sensitive matches) or runtime mitigations. Also depends on external tooling (jadx and others) whose integrity/verification is not described in the provided content.

⚡ Reliability

  • Uptime/SLA: 0
  • Version Stability: 35
  • Breaking Changes: 30
  • Error Recovery: 30

Best When

You want a local, repeatable static scan of APKs for common secret/endpoint patterns and can review results for false positives.

Avoid When

You need high-confidence results with minimal false positives, or you require dynamic/behavioral assurance rather than static pattern matching.

Use Cases

  • Bug bounty / mobile app security assessments by scanning APKs for exposed endpoints
  • Static analysis of Android apps for hardcoded secrets and sensitive URLs
  • Automated triage of potentially risky strings in APK resources and decompiled code

Not For

  • Verifying the presence of exploitable vulnerabilities (static regex matching may produce false positives)
  • Runtime detection of data exfiltration or behavior (no dynamic analysis mentioned)
  • Secure handling of secrets as a managed service (this is a local scanner)

Interface

  • REST API: No
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: No
  • Webhooks: No

Authentication

OAuth: No
Scopes: No

No network service authentication is described; it appears to be a local CLI workflow.

Pricing

Free tier: No
Requires CC: No

Installable open-source tool (no SaaS pricing described in provided content).

Agent Metadata

  • Pagination: none
  • Idempotent: True
  • Retry Guidance: Not documented

Known Gotchas

  • Relies on external disassembler (jadx) presence; behavior may differ if jadx needs to be downloaded
  • User-controlled disassembler arguments (-a/--args) could change output and potentially affect stability
  • If -o is omitted, output filename may be random, complicating automated pipelines


Scores are editorial opinions as of 2026-03-29.
