
Build Analyzer

Analyze your iOS or Android build files for insights and potential issues.

What We Analyze
  • App size and components breakdown
  • Architecture support
  • Minimum OS version requirements
  • Permissions and entitlements
  • Code signing information
  • Third-party libraries

What the APK / IPA analyzer checks

Static analysis of mobile build files — the pre-flight check your CI should be running before every release. For Android APKs:

  • AndroidManifest.xml — package name, version code/name, minSDK, targetSDK, permissions, exported components.
  • Signing certificate — issuer, subject, validity, fingerprint. Detects debug-signed builds shipping as "release".
  • ProGuard / R8 status — was the code obfuscated? Unobfuscated release builds leak business logic.
  • Dangerous permissions: READ_CONTACTS, ACCESS_FINE_LOCATION, READ_SMS. Flags permissions the app requests but may not justify.
  • Cleartext traffic config: usesCleartextTraffic="true" is a common miss; this attribute is Android's equivalent of the iOS App Transport Security refusal of cleartext connections.
  • Exposed services / receivers / providers — missing android:permission means any app can invoke them.
  • Native libraries — detects outdated versions of OpenSSL, libcurl, SQLite with known CVEs.
  • Bundled secrets — scans strings for API keys matching AWS / Firebase / Stripe formats.
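The manifest checks from the list above (debuggable and cleartext flags, dangerous permissions, exported components lacking android:permission), as an added Python example that is not this analyzer's own code. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
DANGEROUS = {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS"}  # the three this page names
# Constructed sample, already decoded to text XML (inside an APK the manifest is binary).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:exported="true" android:readPermission="com.example.demo.READ"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(el):
    flag = el.get(A + "exported")
    if flag is not None:
        return flag == "true"
    # Unset: an intent-filter implied exported before Android 12 made the attribute mandatory.
    return el.find("intent-filter") is not None

def is_protected(el):
    if el.get(A + "permission"):
        return True
    # A provider guarded on only one of read/write leaves the other path open to any app.
    return el.tag == "provider" and bool(el.get(A + "readPermission") and el.get(A + "writePermission"))

def is_launcher(el):  # the launcher activity is exported by design, so it is not a finding
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in el.iter("category"))

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = [f'application: android:{a}="true"' for a in ("debuggable", "usesCleartextTraffic")
                if app is not None and app.get(A + a) == "true"]
    findings += [f"dangerous permission: {p.get(A + 'name')}" for p in root.iter("uses-permission")
                 if p.get(A + "name", "").rsplit(".", 1)[-1] in DANGEROUS]
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            if is_exported(el) and not is_protected(el) and not is_launcher(el):
                findings.append(f"exported {tag} not permission-protected: {el.get(A + 'name')}")
    return findings

if __name__ == "__main__": print(*audit_manifest(SAMPLE), sep="\n")
```
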

For iOS IPAs: provisioning profile, entitlements, Info.plist (ATS settings, privacy usage descriptions), embedded frameworks, signing chain, URL schemes, background modes.

When to run the analyzer

  • Pre-release sanity check — right before uploading to Play Store / App Store / TestFlight.
  • Suspicious APK from third party — someone sent you a build to review.
  • Post-deploy forensics — "why is the app bundle 50MB?" size analysis shows the top offenders.
  • Security audit — especially for apps that handle payments, personal data, health records.
  • Competitive analysis — publicly available APKs from competitors reveal their SDK stack, permissions, internal names.

For continuous monitoring, MobSF (Mobile Security Framework) is the open-source equivalent of this analyzer — self-hosted, richer (also does dynamic analysis), best integrated into CI pipelines. Ours is the browser-native quick-check sibling.

Frequently Asked Questions

How do I analyze an Android APK or iOS IPA file?

Drop your `.apk`, `.aab` or `.ipa` file. The analyzer extracts the manifest, permissions, signing certificate, SDK usage, ProGuard/R8 status, asset sizes and library versions. It flags common issues: debuggable builds, missing permissions, unsigned builds, bloated assets.

What security issues does the APK analyzer catch?

Debuggable flag in release builds, exported activities / services without permission protection, hardcoded API keys in strings, insecure network config (cleartext HTTP, missing TLS), outdated vulnerable libraries (OkHttp, OpenSSL versions with CVEs).

Does it check iOS IPA files the same way?

Yes. For IPA: provisioning profile, entitlements, signing certificate chain, Info.plist (ATS config, privacy usage descriptions), embedded frameworks, URL schemes, and app size breakdown. All the pre-release checks your CI should be doing.

Is my build file uploaded to your servers?

APK and IPA files are processed in our secure sandbox for deeper analysis that can't run in-browser (ZIP+DEX parsing, native library extraction). Files are auto-deleted after analysis. See our Privacy Policy for details.

How is this different from MobSF (Mobile Security Framework)?

Same idea — static analysis of Android/iOS builds. MobSF is self-hosted and richer (dynamic analysis, API tracing). Ours is instant, browser-based, zero setup — great for pre-publish sanity checks and sharing a build report with teammates.

Copyright © 2026 BuildStudio. All rights reserved.
