Metadata-Version: 2.4
Name: firefetch
Version: 0.2.3
Summary: Extract Firebase credentials from Android APKs and probe their backends.
Author: bitthebyte
License: MIT
Project-URL: Homepage, https://github.com/bitthebyte/firefetch
Keywords: android,apk,firebase,security,recon,pentest
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Topic :: Security
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: requests>=2.31
Requires-Dist: curl_cffi>=0.7
Requires-Dist: rich>=13.0
Provides-Extra: dev
Requires-Dist: pytest>=7.4; extra == "dev"
Requires-Dist: requests-mock>=1.11; extra == "dev"
Requires-Dist: black>=24.0; extra == "dev"
Requires-Dist: isort>=5.13; extra == "dev"
Requires-Dist: pre-commit>=3.5; extra == "dev"

# FireFetch

A Firebase audit tool, mostly aimed at mobile apps.

Point it at an APK, an Android package name, or a set of Firebase values you
already have. It checks Remote Config, Realtime Database, Firestore, Cloud
Storage, Auth, and Hosting and tells you what's exposed.

## Install

```bash
pipx install firefetch
```


## Use it

```bash
# you already have the apk
firefetch apk app-release.apk

# you only know the package name
firefetch apk com.example.app

# no apk; just creds you already have
firefetch manual --project-id foo --api-key AIzaSy... --app-id 1:1234:android:abc
```

Handy flags: `--json out.json` for a structured dump, and `--no-write` to skip
write probes. Write probes are on by default; they write a tiny payload at a
unique path and delete it. Run `firefetch apk --help` for the rest.

## What you get

![firefetch terminal output](assets/terminal.png)

## Dev

```bash
git clone https://github.com/bitthebyte/firefetch
cd firefetch
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest
```
