Meet EFF Threat Lab’s APK Downloader, apkeep

To track state-sponsored malware and combat the stalkerware of abusive partners, you need tools. Safe, reliable, and fast tools. Yet when we started our investigations into the underbelly of the Android software ecosystem, a generic tool for reliably downloading packages on the command line did not exist. So we decided to make one, and make it available to everyone.

Developing apkeep was our solution to a practical obstacle that we faced, but the intention wasn’t to script out something that just solved our particular problem. We wanted it to be useful for the broad range of reasons someone may want to download an Android package: creating backups, performing academic research, auditing app properties, monitoring package distribution systems, and much more. To encompass this wide range of use cases, we wanted to create a tool which was simple and safe to use, reliable, and fast.

These requirements led to a set of design constraints. Writing apkeep in async Rust satisfied them and gave us the flexibility to target a number of architectures and platforms, including Android itself. For ease of use in various circumstances, we aimed to support not just Google Play but many other app stores as well. Because some of these stores are opaque, we needed to turn to Android reverse engineering techniques and dynamic analysis to look at the app stores' real-time traffic over HTTPS.

This talk aims to introduce apkeep as a tool, explore some of the novel obstacles we faced in building out this tool, and show some of the results of those who have incorporated it into their toolboxes.

Format

Presentation

When

March 6, 2026 11:00am-11:45am

Where

Ballroom C