Android APK security analysis tool that runs in the browser. Drop in an APK file and it decompiles the DEX, parses the manifest, scans for issues, and lets you browse the code. Nothing gets uploaded anywhere.
- **DEX Decompiler**: reads DEX bytecode and converts it to Java pseudocode and Smali disassembly. Class trees, method signatures, field listings, string extraction.
- **Security Scanner**: 80+ rules covering hardcoded secrets, weak crypto, insecure HTTP, exported components, WebView vulns, intent issues, SQL injection, certificate pinning bypasses, and more. Findings tagged with CWE, OWASP Mobile Top 10, MASVS.
- **Manifest Parser**: decodes binary AXML. Exported components, permissions, SDK versions, backup flags, deep link schemes, task hijacking, custom permissions.
- **Certificate Analysis**: reads signing certs from the APK.
- **Component Inspector**: lists all exported activities, services, receivers, providers with intent filters and permissions. Generates ADB commands to test each one.
- **Tracker Detection**: identifies 38+ ad SDKs, analytics, crash reporters, payment libs from DEX strings.
- **File Explorer**: browse APK contents. XML, JSON, images, databases, .so files with syntax highlighting or hex view.
- **PDF Export**: findings report with all instances.
Go to apkauditor.com and drop an APK.

Or run it locally: open index.html in Chrome, Firefox, or Edge, or serve it:

```
python -m http.server 8000
```

Open the page, drag and drop an APK onto the drop zone. Wait for analysis to finish. Browse the five tabs: Overview, Findings, Code & Explorer, Components, Manifest.

Click any finding to jump to the source. Use the sidebar search to find classes, methods, strings across all decompiled code.
| Category | What it checks |
|---|---|
| Storage | World-readable/writable files, external storage, SharedPreferences, SQLite raw queries |
| Crypto | Weak hashes (MD5, SHA-1), hardcoded keys, ECB mode, static IVs, no padding, deprecated ciphers |
| Network | Cleartext HTTP, missing cert pinning, custom TrustManagers, hostname verifier bypasses |
| Components | Exported without permissions, intent redirection, pending intent mutability, deep link hijacking |
| WebView | JavaScript enabled, file access, debug mode, content provider access, mixed content |
| Secrets | API keys (Google, AWS, Firebase, Stripe, Twilio, etc.), hardcoded passwords and tokens |
| Code | Reflection, dynamic class loading, native libs, clipboard access, screenshot flags |
Handles APKs with multiple DEX files (classes.dex through classes9.dex). All get parsed and scanned.
```
index.html          - UI and styling
apk-analyzer.js     - all analysis logic
lib/
  jszip.min.js      - ZIP extraction (MIT)
  jspdf.umd.min.js  - PDF export (MIT)
```
Everything runs client-side in JavaScript. The APK is extracted with JSZip, DEX files are parsed from binary, bytecode is translated to Java pseudocode through register tracking and pattern matching, binary XML is decoded from AXML format, and certificates are parsed from PKCS#7/DER. No server, no uploads, no external calls.
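As an added illustration of the "DEX files are parsed from binary" step (example code written for this README, not apkauditor's own implementation), the block below reads the fixed 0x70-byte DEX header, validates the magic, endian tag and declared sizes, and recomputes the Adler-32 checksum so a truncated or tampered classes.dex is noticed before any table offset is followed. Field offsets follow the public DEX format; the sample header bytes are constructed inline.

```javascript
// Added example (not apkauditor's code): parse the fixed 0x70-byte DEX header and
// verify its integrity before trusting any table offset it declares.
const DEX_HEADER_SIZE = 0x70;
const DEX_ENDIAN_CONSTANT = 0x12345678;
// Adler-32 as used by the DEX checksum field: covers everything after the field itself.
function adler32(bytes, start) {
  let a = 1, b = 0;
  for (let i = start; i < bytes.length; i++) {
    a = (a + bytes[i]) % 65521;
    b = (b + a) % 65521;
  }
  return ((b << 16) | a) >>> 0;
}

function parseDexHeader(bytes) {
  if (bytes.length < DEX_HEADER_SIZE) throw new Error("truncated DEX header");
  const magic = String.fromCharCode(...bytes.subarray(0, 8));
  if (!/^dex\n0(35|37|38|39)\0$/.test(magic)) throw new Error("bad DEX magic");
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const u32 = (off) => dv.getUint32(off, true); // DEX fields are little-endian on disk
  const table = (off) => ({ size: u32(off), off: u32(off + 4) }); // (X_size, X_off) pair
  const hdr = {
    version: magic.slice(4, 7), checksum: u32(8), fileSize: u32(32),
    headerSize: u32(36), endianTag: u32(40), mapOff: u32(52),
    stringIds: table(56), typeIds: table(64), protoIds: table(72), fieldIds: table(80),
    methodIds: table(88), classDefs: table(96), data: table(104),
  };
  if (hdr.endianTag !== DEX_ENDIAN_CONSTANT) throw new Error("unsupported endian_tag");
  if (hdr.headerSize !== DEX_HEADER_SIZE) throw new Error("unexpected header_size");
  if (hdr.fileSize !== bytes.length) throw new Error("file_size does not match input");
  // A non-empty table whose offset lies past the end of the file is malformed.
  for (const t of [hdr.stringIds, hdr.typeIds, hdr.protoIds, hdr.fieldIds, hdr.methodIds, hdr.classDefs]) {
    if (t.size > 0 && t.off >= bytes.length) throw new Error("table offset out of bounds");
  }
  hdr.checksumOk = adler32(bytes, 12) === hdr.checksum; // tampering or truncation shows here
  return hdr;
}

// Constructed sample: a header-only DEX (no tables) with a valid checksum.
function buildSampleDex() {
  const bytes = new Uint8Array(DEX_HEADER_SIZE);
  const dv = new DataView(bytes.buffer);
  bytes.set([0x64, 0x65, 0x78, 0x0a, 0x30, 0x33, 0x35, 0x00], 0); // "dex\n035\0"
  dv.setUint32(32, DEX_HEADER_SIZE, true); // file_size
  dv.setUint32(36, DEX_HEADER_SIZE, true); // header_size
  dv.setUint32(40, DEX_ENDIAN_CONSTANT, true); // endian_tag
  dv.setUint32(8, adler32(bytes, 12), true); // checksum goes in last
  return bytes;
}
```

The same header check applies unchanged to each of classes.dex through classes9.dex pulled out of the ZIP; a mismatched checksum on any of them is worth surfacing as a finding rather than silently decompiling the file.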
MIT. See LICENSE.
For authorized security testing and educational use only. Get permission before analyzing APKs you don't own.