loading
loading
Discovery
Extract URLs and endpoints from Android APK files.
overview
apkurlgrep greps an Android APK for URL-like strings and endpoint paths, surfacing the API hosts and routes an app hard-codes without making you read smali by hand. Mobile apps talk to backends, and those hosts and paths ship inside the package, so extracting them is often the quickest look at a server-side surface that has no public docs or web UI.
It stays single-purpose. Point it at the file with --apk and it walks the package resources, assets, and compiled code, then prints two things: full URLs with scheme and host, and bare endpoint paths like /api/v2/login. No separate apktool decode-and-grep dance to set up first.
On Trickest, apkurlgrep is a Discovery node that takes an APK file and writes a file plus a folder of endpoints. Wire it after an APK-collection step so mobile-derived hosts flow into the same httpx probing and nuclei scanning stages your web recon already runs, widening coverage to the app's backend.
use cases
Extract the URLs and endpoint paths embedded in an APK to reveal the API hosts and routes a mobile app depends on, often undocumented and absent from any web UI.
Hand extracted URLs to httpx and nuclei so the app's backend gets the same liveness and vulnerability testing as your web targets, from one merged endpoint list.
Pull API hosts that appear only inside the app and never in DNS or a web crawl, expanding scope beyond what subdomain enumeration finds.
Fan the node across a list of packages in a workflow, merge and dedupe the results, then probe the combined endpoint set in one pass.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| apk-file | FILE | --apk | Path to the APK file to walk and extract URLs and endpoint paths from. |
Showing key inputs. apkurlgrep exposes 1 inputs in total.
example
# extract every URL and endpoint path baked into an APKapkurlgrep --apk app-release.apkhttps://api.example.comhttps://api.example.com/v2/usershttps://cdn.example.com/static/http://analytics.example.com/collecthttps://198.51.100.24:8443/mobile/configcontent://com.example.app.fileprovider//auth/login/api/v2/profile/payments/checkoutguidance
Use apkurlgrep when you have an APK and want its embedded endpoints fast, without a full decode. It finds URLs, it does not probe them, so feed its output into httpx and a scanner. For a complete source tree, decode the APK with apktool first.
Unpacks the whole APK into a source tree. Use it when you need more than just URLs.
Extracts endpoints from JavaScript files. The web counterpart to apkurlgrep for mobile.
Pulls JS files from web targets for endpoint mining. Pairs with linkfinder on the web side.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
Crawl a list of domains and scan for endpoints, secrets, API keys, file extensions, tokens, and more.
An APK feeds apkurlgrep, which extracts the embedded endpoints and passes them to httpx so only live backend hosts land as output.
Facts on this page come from the live Trickest tool library.