Software distribution method or binary type: .apk file

Popularity of distribution method:
Android is the most popular operating system in the world, holding a dominant position in the mobile market with over 3 billion monthly active users as of 2026. It commands over 70-75% of the global smartphone market share. Android OS runs on devices like phones, tablets, wearables, TVs, automotive, and embedded systems.
An Android Package Kit (APK) is a specialized ZIP-format archive (.apk) used to distribute and install apps on Android, containing compiled code, resources, and a AndroidManifest.xml. It follows a strict structure, including classes.dex (compiled code), res/ (resources), and META-INF/ (signature files).

Why is this a good addition
An .apk file is a goldmine which includes API keys and Cryptographic credentials. This will fill a major gap in OSV-SCALIBR / OSV-Scanner related to Android scanning.

Key APK Components relevant to OSV-SCALIBR Scanning:

• AndroidManifest.xml: Describes the app's name, version, and necessary permissions.
• classes.dex: Contains Java or Kotlin code compiled into Dalvik executable bytecode. It's the place where API Keys and Cryptographic Credentials are found 90% of the time as strings.
• lib/: Contains compiled native libraries for specific processor architectures (e.g., arm64-v8a, x86). May contain hardcoded API and Cryptographic Keys.
• resources.arsc: A file containing all compiled resource files. May contain Cryptographic Keys.

Note:
This is a very complex extractor which include code to parse Dalvik Executable file, AndroidMAnifest.xml file (Binary AXML), and resources.arsc.

Resources:

• APK Documentation