§ Product · Atomic App Scanner

Automated security scanning for every release.

The Atomic App Scanner is our assessment practice, productised. Upload an Android release and it decompiles the build, walks the bytecode end to end, and runs all 54 checks — exactly as the app ships, the way an attacker would read it.

  • No source code, no agent, no SDK, no CI wiring
  • Severity-graded findings stream back live as each check completes
  • Every result names the exact class, method, and smali / Java location
  • Each finding pinned to the exact code, with a concrete fix and one-click false-positive suppression
  • Export SARIF / CSV, or pull results over the API

§ Coverage

The periodic table of mobile risk.

Fifty-four checks across all eight categories of mobile risk — from hardcoded secrets to taint-tracked PII leaks. Each finding is graded, evidenced, and pinned to the exact code.

Severity grades: critical · high · medium · low · info

01 STORAGE (St)

Insecure data storage

  • World-readable files & prefs
  • Secrets in SharedPreferences
  • External-storage leaks

02 CRYPTO (Cr)

Broken cryptography

  • Weak ciphers & modes
  • Hardcoded keys / IVs
  • Cipher + signature key reuse

03 AUTH (Au)

Auth & secrets

  • Hardcoded credentials
  • Gitleaks secret rules
  • Exposed API tokens

04 NETWORK (Nt)

Network security

  • Cleartext traffic allowed
  • Permissive network config
  • Disabled cert pinning

05 PLATFORM (Pf)

Platform & IPC

  • Exported components
  • Insecure WebViews
  • Implicit-intent PII leaks

06 CODE (Cd)

Vulnerable code

  • CVE libraries via OSV
  • Outdated dependencies
  • Dangerous API usage

07 PRIVACY (Pv)

Privacy & PII

  • PII written to logs
  • Tracking in notifications
  • Over-broad permissions

08 RESILIENCE (Rs)

Tamper resilience

  • Missing root/debug checks
  • No anti-tamper
  • Unprotected signing

§ Method

From upload to verdict, in three moves.

01 Intake

Upload an APK

Drop your release into the dashboard, or push it through the API — no agent, no SDK, no CI wiring, nothing to install.

02 Analysis

Take it apart

The scanner decompiles your release and walks its bytecode end to end, running all 54 checks across the app exactly as it ships.

03 Readout

Read the findings

Severity-graded findings stream back live — each with the exact location and a concrete fix. Export SARIF or CSV.

Scan your next release free.

Three full scans, all 54 checks, no card. Need depth a scanner can't reach? Let's talk.