APK Vulnerability Scanner
Scan an APK for security weaknesses: insecure settings, exposed components, hard-coded secrets, risky permissions, and suspicious code patterns. Not a CVE scan.
About APK Vulnerability Scanner
APK Vulnerability Scanner is part of APKLint’s security & malware toolkit, which finds risky behavior, trackers, and suspicious patterns. It’s free to use and needs no account.
Your privacy is the default: files you upload are processed on our servers over an encrypted connection and permanently deleted by a scheduled hourly cleanup after analysis finishes, and never shared.
What APK Vulnerability Scanner checks
- Insecure manifest settings and exported surfaces
- Hard-coded secrets and credentials
- Risky permissions and cleartext traffic
- Suspicious code patterns via YARA
Good to know: Finds weaknesses in the app's own configuration and code. It does NOT match bundled libraries against a CVE database.
When to use APK Vulnerability Scanner
- Best for: Finding weaknesses the app itself ships (exposed components, insecure storage/transport settings, and hard-coded secrets), when you think in terms of vulnerabilities rather than viruses.
- Not the right tool for: CVE matching against third-party library versions (that is the Gradle Vulnerability Scanner), or antivirus scanning.
- What you get back: App-owned vulnerability findings (exposed surfaces, insecure flags, and secret-like strings), each with context.
- How it differs from related APKLint tools: It overlaps with the Security Scanner but is framed around 'weaknesses in your code/config', whereas Gradle Vulnerability Scan targets known-bad dependency versions.
- Limitations: It reasons statically about the app's own code and config; it does not match a CVE database or execute the app.
How to use APK Vulnerability Scanner
- Choose your APK file — Drop an .apk file onto the page, or click to select it from your device.
- Send securely — The file is uploaded over an encrypted connection to our analysis servers.
- Read your report — APKLint unpacks and inspects the package and lays out the results on screen.
- Your file is removed — It's deleted by an hourly cleanup job after analysis finishes.
Why use APKLint
Every tool is free with no login and no paywall. Reasonable file and input limits keep the free service stable.
A clean, focused interface with no third-party ad banners cluttering your results.
Files you upload are deleted by a scheduled hourly cleanup after analysis finishes, and never shared.
Uses androguard manifest and DEX analysis plus YARA heuristic indicators.
Start immediately — no account, login, or email required.
Runs in any modern browser, on desktop or mobile.
Frequently asked questions
What does APK Vulnerability Scanner do?
Scan an APK for security weaknesses: insecure settings, exposed components, hard-coded secrets, risky permissions, and suspicious code patterns. Not a CVE scan.
Does this find CVEs in my libraries?
No. It finds configuration and code weaknesses in the APK itself. CVE/dependency matching needs source/lockfiles — not available from a built APK here.
Is it free to use?
Yes. Every tool on APKLint is completely free, with no sign-up and no account.
How is my data handled?
Your uploaded file and its result are processed on our servers over an encrypted connection, then removed by the next hourly cleanup after analysis finishes. We never share them.
What files can I send?
An Android APK — a .apk file — up to 1 GB.