A simple desktop GUI tool to poke around APKs and fish out hidden API endpoints. It tries to crack the APK open with jadx, and if jadx throws a tantrum, dexlib2 steps in as backup so you still catch those juicy strings. Perfect for security folks, reverse engineers, or just developers who are curious about what their own APKs are really up to 😁 — as long as the APK isn’t heavily obfuscated, of course.
- Extract API endpoints from popular HTTP libraries:
- Retrofit (
@GET,@POST, etc.) - OkHttp
- Volley
- Ktor
- Retrofit (
- Detect generic URLs via regex.
- Decompile with jadx.
- Fallback string extraction with dexlib2 (smali-level).
- APK metadata extraction (package name, version, etc.) via apk-parser.
- Interactive Swing-based GUI with progress updates.
This project uses the following libraries:
- jadx-core → Java decompiler for Android.
- dexlib2 → Dalvik bytecode parsing.
- apk-parser → Extracts APK metadata (package name, manifest, resources).
- Java Swing (built-in) → GUI.
All dependencies are pulled via Gradle.
git clone https://github.com/hangga/ApiEndpointExtractor.git
cd ApiEndpointExtractorWe use Gradle Shadow to package all dependencies:
./gradlew shadowJarThe runnable JAR will be in:
build/libs/EndpointExtractorGUI-1.0-SNAPSHOT-all.jar
java -jar build/libs/EndpointExtractorGUI-1.0-SNAPSHOT-all.jar- Java 17+ (recommended)
- Gradle 8+
- Internet (for first-time dependency download)
- Launch the app (
java -jar ...). - Click Browse to select an
.apkfile. - Wait until decompilation + scanning finishes.
- View extracted endpoints in the result area.
- Use Export to save results to text file.
src/main/java/id/web/hangga/
├── ApiEndpointExtractor.java # Main GUI
└── ApkAnalyzer.java # APK analysis & Jadx integration
- Java 17
- Swing (UI)
- Jadx (APK decompilation)
- Gradle + ShadowJar
MIT License © 2025 \Hangga Aji Sayekti