Project Url: bytedance/appshark
More: Author   ReportBugs   


Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.


Appshark requires a specific version of JDK -- JDK 11. After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.

Building/Compiling AppShark

We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.

$ ./gradlew build  -x test

After executing the above command, you will see an artifact file AppShark-0.1.1-all.jar in the directory build/libs.

Running AppShark

Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with

 $ java -jar build/libs/AppShark-0.1.1-all.jar  config/config.json5

The config.json5 has the following configuration contents.

  "apkPath": "/Users/apks/app1.apk",
  "out": "out",
  "rules": "unZipSlip.json",
  "maxPointerAnalyzeTime": 600

Each JSON field is explained below.

  • apkPath: the path of the apk file to analyze
  • out: the path of the output directory
  • rules: the path(s) of the rule file(s), can be more than 1 rules
  • maxPointerAnalyzeTime: the timeout duration in seconds set for the analysis started from an entry point
  • debugRule: specify the rule name that enables logging for debugging

If you provide a configuration JSON file which sets the output path as out in the project root directory, you will find the result file out/results.json after running the analysis.

Interpreting the Results

Below is an example of the results.json.

  "AppInfo": {
    "AppName": "test",
    "PackageName": "",
    "min_sdk": 17,
    "target_sdk": 28,
    "versionCode": 1000,
    "versionName": "1.0.0"
  "SecurityInfo": {
    "FileRisk": {
      "unZipSlip": {
        "category": "FileRisk",
        "detail": "",
        "model": "2",
        "name": "unZipSlip",
        "possibility": "4",
        "vulners": [
            "details": {
              "position": "< void UnZipFolderFix1(java.lang.String,java.lang.String)>",
              "Sink": "< void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31",
              "entryMethod": "< void f()>",
              "Source": "< void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3",
              "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html",
              "target": [
                "< void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3",
                "pf{obj{< void UnZipFolderFix1(java.lang.String,java.lang.String)>:35=>java.lang.StringBuilder}(unknown)->@data}",
                "< void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r11",
                "< void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31"
            "hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247",
            "possibility": "4"
            "details": {
              "position": "< void UnZipFolder(java.lang.String,java.lang.String)>",
              "Sink": "< void UnZipFolder(java.lang.String,java.lang.String)>->$r34",
              "entryMethod": "< void f()>",
              "Source": "< void UnZipFolder(java.lang.String,java.lang.String)>->$r3",
              "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html",
              "target": [
                "< void UnZipFolder(java.lang.String,java.lang.String)>->$r3",
                "pf{obj{< void UnZipFolder(java.lang.String,java.lang.String)>:33=>java.lang.StringBuilder}(unknown)->@data}",
                "< void UnZipFolder(java.lang.String,java.lang.String)>->$r14",
                "< void UnZipFolder(java.lang.String,java.lang.String)>->$r34"
            "hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad",
            "possibility": "4"
        "wiki": "",
        "deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk"
  "DeepLinkInfo": {
  "HTTP_API": [
  "JsBridgeInfo": [
  "BasicInfo": {
    "ComponentsInfo": {
    "JSNativeInterface": [
  "UsePermissions": [
  "DefinePermissions": {
  "Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json"


AppShark is licensed under the APACHE LICENSE, VERSION 2.0

Contact Us


About Me
GitHub: Trinea
Facebook: Dev Tools