Upload an APK or IPA. KodFixer decompiles it, runs 67+ SAST checks, hunts for hardcoded secrets, maps every API endpoint, and scores the risk — in under 30 seconds.
Free tier: 3 scans/month · No credit card
$ kodfixer scan app-release.apk
Decompiling binary...
Running 67 SAST patterns...
Scanning for secrets...
Extracting endpoints...
CRITICAL SQL Injection (CWE-89) — MainActivity.java:42
CRITICAL Hardcoded AWS Key — BuildConfig.java:8
HIGH Cert Pinning Bypass — NetworkHelper.java:15
HIGH Cleartext HTTP — ApiClient.java:23
MEDIUM Log Leakage — Utils.java:91
12 findings · 3 critical · 4 high · Risk: 8.5/10
67+ SAST rules · <30s avg scan time · 16 secret patterns · APK/IPA binary support
How it works
1. Drop your .apk, .aab, or .ipa file. Uploads up to 500MB are accepted.
2. Decompilation, SAST scanning, secret detection, endpoint mapping, and AI assessment run in parallel.
3. You get severity-ranked findings with the affected code, CWE references, exploit scenarios, and fix guidance.
Capabilities
Decompilation: APK and AAB files are decompiled with apktool and jadx; for IPA files, plistutil converts the bundle's binary plists to readable XML. Readable source is recovered from production binaries, though class and method names stay renamed wherever R8/ProGuard obfuscation was applied.
SAST: SQL injection, XSS, XXE, path traversal, insecure crypto, certificate pinning bypass, root detection, and 60+ more patterns.
Secret detection: AWS keys, Firebase configs, Stripe tokens, JWT secrets, private keys, and database connection strings are found and severity-classified automatically.
Endpoint mapping: every HTTP endpoint present as a literal in the decompiled source is extracted and categorized as production, staging, internal, or third-party. URLs assembled at runtime from fragments are not recoverable by static extraction, so treat the map as a lower bound.
AI assessment: LLM-driven vulnerability assessment with exploit scenarios, BOLA (broken object-level authorization) detection, and remediation guidance for every finding. Because only the client is analyzed, BOLA hits are candidate endpoints that still need to be confirmed against the backend.
Risk scoring: a weighted 1-10 risk score combining manifest flags, SAST findings, secrets exposure, endpoint security, and platform-specific checks.
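The secret-detection and endpoint-mapping steps above are, at bottom, pattern matching over decompiler output. The following is an added example (not KodFixer's code) of how that stage works on a constructed set of jadx-style Java files: provider-prefixed regexes for secrets, a URL regex for endpoints, a hostname heuristic that buckets each endpoint as internal, staging, production, or third-party, and a cleartext-HTTP flag. The sample sources, the first-party domain list, and the severity assignments are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample standing in for decompiler output (e.g. "apktool d app.apk -o out"
# followed by "jadx -d out app.apk"). None of this is a real app: the AWS key is the
# well-known AWS documentation example and every other value is made up.
SAMPLE_SOURCES = {
    "com/example/BuildConfig.java": (
        'package com.example;\n'
        'public final class BuildConfig {\n'
        '    public static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    public static final String STRIPE_KEY = "sk_live_CONSTRUCTEDexample0123456789";\n'
        '    public static final String FIREBASE_KEY = "AIzaSyDconstructedEXAMPLEkey0123456789A";\n'
        '}\n'
    ),
    "com/example/ApiClient.java": (
        'package com.example;\n'
        'public class ApiClient {\n'
        '    static final String BASE = "https://api.example.com/v1/";\n'
        '    static final String STAGING = "https://staging-api.example.com/v1/";\n'
        '    static final String LEGACY_LOGIN = "http://legacy.example.com/auth/login";\n'
        '    static final String ADMIN = "http://10.0.12.4:8080/admin";\n'
        '    static final String CRASH = "https://crashreports.vendor-sdk.net/ingest";\n'
        '}\n'
    ),
    "com/example/Signer.java": (
        'package com.example;\n'
        'public class Signer {\n'
        '    static final String PEM = "-----BEGIN RSA PRIVATE KEY-----";\n'
        '}\n'
    ),
}

# Domains the app's own backend lives on (assumed input; a real scan would take this
# from the analyst or from the app's network-security-config).
FIRST_PARTY_DOMAINS = ("example.com",)

# (kind, severity, regex). Anchored on the fixed prefixes these providers use, so a hit
# is a near-certain secret rather than a generic high-entropy string.
SECRET_PATTERNS = [
    ("AWS access key ID", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Stripe live secret key", "CRITICAL", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
    ("Google/Firebase API key", "MEDIUM", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("Private key block", "CRITICAL", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]

URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'<>]*)?""")
STAGING_LABEL_RE = re.compile(r"^(staging|stg|dev|qa|test|sandbox)(?=[-.]|$)")


def redact(value: str) -> str:
    """Keep enough of a matched secret to triage it without copying it into a report."""
    return value[:4] + "..." + value[-4:]


def classify_host(host: str, first_party) -> str:
    """Bucket a hostname as internal, staging, production, or third-party (heuristic)."""
    try:
        if ipaddress.ip_address(host).is_private:
            return "internal"
    except ValueError:
        pass  # not an IP literal
    if host == "localhost" or host.endswith((".internal", ".local", ".corp")):
        return "internal"
    if STAGING_LABEL_RE.match(host):  # looks only at the first DNS label
        return "staging"
    if any(host == d or host.endswith("." + d) for d in first_party):
        return "production"
    return "third-party"


def scan_sources(sources, first_party):
    """Walk decompiled files line by line, collecting secrets and endpoints with locations."""
    secrets, endpoints = [], []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, severity, rx in SECRET_PATTERNS:
                for m in rx.finditer(line):
                    secrets.append({"kind": kind, "severity": severity, "file": path,
                                    "line": lineno, "match": redact(m.group())})
            for m in URL_RE.finditer(line):
                parsed = urlparse(m.group())
                endpoints.append({"url": m.group(), "file": path, "line": lineno,
                                  "category": classify_host(parsed.hostname, first_party),
                                  "cleartext": parsed.scheme == "http"})
    return {"secrets": secrets, "endpoints": endpoints}


def summarize(result) -> dict:
    """Severity counts: each secret at its own severity, each cleartext endpoint as HIGH."""
    counts = Counter(s["severity"] for s in result["secrets"])
    counts["HIGH"] += sum(1 for e in result["endpoints"] if e["cleartext"])
    return {k: v for k, v in counts.items() if v}


if __name__ == "__main__":
    result = scan_sources(SAMPLE_SOURCES, FIRST_PARTY_DOMAINS)
    for s in result["secrets"]:
        print(f'{s["severity"]:8} {s["kind"]} {s["file"]}:{s["line"]} ({s["match"]})')
    for e in result["endpoints"]:
        flag = " [cleartext]" if e["cleartext"] else ""
        print(f'{e["category"]:11} {e["url"]}{flag}  {e["file"]}:{e["line"]}')
    print(summarize(result))
```

The staging heuristic deliberately inspects only the first DNS label, so `api.dev.example.com` stays production while `dev-api.example.com` is staging; a real scanner would let the analyst override these buckets per host. Matches are redacted before they reach the report so the scan output itself does not become a second copy of the leaked credential.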
Pricing
Free: for individual developers
Pro: for teams shipping mobile apps
Enterprise: for security teams at scale
Upload your first APK or IPA — results in under a minute.