# App Flag Inspector

Decompile → Detect → Patch Android APK & iOS IPA security flags in one command.

A zero-config CLI utility that detects FLAG_SECURE, DRM protection, root detection, SSL pinning, and other security flags that cause black screens on BrowserStack App Live, screen mirroring tools, and automated testing environments.
## Quick Start

```bash
# Inspect an APK: zero install, just run
npx app-flag-inspector myapp.apk

# Inspect + auto-patch FLAG_SECURE
npx app-flag-inspector inspect myapp.apk --autofix

# Inspect an IPA
npx app-flag-inspector myapp.ipa
```

Zero dependencies to manage. The tool auto-installs Homebrew and apktool if they're missing, just run it. Homebrew is available on macOS and Linux only; on other systems (or if you would rather not let a CLI install a package manager for you), install apktool yourself and put it on your PATH: the auto-install step only runs when apktool is missing.
## Installation

```bash
# Use directly with npx (recommended, no install needed)
npx app-flag-inspector <command>

# Or install globally
npm install -g app-flag-inspector
```

## Requirements

| Tool | Required For | Auto-Installed? |
|---|---|---|
| Homebrew | Installing apktool | ✅ Yes, installed automatically if missing |
| apktool | Decompiling APKs | ✅ Yes, installed via Homebrew automatically |
| Android SDK Build Tools | `recompile` only | ❌ No, install via Android Studio |
| zipalign | `recompile` only | ❌ No, included with Android SDK Build Tools |
| apksigner | `recompile` only | ❌ No, included with Android SDK Build Tools |

For `inspect` and `inspect --autofix`, you don't need to install anything manually; the tool handles it. For `recompile`, you need Android Studio's SDK Build Tools on your PATH.
## Commands

### inspect

Decompiles the app and scans for security flags. No modifications are made (unless `--autofix` is used).

```bash
npx app-flag-inspector inspect <file.apk|file.ipa> [options]

# Shortcut: just pass the file
npx app-flag-inspector myapp.apk
```

| Option | Description |
|---|---|
| `-o, --output <dir>` | Custom output directory for decompiled files |
| `--keep` | Keep decompiled output after inspection (default: cleaned up) |
| `--json` | Output results as JSON (for CI/CD pipelines) |
| `--autofix` | Automatically patch and remove high-severity flags |
Example output:

```text
🔍 App Flag Inspector: APK Analysis

File: /path/to/myapp.apk
Size: 45.23 MB

📱 App Info
  Package:    com.example.myapp
  Min SDK:    24
  Target SDK: 34
  Debuggable: No

🚩 Security Flags Detected: 3

┌───────────────────────────┬──────────┬─────────────────────┬───────────────────────────────┬─────────┬─────────────┐
│ Flag                      │ Severity │ Method              │ File                          │ Line    │ Patchable   │
├───────────────────────────┼──────────┼─────────────────────┼───────────────────────────────┼─────────┼─────────────┤
│ FLAG_SECURE               │ HIGH     │ setFlags            │ smali_classes9/com/app/...    │ 480     │ Yes         │
│ Root Detection            │ MEDIUM   │ Various             │ 12 file(s)                    │ -       │ No          │
│ SSL/Certificate Pinning   │ MEDIUM   │ Various             │ 8 file(s)                     │ -       │ No          │
└───────────────────────────┴──────────┴─────────────────────┴───────────────────────────────┴─────────┴─────────────┘

💡 1 flag(s) can be auto-patched. Run with --autofix:
   npx app-flag-inspector inspect myapp.apk --autofix
```
### inspect --autofix

Scans and patches the patchable high-severity flags in the decompiled smali code. The patched source is kept so you can recompile it.

```bash
npx app-flag-inspector inspect myapp.apk --autofix
```

What it patches:

- `FLAG_SECURE` via `Window.setFlags()` / `Window.addFlags()`: sets `0x2000` → `0x0`
- `SurfaceView.setSecure(true)`: sets `0x1` → `0x0`

What it does NOT patch (reported only):

- DRM / MediaDrm
- Root / jailbreak detection
- SSL / certificate pinning
- ScreenCaptureCallback (API 34+)
Example output:

```text
🔧 Autofix: Patching high-severity flags

✅ FLAG_SECURE patched
   smali_classes9/com/zehnder/entergy/EntergyBaseFragment.smali:478
   - const/16 v1, 0x2000
   + const/16 v1, 0x0

✅ 1 flag(s) patched successfully.
✅ Verification complete: all high-severity patchable flags removed

📁 Patched decompiled source kept at: /path/to/decompiled_myapp

To rebuild the APK, run:
  npx app-flag-inspector recompile myapp.apk
```
### recompile

Patches FLAG_SECURE, recompiles, aligns, and signs the APK, all in one step.

```bash
npx app-flag-inspector recompile <file.apk> [options]
```

| Option | Description |
|---|---|
| `-o, --output <file>` | Output path for patched APK |
| `--no-sign` | Skip signing (you'll need to sign manually) |
| `--keystore <path>` | Path to your keystore file |
| `--alias <name>` | Key alias (default: `mykey`) |

⚠️ Requires Android SDK Build Tools (`zipalign`, `apksigner`) from Android Studio. After installing, add them to your PATH:

```bash
export PATH=$PATH:$ANDROID_HOME/build-tools/<version>
```

The rebuilt APK is signed with a different key than the original (a debug keystore unless you pass `--keystore`), so Android refuses to install it over an existing installation of the original app; uninstall the original first.
Examples:

```bash
# Auto-patch and sign with a debug keystore
npx app-flag-inspector recompile myapp.apk

# Use your own keystore
npx app-flag-inspector recompile myapp.apk --keystore release.jks --alias mykey

# Recompile without signing
npx app-flag-inspector recompile myapp.apk --no-sign
```

### check-deps

Verify all dependencies are installed.
```bash
npx app-flag-inspector check-deps
```

```text
🔍 Checking dependencies...

✅ installed  apktool    (required)
✅ installed  zipalign   (optional, for recompile)
❌ not found  apksigner  (optional, for recompile)
   Install: Included with Android SDK Build Tools
✅ installed  keytool    (optional, for recompile)
```
## Detected Flags

| Flag / Pattern | Platform | Severity | Auto-Patchable |
|---|---|---|---|
| `FLAG_SECURE` (`setFlags` / `addFlags`) | Android | 🔴 HIGH | ✅ Yes |
| `SurfaceView.setSecure()` | Android | 🔴 HIGH | ✅ Yes |
| `ScreenCaptureCallback` (API 34+) | Android | 🟡 MEDIUM | ❌ No |
| DRM Protection (`MediaDrm`) | Android | 🔴 HIGH | ❌ No |
| Root / Tamper Detection | Android | 🟡 MEDIUM | ❌ No |
| SSL / Certificate Pinning | Android | 🟡 MEDIUM | ❌ No |
| Screenshot Prevention (secure text overlay) | iOS | 🔴 HIGH | ❌ No |
| Jailbreak Detection | iOS | 🟡 MEDIUM | ❌ No |
## CI/CD Integration

Use `--json` for machine-readable output:

```bash
npx app-flag-inspector inspect myapp.apk --json > report.json
```

Example in a GitHub Actions workflow:

```yaml
- name: Check APK security flags
  run: |
    npx app-flag-inspector inspect app/build/outputs/apk/debug/app-debug.apk --json > flags.json
    # Fail if FLAG_SECURE is found
    if jq -e '.findings[] | select(.flag == "FLAG_SECURE")' flags.json > /dev/null 2>&1; then
      echo "::error::FLAG_SECURE detected in APK"
      exit 1
    fi
```

## How It Works

For `inspect`:

- Decompile: uses `apktool` to decompile the APK into smali bytecode
- Scan: walks smali files method-by-method, checking whether a `const 0x2000` feeds into `Window.setFlags()` / `addFlags()` within the same method (no false positives from unrelated code)
- Report: displays findings with file locations, severity, and whether they can be auto-patched
- Autofix (optional): patches `0x2000` → `0x0` in place, then re-scans to verify
- Cleanup: removes decompiled files (unless `--keep` or `--autofix` is used)
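The Scan, Autofix and re-scan steps above, as an added example that is not app-flag-inspector's own code: a small JavaScript re-implementation of the method-scoped check (a constant only counts if it is loaded into a register that the `setFlags`/`addFlags` or `setSecure` call actually consumes, inside the same method), followed by the in-place `0x0` rewrite and a verification re-scan. The smali sample is constructed for the example, not taken from any real app, and the `RULES` table, `scanSmali`, `patchSmali` and `autofix` names are this example's own assumptions; the real tool's internals may differ.

```javascript
"use strict";
// Added example (not app-flag-inspector's code): method-scoped smali scan, in-place
// patch and re-scan. Names and the sample smali below are this example's assumptions.

// Sinks the tool patches, each paired with the constant that must reach the call
// inside the same method. Group 1 of each sink regex captures the argument registers.
const RULES = [
  {
    flag: "FLAG_SECURE",
    value: "0x2000", // WindowManager.LayoutParams.FLAG_SECURE
    sink: /invoke-virtual \{([^}]*)\}, Landroid\/view\/Window;->(?:setFlags|addFlags)\(II\)V/,
  },
  {
    flag: "SurfaceView.setSecure",
    value: "0x1", // setSecure(true)
    sink: /invoke-virtual \{([^}]*)\}, Landroid\/view\/SurfaceView;->setSecure\(Z\)V/,
  },
];

// A constant load into a register: `const`, `const/4` or `const/16`.
// const/high16 is deliberately excluded: it loads value << 16, so 0x2000 there is not FLAG_SECURE.
const CONST_RE = /^(\s*const(?:\/4|\/16)?\s+)([vp]\d+),\s*(-?0x[0-9a-fA-F]+)\s*$/;

// Split a smali file into methods, keeping 1-based line numbers for reporting.
function splitMethods(smali) {
  const methods = [];
  let current = null;
  smali.split("\n").forEach((text, i) => {
    const t = text.trim();
    if (t.startsWith(".method ")) current = { name: t.split(/\s+/).pop(), lines: [] };
    if (current) current.lines.push({ no: i + 1, text });
    if (t === ".end method") {
      methods.push(current);
      current = null;
    }
  });
  return methods;
}

// Scan step: for each sink call, walk backwards within the same method to the nearest
// constant loaded into each argument register. Only a matching value that reaches the
// call is reported, so a stray 0x2000 in an unrelated method is ignored.
function scanSmali(smali) {
  const findings = [];
  for (const method of splitMethods(smali)) {
    for (const rule of RULES) {
      method.lines.forEach((line, idx) => {
        const sink = line.text.match(rule.sink);
        if (!sink) return;
        const pending = new Set(sink[1].split(",").map((r) => r.trim()));
        for (let j = idx - 1; j >= 0 && pending.size > 0; j--) {
          const c = method.lines[j].text.match(CONST_RE);
          if (!c || !pending.has(c[2])) continue;
          pending.delete(c[2]); // nearest definition wins; stop tracking this register
          if (c[3] === rule.value) {
            findings.push({ flag: rule.flag, method: method.name, line: method.lines[j].no, register: c[2] });
          }
        }
      });
    }
  }
  return findings;
}

// Autofix step: rewrite each reported constant load to 0x0 in place.
function patchSmali(smali, findings) {
  const lines = smali.split("\n");
  for (const f of findings) {
    const c = lines[f.line - 1].match(CONST_RE);
    if (c) lines[f.line - 1] = `${c[1]}${c[2]}, 0x0`;
  }
  return lines.join("\n");
}

// Patch, then re-scan so the caller can verify nothing patchable remains.
function autofix(smali) {
  const before = scanSmali(smali);
  const patched = patchSmali(smali, before);
  return { before, patched, remaining: scanSmali(patched) };
}

// Constructed sample (not from any real app): one FLAG_SECURE call, one unrelated
// 0x2000 that must NOT be reported, and one SurfaceView.setSecure(true).
const SAMPLE_SMALI = [
  ".method protected onCreate(Landroid/os/Bundle;)V",
  "    .locals 2",
  "    invoke-virtual {p0}, Landroid/app/Activity;->getWindow()Landroid/view/Window;",
  "    move-result-object v0",
  "    const/16 v1, 0x2000",
  "    invoke-virtual {v0, v1, v1}, Landroid/view/Window;->setFlags(II)V",
  "    return-void",
  ".end method",
  "",
  ".method private unrelated()I",
  "    .locals 1",
  "    const/16 v0, 0x2000",
  "    return v0",
  ".end method",
  "",
  ".method private setupSurface(Landroid/view/SurfaceView;)V",
  "    .locals 1",
  "    const/4 v0, 0x1",
  "    invoke-virtual {p1, v0}, Landroid/view/SurfaceView;->setSecure(Z)V",
  "    return-void",
  ".end method",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const result = autofix(SAMPLE_SMALI);
  for (const f of result.before) console.log(`${f.flag} in ${f.method} at line ${f.line} (${f.register})`);
  console.log(`${result.before.length} patched, ${result.remaining.length} remaining`);
}
```

Running it reports `FLAG_SECURE` at line 5 and `SurfaceView.setSecure` at line 18, leaves the `0x2000` in `unrelated()` alone because no `setFlags`/`addFlags` call consumes it, and the re-scan of the patched text finds nothing. A real scanner must also handle the register being copied with `move` before the call; the tool's own "within the same method" check is what keeps that search bounded.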
For `recompile`:

- Patch: replaces `0x2000` with `0x0` in smali code near `Window.setFlags()` / `addFlags()` calls
- Rebuild: uses `apktool b` to recompile the patched smali back into an APK
- Align & Sign: runs `zipalign` and `apksigner` to produce an installable APK
## Auto-Setup

When you run the tool for the first time, it automatically sets up everything needed:

```text
apktool missing?
├── brew missing?
│   ├── Install Homebrew automatically
│   └── Add brew to PATH
├── brew install apktool
└── Continue with inspection
```

No manual setup required for `inspect` and `inspect --autofix`.
## Notes

- Recompiling may break apps that verify their own signing certificate (tamper / integrity checks): the re-signed APK has a different certificate. Root detection and certificate pinning are reported but not patched, so they still behave as before in the rebuilt app.
- This tool is for debugging/testing only. Do not distribute patched APKs.
- IPA support is basic: iOS apps are compiled to native ARM, so deep binary analysis requires additional tools.
- The `inspect` command (without `--autofix`) is read-only and makes no modifications to the original file. `--autofix` modifies the decompiled source only; your original APK is never touched.
## License

MIT