Android · MASVS

Mobile APK Security Scan

Upload an Android APK and get a static security assessment in seconds. We decode the manifest, flag risky posture (debuggable, backup, cleartext traffic, exported components), list dangerous permissions, and scan the dex and resources for hard-coded secrets — all without installing anything.

Pro feature

Mobile APK Scan is a Pro tool

Specialized scans are part of ONEROXE Pro. Sign in and upgrade to run the Mobile APK Scan.

What you'll unlock
  • AndroidManifest decoding — package, version, min/target SDK
  • Risky posture — debuggable, allowBackup, cleartext traffic, Network Security Config
  • Exported activities/services/receivers/providers without a protecting permission
  • Requested permissions, with dangerous (runtime) permissions highlighted

Pro from ₹349/mo ($12/mo).

What this assesses

AndroidManifest decoding — package, version, min/target SDK
Risky posture — debuggable, allowBackup, cleartext traffic, Network Security Config
Exported activities/services/receivers/providers without a protecting permission
Requested permissions, with dangerous (runtime) permissions highlighted
Hard-coded secrets in classes*.dex and readable resources (redacted)
Archive inventory — dex files and bundled native libraries

How it works

Read-only · static analysis — your APK is not run
  1. You upload an Android APK; we unpack it server-side (with strict zip-bomb limits) and analyse it statically.
  2. We review the manifest posture, exported components, dangerous permissions, code-signing (flagging debug certs), and scan the dex/resources for hard-coded secrets — MASVS-aligned.
  3. The app is never executed and the upload is bounded and discarded after analysis.
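The manifest posture and exported-component checks from steps 1 and 2 (the same items listed under "What this assesses"), as an added example that is not ONEROXE's code: a Python pass over an AndroidManifest.xml that has already been decoded from binary XML to plain text. The DANGEROUS permission subset and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")
DANGEROUS = {  # small subset of Android runtime ("dangerous") permissions, constructed for this example
    "android.permission.READ_CONTACTS", "android.permission.CAMERA", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}

def attr(el, name):
    # Read an android:-namespaced attribute; None when the attribute is absent.
    return el.get(f"{{{ANDROID_NS}}}{name}")

def assess_manifest(xml_text):
    # Returns (posture findings, exported components lacking a permission, dangerous permissions).
    root = ET.fromstring(xml_text)
    app = root.find("application")
    posture = []
    if attr(app, "debuggable") == "true":
        posture.append("debuggable=true")
    if attr(app, "allowBackup") != "false":  # allowBackup defaults to true when absent
        posture.append("allowBackup not disabled")
    if attr(app, "usesCleartextTraffic") == "true":
        posture.append("usesCleartextTraffic=true")
    if attr(app, "networkSecurityConfig") is None:
        posture.append("no networkSecurityConfig")
    exposed = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = attr(comp, "exported")
        # No explicit android:exported plus an intent-filter means implicitly exported (targetSdk < 31)
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and attr(comp, "permission") is None:
            exposed.append(f"{comp.tag} {attr(comp, 'name')}")
    requested = [attr(p, "name") for p in root.findall("uses-permission")]
    return posture, exposed, sorted(p for p in requested if p in DANGEROUS)

# Constructed sample manifest, already decoded from binary XML to plain text.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver"><intent-filter><action android:name="com.example.SYNC"/></intent-filter></receiver>
    <service android:name=".AdminService" android:exported="true" android:permission="com.example.ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE))
```

The service is not flagged because it carries an android:permission, while the receiver is flagged even without android:exported because its intent-filter makes it implicitly exported on older target SDKs.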

What it doesn't do: this is a static review; dynamic/runtime testing and deep MASVS-L2 testing are out of scope.

Why it matters

Anyone can pull your published APK from a device or store and inspect it. A debuggable release, a key baked into the dex, or an unprotected exported component is trivially found by an attacker — and just as trivially found here, before they do.

Frequently asked questions

Do you keep my APK?

No. The file is decoded in-memory for the duration of the scan and is not stored. Any secrets found are redacted to a masked preview.

How deep does it go?

This is a fast static pass: manifest, archive structure, permissions and string-level secret detection across the dex and resources. Deeper bytecode analysis (crypto misuse, root/tamper detection, data-flow) is part of a full mobile engagement.

Can it scan iOS apps (IPA)?

This tool targets Android APKs. iOS IPA analysis is available as part of a mobile penetration test.
