Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android
APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It’s PEiD for Android.
For more information on what this tool can be used for, check out:
pip install apkid
You can also run APKiD with Docker! Of course, this requires that you have git and Docker installed.
Here’s how to use Docker:
git clone https://github.com/rednaga/APKiDcd APKiD/docker build . -t rednaga:apkiddocker/apkid.sh ~/reverse/targets/android/example/example.apk[+] APKiD 2.1.0 :: from RedNaga :: rednaga.io[*] example.apk!classes.dex|-> compiler : dx
usage: apkid [-h] [-v] [-t TIMEOUT] [-r] [--scan-depth SCAN_DEPTH][--entry-max-scan-size ENTRY_MAX_SCAN_SIZE] [--typing {magic,filename,none}] [-j][-o DIR][FILE [FILE ...]]APKiD - Android Application Identifier v2.1.2positional arguments:FILE apk, dex, or directoryoptional arguments:-h, --help show this help message and exit-v, --verbose log debug messagesscanning:-t TIMEOUT, --timeout TIMEOUT Yara scan timeout (in seconds)-r, --recursive recurse into subdirectories--scan-depth SCAN_DEPTH how deep to go when scanning nested zips--entry-max-scan-size ENTRY_MAX_SCAN_SIZE max zip entry size to scan in bytes, 0 = no limit--typing {magic,filename,none} method to decide which files to scanoutput:-j, --json output scan results in JSON format-o DIR, --output-dir DIR write individual results here (implies --json)
If you come across an APK or DEX which APKiD does not recognize, please open a GitHub issue and tell us:
We are open to any type of concept you might have for “something interesting” to detect, so do not limit yourself solely to packers, compilers or obfuscators. If there is an interesting anti-disassembler, anti-vm, anti-* trick, please make an issue.
Pull requests are welcome. If you’re submitting a new rule, be sure to include a file hash of the APK / DEX so we can check the rule.
This tool is available under a dual license: a commercial one suitable for closed source projects and a GPL license that can be used in open source software.
Depending on your needs, you must choose one of them and follow its policies. A detail of the policies and agreements for each license type are available in the LICENSE.COMMERCIAL and LICENSE.GPL files.
If you want to install the latest version in order to make changes, develop your own rules, and so on, simply clone this repository, compile the rules, and install the package in editable mode:
git clone https://github.com/rednaga/APKiDcd APKiDpython prep-release.pypip install -e .[dev,test]
If the above doesn’t work, due to permission errors dependent on your local machine and where Python has been installed, try specifying the --user flag. This is likely needed if you’re not using a virtual environment:
pip install -e .[dev,test] --user
If you update any of the rules, be sure to run prep-release.py to recompile them.
If you are using Windows, install Yara 3.11.0 and yara-python-dex before compiling
pip install yara-python==3.11.0pip install wheelpip wheel --wheel-dir=yara-python-dex git+https://github.com/MobSF/yara-python-dex.gitpip install --no-index --find-links=yara-python-dex yara-python-dex
When releasing a new version, make sure the version has been updated in apkid/init.py.
As for running tests, check out .travis.yml to see how the dev and test environments are setup and tests are run.
Update the compiled rules, the readme, build the package and upload to PyPI:
./prep-release.py readmerm -f dist/*python setup.py sdist bdist_wheeltwine upload --repository-url https://upload.pypi.org/legacy/ dist/*
For more information see Packaging Projects.