APK Components Inspector
A simple-to-use Python tool that retrieves and lists exposed functionalities of Android applications (such as activities, services, receivers, and providers), derives actual intent extras attributes from Smali code, and scripts practical ADB commands for Android penetration testing.
APK Components Inspector is a Command Line utility for security researchers which automatically generates ADB commands to access exported Android components hiding in the APK files. By deriving real intent extras (name, type) from Smali code—rather than guessing—you save time and eliminate manual guesswork.
It unpacks the APK, enumerates exported activities, services, receivers, and providers, and then analyzes each component’s Smali to extract actual parameter names (e.g., what getStringExtra("username") really expects). Finally, it outputs ready-to-run adb shell commands.
⚠️ Notice: This tool is intended for research and educational purposes only. Please do not copy, or redistribute it without the author's permission
- Python3.X+
- apktool 2.6.0+
- Androguard 3.3.5 (pip install androguard==3.3.5)
- Unix-like OS (Linux/macOS/WSL) with tools installed and in your
PATH.
git clone https://github.com/thecybersandeep/apk-components-inspector
cd apk-components-inspector
python3 -m venv venv
source venv/bin/activate
pip install androguard==3.3.5 richpython apk-components-inspector.py some.apk
Note: This tool does not guarantee a working exploit for every component. It automates about 74% of the work, but a pentester must still validate, tweak, and test the generated commands to achieve an actual exploit.
| Use Case | APK Components Inspector | Drozer | Manual ADB Commands | MobSF |
|---|---|---|---|---|
| Rapid Testing of Exported Components | ✅ Instantly generates precise ADB commands for exported components (activities, services, receivers, providers), enabling testing in seconds. | ❌ Requires manual module execution and console setup, slowing down testing. | ❌ Demands manual crafting of commands, highly time-consuming. | ❌ Identifies components but requires manual command creation, delaying testing. |
| Targeting Specific Intent Extras | ✅ Extracts real intent extras (names and types) from Smali code for accurate exploitation. | ❌ Limited to runtime extra extraction, less precise and partially automated. | ❌ No extra extraction, relies on guesswork or manual reverse-engineering. | ❌ Lacks intent extra extraction, missing critical exploitation details. |
| Accessibility for All Skill Levels | ✅ Simple command-line interface—just input the APK for quick results, no complex setup. | ❌ Steep learning curve with agent installation and console expertise needed. | ❌ Requires deep ADB and Android knowledge, inaccessible to beginners. | ❌ Web interface is user-friendly, but exploitation requires manual expertise. |
| Focused Exploitation Tasks | ✅ Targets exported components with laser focus, delivering fast, relevant data. | ❌ Broad dynamic testing dilutes focus on component-specific exploits. | ❌ Unfocused, no guidance for targeting components. | ❌ Broad analysis overwhelms with unrelated data, less focus on components. |
| Time-Critical Analysis | ✅ Automates the process, minimizing manual effort and speeding up analysis. | ❌ Manual interaction and setup make it slower for urgent tasks. | ❌ Slowest due to fully manual command research and creation. | ❌ Slow for exploitation due to manual steps post-analysis. |
- Unauthorized copying, reproduction, or redistribution of this tool is strictly forbidden.
Happy Pentesting!