US-027 · US-028 · US-029 · US-116
L3 — Mobile Security (MobSF)
Android APK & iOS IPA binary analysis · OWASP MASVS compliance
Upload Binary for Analysis US-027
Maximum file size: 200MB · Android .apk · iOS .ipa
```bash
curl -X POST https://api-staging.socvault.io/api/v1/scans/mobile \
  -H "Authorization: Bearer $API_KEY" \
  -F "file=@app-release.apk"
```
Analysis completes in ~15 minutes · Results available via webhook
Latest Scan — AcmeCorp.apk v2.4.1 US-027, US-028
Critical: 2 · High: 4 · Medium: 6 · Low: 3
| Finding | MASVS | Severity |
|---|---|---|
| Hardcoded API key in BuildConfig: `BuildConfig.STRIPE_SECRET_KEY = "sk_live_…"` | MSTG-STORAGE-14 | CRITICAL |
| Cleartext HTTP traffic allowed: `cleartextTrafficPermitted=true` in `network_security_config.xml` | MSTG-NETWORK-2 | CRITICAL |
| Sensitive data in SharedPreferences: `auth_token` stored in plaintext | MSTG-STORAGE-2 | HIGH |
| Exported activity without permission: `com.acme.DeepLinkActivity` has `exported=true` | MSTG-PLATFORM-1 | HIGH |
| Over-privileged permissions: `READ_CONTACTS`, `CAMERA` declared but unused | MSTG-PLATFORM-2 | MEDIUM |
GDPR / Compliance Mapping US-029
| Finding | GDPR Article | Risk Description | Severity |
|---|---|---|---|
| Cleartext HTTP traffic | Art. 32 — Security of processing | Personal data transmitted without encryption violates the requirement to implement appropriate technical measures | CRITICAL |
| READ_CONTACTS permission | Art. 5(1)(c) — Data minimisation | Collecting contact data without clear necessity violates the principle of data minimisation | MEDIUM |
| Auth token in SharedPreferences | Art. 32 — Security of processing | Session tokens stored in plaintext on device allow credential extraction if device is compromised | HIGH |