# Scanning APK for URIs, endpoints & secrets

## Install apkleaks

Install tool from source

{% embed url="<https://github.com/dwisiswant0/apkleaks>" %}

## Scan for URIs, endpoints & secrets

{% tabs %}
{% tab title="Source" %}

```
apkleaks -f ~/path/to/file.apk
```

{% endtab %}

{% tab title="Python" %}

```
python3 apkleaks.py -f ~/path/to/file.apk
```

{% endtab %}

{% tab title="Docker" %}

```
docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk
```

{% endtab %}
{% endtabs %}

![](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-MYSU3Su-9hb7Qp2KdfB%2F-MYSVPaQNA9M1sMtJkI5%2Fimage.png?alt=media\&token=ead19311-5913-4b01-bf63-571c16919929)

Now you can determine whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not using [Google Maps API Scanner](https://pcastagnaro.gitbook.io/pentest-bug-bounty-resources/pentest-bounty-resources/mobile/android/sast-1/apks/google-maps-api-scanner)