APK.keyx — Pull Every Hidden API Key & Secret Out of Any Android App

APK.keyx rips API keys, Firebase configs & hardcoded secrets out of any APK, free & 100% in your browser

Drop any Android app file (.apk) → it rips out every hidden API key, Firebase config, and hardcoded secret. Runs 100% in your browser. No upload, no signup, no limits.

:link: https://apk-keyx.vercel.app/

Pulls 30+ secret types: Google/Firebase (full config), AWS, Stripe (live+test), OpenAI, Slack, GitHub tokens, JWT, private keys — even decodes base64/hex blobs and re-scans them.

Digs every layer: strings.xml, google-services.json, DEX bytecode (compiled code), native .so libs, resources.arsc. Each hit = exact file path + byte offset + code snippet.

Beats protected apps (Bangcle, Jiagu, method 6629) where most tools quit. Batch-upload, export JSON.

100% client-side — the APK never leaves your device, so opening a sketchy/malware sample is safe.

Good for: auditing your own app before shipping, bug bounty recon on Android targets, checking what a “free” app secretly calls home to, or surfacing CTF flags hidden in bytecode.

For apps you own, built, or are cleared to test.

The secret was never hidden. It was just unopened.

1 Like