Mobile Security

Decompile and Audit Any Android Package in Your Browser

Upload an APK or AAB — we extract the manifest, decompile DEX bytecode, and surface hardcoded secrets, exported components, weak permissions, and insecure network configuration in one pass.

Try Android APK Analyzer

Drag & drop or browse (.apk, .aab)

How It Works

From target input to actionable findings in three straightforward steps.

01. Upload APK / AAB

Drop your Android package into the uploader. Size limits apply on the free tier.

02. Static Analysis

Manifest, smali bytecode, native libs, signing certificate, and network-security config are parsed.

03. Findings by Severity

Hardcoded secrets, exported components, cleartext-traffic allowance, dangerous permissions, debug flags — all sorted by severity.

Key Capabilities

Purpose-built scanning backed by real penetration testing expertise.

Secret Detection

API keys, AWS secrets, Firebase tokens, private keys buried in resources or smali.

Manifest Audit

Exported components, intent filters, dangerous permissions, backup / debug flags.

Network Security Config

Cleartext traffic, certificate pinning, user-CA trust settings.

Signing Audit

Certificate chain, v1 / v2 / v3 signing, debug-signed binaries.

Library Inventory

Third-party SDK enumeration with known-vulnerability mapping.

Browser Upload

Analysis happens server-side after upload; no local toolchain required.
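As an added example (not part of the Pentestas tool or of this page), the kind of manifest and network-security-config checks described under Manifest Audit and Network Security Config, with the results sorted by severity as in step 03, written in Python. It assumes the package has already been unpacked to plain-text XML (for instance with apktool); the manifest and config below are constructed samples, and the dangerous-permission list and severity ratings are the example's own choices, not the tool's.

```python
"""Static audit of an unpacked AndroidManifest.xml and network_security_config.xml.

Added example: the input XML is constructed, not taken from a real app, and the
severity assignments are illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android grants at runtime ("dangerous" protection level).
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
    "android.permission.CAMERA",
}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample manifest with several weak settings deliberately present.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:debuggable="true" android:allowBackup="true"
        android:usesCleartextTraffic="true"
        android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SyncReceiver" android:exported="true"/>
        <service android:name=".UploadService" android:exported="true"
            android:permission="com.example.demo.UPLOAD"/>
    </application>
</manifest>"""

# Constructed sample network security config: cleartext allowed, user CAs trusted, no pins.
SAMPLE_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return (severity, message) findings for permissions, app flags and exported components."""
    findings = []
    root = ET.fromstring(xml_text)
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("MEDIUM", f"dangerous permission requested: {name}"))
    app = root.find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append(("HIGH", "android:debuggable=true in release manifest"))
    if _attr(app, "allowBackup") == "true":
        findings.append(("LOW", "android:allowBackup=true: app data extractable via adb backup"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("MEDIUM", "android:usesCleartextTraffic=true"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = _attr(comp, "name")
            exported_attr = _attr(comp, "exported")
            if exported_attr is None:
                # Before Android 12, a component with an intent-filter defaults to exported.
                exported = comp.find("intent-filter") is not None
            else:
                exported = exported_attr == "true"
            is_launcher = any(_attr(c, "name") == "android.intent.category.LAUNCHER"
                              for f in comp.findall("intent-filter")
                              for c in f.findall("category"))
            if exported and not is_launcher and _attr(comp, "permission") is None:
                findings.append(("HIGH", f"exported {tag} {name} without a permission guard"))
    return findings


def audit_network_security_config(xml_text):
    """Flag cleartext allowances, user-CA trust, and absence of certificate pinning."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(("MEDIUM", f"{cfg.tag} permits cleartext traffic"))
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(("MEDIUM", f"{cfg.tag} trusts user-installed CAs"))
    if root.find(".//pin-set") is None:
        findings.append(("LOW", "no certificate pinning configured"))
    return findings


def audit_package(manifest_xml, nsc_xml):
    """Combine both audits and order findings HIGH -> MEDIUM -> LOW."""
    findings = audit_manifest(manifest_xml) + audit_network_security_config(nsc_xml)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for sev, msg in audit_package(SAMPLE_MANIFEST, SAMPLE_NSC):
        print(f"[{sev}] {msg}")
```

The launcher activity is skipped deliberately: it must be exported for the app to start, so flagging it would be a false positive of exactly the kind a tuned engine avoids. The exported service that declares its own android:permission is also not reported, since the permission guard is the mitigation the check is looking for.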

Common Use Cases

Pre-release check before Play Store submission
Third-party SDK audit
Post-incident triage when an APK is suspected compromised
Verify no debug / test secrets shipped to prod
Compliance evidence collection
Fast triage of an APK handed off by the mobile team

Why Use Pentestas

Security tools built by penetration testers, not just developers.

Enterprise-Grade Accuracy

Our scanning engine is built on the same methodologies our penetration testers use in manual engagements, tuned to minimize false positives and surface genuine risk.

Fast, Actionable Results

Get findings in minutes rather than days. Every result includes severity ratings, technical evidence, and clear remediation steps your team can act on immediately.

Continuous Monitoring

Schedule recurring scans from the Pentestas platform to catch regressions before they reach production. Stay ahead of new CVEs and configuration drift.

Privacy First

Your scan data is encrypted at rest and in transit. You own your data, with full control over retention and export.

Detailed Reporting

Export findings as PDF, CSV, or JSON. Feed results directly into your SIEM, ticketing system, or CI/CD pipeline through our REST API.

Instant Setup

Run scans directly from your browser. Enter a target, click scan, and receive results. Ready in under a minute.

Start scanning with Android APK Analyzer today

Create a free account and run your first scan in under a minute. Full platform access during your 14-day trial.

Frequently Asked Questions

What is the upload limit?
The free tier caps file size at a conservative limit; larger packages are supported in the paid engine.

Is the APK stored after analysis?
No. Binaries are processed in-memory and discarded.

Does it run dynamic analysis?
The free tool focuses on static analysis. Dynamic sandbox execution is available in the paid engine.