Day 10 of #100VibeProjects
Built a local web tool that does static security analysis of Android APKs: upload an APK and get a report covering permissions, hardcoded secrets, SDK fingerprinting, cert pinning, and crypto posture.
The interesting part: the methodology came from reverse-engineering the WhiteHouse app teardown that went viral last week. Applied the same five-gate analysis framework to a real banking app.
Found an expired certificate pin (silently disables TLS pinning for all users), a session replay SDK with no confirmed masking rules, and four Adobe tracking SDKs doing cross-device user stitching.
The tool runs entirely locally. No data leaves your machine. APK deleted after analysis.
Stack: Python · Flask · androguard · 380 lines
Blog: mrdee.in
https://mrdee.in/writing/vibecoding-day010-offline-apk-security-analyzer/
GitHub Repo: https://github.com/mr-dinesh/Offline-APK-Analyzer
#VibeCoding #AppSec #AndroidSecurity #MobileSecurity #Python #Flask #DFIR #InfoSec #ReverseEngineering #CyberSecurity
Vibecoding-Day010-Create offline web tool for static security analysis of Android APK files
Building an Offline APK Security Analyzer in Flask
Project #10 of the 100 Vibe Coding Projects challenge

I've been doing APK security analysis manually for years: pulling the file, running jadx, grepping through decompiled source, eyeballing the manifest. It works, but it's slow, and the output lives in a terminal window that disappears the moment you close it. This week's project: wrap that entire methodology into a local web tool. Upload an APK, get a structured risk report in your browser. No internet required, nothing stored, and the APK is deleted the moment analysis completes.
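Two of the checks the post describes, the certificate-pin gate and the hardcoded-secret grep, are small enough to show end to end. The block below is an added example written for this page, not code from the Offline-APK-Analyzer repo. It skips androguard so it runs with the standard library alone: the network_security_config.xml and the "decompiled" Java lines are constructed inline (the domains, pins and key values are made up), and `audit_pinning` / `scan_secrets` are names chosen here. The pin check encodes the point behind the banking-app finding: Android stops enforcing a `<pin-set>` once its `expiration` date passes, and the connection keeps working unpinned, so an expired pin never shows up as a crash or a user-visible error.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: a Network Security Config with a pin-set whose
# expiration has passed, plus a legacy domain that allows cleartext.
# Domains and pin digests are fabricated for this example.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example-bank.test</domain>
    <pin-set expiration="2023-06-30">
      <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
      <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
    </pin-set>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain>legacy.example-bank.test</domain>
  </domain-config>
</network-security-config>
"""

# Constructed "decompiled" source lines; the key values are placeholders
# shaped like real credentials, not real secrets.
SAMPLE_SOURCE = [
    'private static final String BASE_URL = "https://api.example-bank.test/v2/";',
    'private static final String API_KEY = "AKIAABCDEFGHIJKLMNOP";',
    'String password = getString(R.string.hint_password);',
    'String clientSecret = "s3cr3t-dev-client-secret-01";',
]


def audit_pinning(xml_text, today=None):
    """Return one finding per <domain-config> in a Network Security Config.

    today: ISO date string used for the expiration comparison (defaults to
    the real current date). An expired pin-set is reported as high severity
    because Android silently stops pinning once the date passes.
    """
    now = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for cfg in root.iter("domain-config"):
        domains = [d.text.strip() for d in cfg.findall("domain")]
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append({"domains": domains, "issue": "cleartext-permitted",
                             "severity": "high"})
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append({"domains": domains, "issue": "no-pins",
                             "severity": "info"})
            continue
        # Android only honours SHA-256 pins; anything else is ignored at runtime.
        pins = [p.text.strip() for p in pin_set.findall("pin")
                if p.get("digest") == "SHA-256"]
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) < now:
            findings.append({"domains": domains, "issue": "pin-set-expired",
                             "severity": "high", "expiration": exp})
        elif len(pins) < 2:
            # No backup pin: a key rotation will brick every installed build.
            findings.append({"domains": domains, "issue": "single-pin-no-backup",
                             "severity": "medium"})
        else:
            findings.append({"domains": domains, "issue": "pinned",
                             "severity": "ok", "expiration": exp})
    return findings


# Ordered so the specific credential formats win over the generic assignment rule.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic-assignment": re.compile(
        r'(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*["\']([^"\']{8,})["\']'),
}


def scan_secrets(lines):
    """Grep decompiled source lines for credential-shaped string literals.

    A quoted literal is required, so `password = getString(...)` (a resource
    lookup, not a secret) is not reported.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits.append({"line": lineno, "type": name,
                             "match": m.group(0)[:24]})
                break  # one finding per line is enough for triage
    return hits


if __name__ == "__main__":
    for f in audit_pinning(SAMPLE_NSC, today="2025-01-01"):
        print(f)
    for h in scan_secrets(SAMPLE_SOURCE):
        print(h)
```

In a real run the XML comes from `res/xml/network_security_config.xml` inside the APK (androguard can extract it, and the manifest's `android:networkSecurityConfig` attribute says which file is active) and the source lines come from jadx output; the logic above is unchanged. Note that a pin-set can also live in a `<base-config>`, which this example does not walk, and an app that pins in code (OkHttp `CertificatePinner`, TrustManager overrides) will show as `no-pins` here and needs a separate code-level check.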