16 changes: 16 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -33,6 +33,21 @@ Sometimes it is interesting to **modify the application code** to access **hidde
- [Android IME / InputMethodService Abuse (Malicious Keyboards)](inputmethodservice-ime-abuse.md)
- [NFC/EMV Relay via HCE (Android Tap-to-Pay abuse)](android-hce-nfc-emv-relay-attacks.md)
- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)

### Automated multi-source APK acquisition (justapk)

`pip install justapk` (Python 3.11+). CLI outputs JSON to **stdout** and progress to **stderr** (pipe-friendly). It tries a deterministic fallback chain across **APK20 β†’ F-Droid β†’ APKPure (mobile API) β†’ APKMirror (HTML scrape) β†’ Uptodown (mobile API) β†’ APKCombo (HTML scrape)**. Cloudflare-protected sources use **curl_cffi** with TLS fingerprint impersonation to mimic real clients and reduce bot-detection blocks.

```bash
justapk download <package> # auto fallback
justapk download <package> -s apkpure # pin a source / version / output dir
justapk search telegram
justapk info org.telegram.messenger
justapk convert app.xapk -o output/ # merges splits, re-signs with debug key
```

**convert** merges XAPK/split APKs and signs them with a **debug key**, so the resulting APK signature/provenance differs from the original (use for testing/analysis, not production installs).

- Extract APK from device:

```bash
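Review bot: The comment on `justapk download <package> -s apkpure # pin a source / version / output dir` promises three options but the command only shows `-s`; either show the version and output-directory flags as separate example lines or shorten the comment to "pin a source". The new `###` heading is also inserted between the "- **Download APKs**" bullet and the "- Extract APK from device:" bullet, which splits that list in two; moving the section below the list, or folding it into an indented sub-item, keeps the list intact. Since the tool falls back across several third-party mirrors, the section should tell readers to check which source actually served the file (from the JSON on stdout) and to compare the APK's signing certificate against a known-good copy before analysis, in the same spirit as the existing caveat about `convert` re-signing with a debug key.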
Expand Down Expand Up @@ -891,5 +906,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone β€” Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [justapk β€” multi-source APK downloader with Cloudflare bypass](https://github.com/TheQmaks/justapk)

{{#include ../../banners/hacktricks-training.md}}
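Review bot: The reference title "multi-source APK downloader with Cloudflare bypass" claims more than the section text added in the first hunk, which only says curl_cffi TLS fingerprint impersonation is used to "reduce bot-detection blocks". Align the two, for example by describing the entry as a multi-source APK downloader with TLS fingerprint impersonation, so the references list does not overstate what the body documents.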