APK Analyzer

Browser-based Android APK deep analysis: AndroidManifest.xml decode, permission risk grading, v1/v2/v3 signature detection, DEX class listing, native lib breakdown, hardcoded-secrets scan, and full archive tree — 100% client-side.

Updated May 23, 2026
How to Use
  1. Drop any .apk (or .aab / .ipa / .zip) file onto the dropzone.
  2. The Overview tab shows package ID, version, target SDK, signing schemes, sizes.
  3. Permissions tab grades each uses-permission as dangerous / signature / normal.
  4. DEX + Native tabs surface classes.dex files (open in Binary Explorer) and lib/{arch}/*.so.
  5. Secrets tab regex-scans every text file for AWS / GitHub / Google / Slack tokens, JWTs, private keys.

What it analyses

Manifest
Decodes Android binary XML (AXML) — package, version, SDK levels, components
Permissions
Grades each uses-permission as dangerous, signature, normal — full risk descriptions
Signing
Detects v1 (JAR), v2, v3, v3.1 (APK Signature Scheme) — surfaces signing block magic
DEX
Lists every classes.dex + classesN.dex with file size — opens directly in Binary Explorer
Native
Surfaces lib/{arm64-v8a,armeabi-v7a,x86,x86_64}/*.so with per-arch totals
Secrets
Regex scan: AWS keys, GitHub/Slack tokens, Google API keys, JWTs, private keys, Firebase URLs
Tree
Hierarchical view of every ZIP entry, click any file to preview or download
Strings
res/values/strings.xml decoded so localised labels show up readable

How APK analysis works

An APK is a ZIP archive with a known internal layout. The central directory at the end of the file lists every entry — AndroidManifest.xml, classes.dex, resources.arsc, res/, lib/, assets/, META-INF/. Most entries are deflate-compressed and inflated by the browser's built-in DecompressionStream. The manifest itself is stored in AXML — Android's binary XML format with a string pool, resource-ID map, and chunked element tree — which this tool decodes back to readable XML. Permissions are extracted from <uses-permission> tags and matched against AOSP's risk database. Signing is detected by checking for the APK Sig Block 42 magic before the central directory (v2/v3) and the META-INF/*.RSA|DSA|EC files (v1). The secrets scan applies the same regex patterns used by malware-triage tools.
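
The v2/v3 signing check described above, written out as an added example; it is not this tool's own code. The function names `detectSigningSchemes` and `buildSample` are hypothetical, and the scheme block IDs come from AOSP's APK Signature Scheme documentation rather than from this page.

```javascript
// Added example (not the tool's code). IDs are from AOSP's APK Signature Scheme docs.
const SCHEME_IDS = { 0x7109871a: "v2", 0xf05368c0: "v3", 0x1b93ad61: "v3.1" };
const MAGIC = "APK Sig Block 42";

function detectSigningSchemes(bytes) { // bytes: Uint8Array holding the whole file
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  // 1. Scan backwards for the End of Central Directory record (PK\x05\x06).
  let eocd = -1;
  for (let i = bytes.length - 22; i >= 0 && i >= bytes.length - 22 - 0xffff; i--) {
    if (dv.getUint32(i, true) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("not a ZIP: no EOCD record");
  const cdOffset = dv.getUint32(eocd + 16, true);
  // 2. The 16-byte magic must sit directly before the central directory.
  if (cdOffset < 32 || cdOffset > eocd) return [];
  const magic = String.fromCharCode(...bytes.subarray(cdOffset - 16, cdOffset));
  if (magic !== MAGIC) return [];
  // 3. The footer size field must match the size field that opens the block.
  const size = Number(dv.getBigUint64(cdOffset - 24, true));
  const start = cdOffset - size - 8;
  if (size < 24 || start < 0 || Number(dv.getBigUint64(start, true)) !== size) return [];
  // 4. Walk the uint64-length-prefixed ID-value pairs and map known IDs to schemes.
  const found = [];
  for (let p = start + 8; p + 12 <= cdOffset - 24; ) {
    const len = Number(dv.getBigUint64(p, true));
    if (len < 4 || p + 8 + len > cdOffset - 24) break; // malformed pair: stop walking
    const id = dv.getUint32(p + 8, true);
    if (SCHEME_IDS[id]) found.push(SCHEME_IDS[id]);
    p += 8 + len;
  }
  return found;
}

// Constructed sample: dummy 4-byte values, empty central directory, bare EOCD record.
function buildSample(ids) {
  const size = ids.length * 16 + 24, cdOffset = 8 + size;
  const buf = new Uint8Array(cdOffset + 22), dv = new DataView(buf.buffer);
  dv.setBigUint64(0, BigInt(size), true);
  ids.forEach((id, i) => {
    dv.setBigUint64(8 + i * 16, 8n, true); // pair length = 4-byte ID + 4-byte value
    dv.setUint32(16 + i * 16, id, true);
  });
  dv.setBigUint64(cdOffset - 24, BigInt(size), true);
  [...MAGIC].forEach((c, i) => { buf[cdOffset - 16 + i] = c.charCodeAt(0); });
  dv.setUint32(cdOffset, 0x06054b50, true); // EOCD signature
  dv.setUint32(cdOffset + 16, cdOffset, true); // central directory offset
  return buf;
}
```

Finding a scheme ID only shows that a signature block is present, not that the signature verifies. Detecting v1 still requires listing META-INF/ from the central directory.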

Frequently Asked Questions

Does it upload my APK?

No. Everything — ZIP extraction, AXML decoding, secrets scan — runs inside your browser.

IPA support?

Yes. iOS .ipa is a ZIP too, so the tree view + plist files + secrets scan work. APK-specific tabs (AXML, DEX) are skipped.

How big can the APK be?

The whole file is loaded into memory for ZIP parsing. Several hundred MB is fine. Multi-GB game APKs may push browser limits.

Can it decompile DEX to Java?

Not directly — but the DEX tab links each classes.dex into Binary Explorer where you get Dalvik bytecode disassembly + the stack-machine decompiler.

Why is my AndroidManifest.xml binary?

Android compiles XML resources into a custom binary format ("AXML") at build time. This tool decodes it back to readable XML.

Common Use Cases

Malware triage

Spot dangerous permissions, native libs, embedded URLs, hardcoded keys in seconds.

Privacy audit

Check what data an app could access and what trackers it pulls in.

Reverse engineering

Pair with Binary Explorer for DEX disassembly + Dalvik decompilation.

Supply chain check

Verify signing certificate, check for known-bad SDKs in the resource tree.
