Androzoo APK Search

Overview

APK Search is an online search service we developed to query Androzoo applications.

Based on this service, security experts can retrieve information about Android apps, including:

  • Embedded files (name, signature, ...)
  • Meta information (market, size, package ...)
  • Antivirus labels (malware family, type, ...)
  • Manifest information (permissions, activities ...)
  • Developer certificates (issuer, owner, signature ...)
  • Source code objects (e.g. classes, methods, strings ...)

APK Search is available under the same access conditions as Androzoo.

Architecture

APK Search uses Elasticsearch as both its storage backend and its query interface.

We expose a REST API that can be queried from any HTTP client or programming language.

Authentication

In order to send requests to APK Search, you must authenticate with our service.

Your email and Androzoo API key, joined by a colon, must be Base64-encoded and sent in the HTTP Basic Authorization header with each search request.

You can use this snippet to generate your key. Do not forget the colon ":" between the two values!

echo -n <email:Access key> | base64
echo -n example@uni.lu:<sha256> | base64

You must replace the tag '${APIKEY}' in the following queries with the output of the command.

Database Schema

The complete mapping of our main index can be downloaded with this query:

curl -X GET -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_mapping?pretty"

Use Case 1: Count number of documents in the database

curl -X GET -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_count"

Use Case 2: Retrieve applications associated with the malware family "adwo"

Content of the query.json
{
    "from": 0,
    "size": 10,
    "_source": false,
    "query": {"match": {"label.family":"adwo"}}
}
curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search?pretty" -d @query.json

Use Case 3: Get a document based on the SHA256 of an application

curl -X GET -H "Authorization:Basic ${APIKEY}" \
    "https://androzoo.uni.lu/apksearch/apkindex/doc/00bd7ada6e270fa463db94da24debf43c953b535aed576072756d85a6bc86c72?pretty"

Use Case 4: Get multiple documents based on the SHA256 of their application

Content of the query.json
{
    "docs": [
      {
        "_type": "doc",
        "_id": "0064e25fa9f872488fb754b23c03bba3a5a4dd0d30e89dbb123aa2fa45a08748"
      },
      {
        "_type": "doc",
        "_id": "007603e1ff7c07e00ee62b0a375d2af119a98cc54a53fb4034a57f9230cd65b7"
      }
    ]
}
curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_mget?pretty" -d @query.json

Use Case 5: Retrieve a list of apps with Chinese translations and a file ending with ".sh"

Content of the query.json
{
    "query": {
        "bool": {
            "must": [
                {"wildcard": {"file.name": "*.sh"}},
                {"term": {"resource.language": "cn"}}
            ]
        }
    }
}
curl -X POST -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search" -d @query.json

Use Case 6: Compute the total size of a set of Android applications

Content of the query.json
{
    "size": 0,
    "aggs": {
        "total": {"sum": {"field": "meta.apk.size"}}
    }
}
curl -X POST -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search" -d @query.json

Use Case 7: Retrieve a list of application packages

Content of the query.json
{
    "size": 0,
    "aggs": {
        "packages": {"terms": {"field": "meta.pkg.name"}}
    }
}
curl -X POST -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search?pretty" -d @query.json

Use Case 8: Use the Elasticsearch Scroll API to retrieve a large result set

Content of the query.json
{
    "query": {"match": {"label.family":"adwo"}}
}
curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search?pretty&scroll=5m" -d @query.json

Use Case 9: Find Android applications with the READ_PHONE_STATE permission

Content of the query.json
{
    "size": 10,
    "_source": false,
    "query": {
        "match": {"manifest.permission": "android.permission.read_phone_state"}
    }
}
curl -X GET -H "Content-Type:application/json" -H "Authorization:Basic ${APIKEY}" \
     "https://androzoo.uni.lu/apksearch/apkindex/_search?pretty" -d @query.json
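The following Python client, added here as an example and not part of the Androzoo service, ties the Authentication section to Use Cases 2 and 8: it builds the Basic header the page generates with `echo -n ... | base64`, and pages through a scroll cursor collecting the document ids (the APK SHA256s). The continuation path `/_search/scroll`, the placeholder SHA256s and the canned pages are assumptions so the paging logic runs offline.

```python
import base64
import json
import urllib.request

BASE_URL = "https://androzoo.uni.lu/apksearch"  # service root from the page

def build_auth_header(email: str, api_key: str) -> str:
    # Same value as `echo -n email:key | base64`: colon included, no newline.
    return "Basic " + base64.b64encode(f"{email}:{api_key}".encode()).decode()

def family_query(family: str, size: int = 100) -> dict:
    # Body of Use Cases 2 and 8: hits whose label.family matches `family`.
    return {"size": size, "_source": False,
            "query": {"match": {"label.family": family}}}

def http_fetch(auth: str, path: str, body: dict) -> dict:
    # Live transport: POST the JSON body with the Basic header, decode the reply.
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
        headers={"Authorization": auth, "Content-Type": "application/json"})
    return json.load(urllib.request.urlopen(req, timeout=60))

def scroll_sha256s(fetch, body: dict, keep_alive: str = "5m") -> list:
    # Page through a scroll cursor until an empty page comes back; ids are APK
    # SHA256s. /_search/scroll is standard Elasticsearch, assumed proxied here.
    page = fetch(f"/apkindex/_search?scroll={keep_alive}", body)
    ids = []
    while page["hits"]["hits"]:
        ids.extend(hit["_id"] for hit in page["hits"]["hits"])
        page = fetch("/_search/scroll",
                     {"scroll": keep_alive, "scroll_id": page["_scroll_id"]})
    return ids

# Constructed three-page scroll reply with placeholder ids, not real output.
SAMPLE_PAGES = [
    {"_scroll_id": "cursor-1", "hits": {"hits": [{"_id": "sha256-A"}, {"_id": "sha256-B"}]}},
    {"_scroll_id": "cursor-2", "hits": {"hits": [{"_id": "sha256-C"}]}},
    {"_scroll_id": "cursor-3", "hits": {"hits": []}},
]

def make_offline_fetch(pages: list):
    # Stand-in for http_fetch: continuations must use /_search/scroll + last id.
    state = {"i": 0}
    def fetch(path: str, body: dict) -> dict:
        i = state["i"]
        if i and (path != "/_search/scroll"
                  or body.get("scroll_id") != pages[i - 1]["_scroll_id"]):
            raise ValueError("bad scroll continuation")
        state["i"] = i + 1
        return pages[i]
    return fetch
```

For live use, pass `functools.partial(http_fetch, build_auth_header(email, key))` as `fetch`; the offline stand-in exercises the same loop against the canned pages.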