npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

app-flag-inspector

v1.1.0

Published

CLI to decompile Android APK & iOS IPA files and detect security flags like FLAG_SECURE, DRM, root detection, SSL pinning — with autofix patching support

Readme

🔍 app-flag-inspector

Decompile → Detect → Patch Android APK & iOS IPA security flags in one command.

A zero-config CLI utility that detects FLAG_SECURE, DRM protection, root detection, SSL pinning, and other security flags that cause black screens on BrowserStack App Live, screen mirroring tools, and automated testing environments.

npm version license

Quick Start

# Inspect an APK — zero install, just run
npx app-flag-inspector myapp.apk

# Inspect + auto-patch FLAG_SECURE
npx app-flag-inspector inspect myapp.apk --autofix

# Inspect an IPA
npx app-flag-inspector myapp.ipa

Zero dependencies to manage. The tool auto-installs Homebrew and apktool if they're missing — just run it.

Installation

# Use directly with npx (recommended — no install needed)
npx app-flag-inspector <command>

# Or install globally
npm install -g app-flag-inspector

Prerequisites

| Tool | Required For | Auto-Installed? | | --------------------------- | ------------------ | -------------------------------------------------------------------------- | | Homebrew | Installing apktool | ✅ Yes — installed automatically if missing | | apktool | Decompiling APKs | ✅ Yes — installed via Homebrew automatically | | Android SDK Build Tools | recompile only | ❌ No — install via Android Studio | | zipalign | recompile only | ❌ No — included with Android SDK Build Tools | | apksigner | recompile only | ❌ No — included with Android SDK Build Tools |

For inspect and inspect --autofix, you don't need to install anything manually — the tool handles it. For recompile, you need Android Studio's SDK Build Tools on your PATH.

Commands

inspect (default)

Decompiles the app and scans for security flags. No modifications are made (unless --autofix is used).

npx app-flag-inspector inspect <file.apk|file.ipa> [options]

# Shortcut — just pass the file
npx app-flag-inspector myapp.apk

| Option | Description | | -------------------- | ------------------------------------------------------------- | | -o, --output <dir> | Custom output directory for decompiled files | | --keep | Keep decompiled output after inspection (default: cleaned up) | | --json | Output results as JSON (for CI/CD pipelines) | | --autofix | Automatically patch and remove high-severity flags |

Example output:

🔍 App Flag Inspector — APK Analysis

  File: /path/to/myapp.apk
  Size: 45.23 MB

📱 App Info

  Package:    com.example.myapp
  Min SDK:    24
  Target SDK: 34
  Debuggable: No

🚩 Security Flags Detected: 3

┌─────────────────────────┬──────────┬────────────────────┬──────────────────────────────┬────────┬────────────┐
│ Flag                    │ Severity │ Method             │ File                         │ Line   │ Patchable  │
├─────────────────────────┼──────────┼────────────────────┼──────────────────────────────┼────────┼────────────┤
│ FLAG_SECURE             │ HIGH     │ setFlags           │ smali_classes9/com/app/...   │ 480    │ Yes        │
│ Root Detection          │ MEDIUM   │ Various            │ 12 file(s)                   │ -      │ No         │
│ SSL/Certificate Pinning │ MEDIUM   │ Various            │ 8 file(s)                    │ -      │ No         │
└─────────────────────────┴──────────┴────────────────────┴──────────────────────────────┴────────┴────────────┘

💡 1 flag(s) can be auto-patched. Run with --autofix:
   npx app-flag-inspector inspect myapp.apk --autofix

inspect --autofix

Scans and patches high-severity flags in the decompiled smali code. The patched source is kept so you can recompile it.

npx app-flag-inspector inspect myapp.apk --autofix

What it patches:

  • FLAG_SECURE via Window.setFlags() / Window.addFlags() — sets 0x20000x0
  • SurfaceView.setSecure(true) — sets 0x10x0

What it does NOT patch (reported only):

  • DRM / MediaDrm
  • Root / jailbreak detection
  • SSL / certificate pinning
  • ScreenCaptureCallback (API 34+)

Example output:

🔧 Autofix — Patching high-severity flags

  ✔ FLAG_SECURE patched
    smali_classes9/com/zehnder/entergy/EntergyBaseFragment.smali:478
    - const/16 v1, 0x2000
    + const/16 v1, 0x0

  ✅ 1 flag(s) patched successfully.

✔ Verification complete — all high-severity patchable flags removed

  📂 Patched decompiled source kept at: /path/to/decompiled_myapp
     To rebuild the APK, run:
     npx app-flag-inspector recompile myapp.apk

recompile

Patches FLAG_SECURE, recompiles, aligns, and signs the APK — all in one step.

npx app-flag-inspector recompile <file.apk> [options]

| Option | Description | | --------------------- | ------------------------------------------- | | -o, --output <file> | Output path for patched APK | | --no-sign | Skip signing (you'll need to sign manually) | | --keystore <path> | Path to your keystore file | | --alias <name> | Key alias (default: mykey) |

⚠️ Requires Android SDK Build Tools (zipalign, apksigner) from Android Studio. After installing, add to your PATH:

export PATH=$PATH:$ANDROID_HOME/build-tools/<version>

Examples:

# Auto-patch and sign with a debug keystore
npx app-flag-inspector recompile myapp.apk

# Use your own keystore
npx app-flag-inspector recompile myapp.apk --keystore release.jks --alias mykey

# Recompile without signing
npx app-flag-inspector recompile myapp.apk --no-sign

check-deps

Verify all dependencies are installed.

npx app-flag-inspector check-deps
🔍 Checking dependencies...

  ✔ installed  apktool (required)
  ✔ installed  zipalign (optional — for recompile)
  ✘ not found  apksigner (optional — for recompile)
                Install: Included with Android SDK Build Tools
  ✔ installed  keytool (optional — for recompile)

What It Detects

| Flag / Pattern | Platform | Severity | Auto-Patchable | | ------------------------------------------- | -------- | --------- | -------------- | | FLAG_SECURE (setFlags / addFlags) | Android | 🔴 HIGH | ✅ Yes | | SurfaceView.setSecure() | Android | 🔴 HIGH | ✅ Yes | | ScreenCaptureCallback (API 34+) | Android | 🟡 MEDIUM | ❌ No | | DRM Protection (MediaDrm) | Android | 🔴 HIGH | ❌ No | | Root / Tamper Detection | Android | 🟡 MEDIUM | ❌ No | | SSL / Certificate Pinning | Android | 🟡 MEDIUM | ❌ No | | Screenshot Prevention (secure text overlay) | iOS | 🔴 HIGH | ❌ No | | Jailbreak Detection | iOS | 🟡 MEDIUM | ❌ No |

CI/CD Integration

Use --json for machine-readable output:

npx app-flag-inspector inspect myapp.apk --json > report.json

Example in a GitHub Actions workflow:

- name: Check APK security flags
  run: |
    npx app-flag-inspector inspect app/build/outputs/apk/debug/app-debug.apk --json > flags.json
    # Fail if FLAG_SECURE is found
    if jq -e '.findings[] | select(.flag == "FLAG_SECURE")' flags.json > /dev/null 2>&1; then
      echo "::error::FLAG_SECURE detected in APK"
      exit 1
    fi

How It Works

  1. Decompile — Uses apktool to decompile the APK into smali bytecode
  2. Scan — Walks smali files method-by-method, checking if const 0x2000 feeds into Window.setFlags() / addFlags() within the same method (no false positives from unrelated code)
  3. Report — Displays findings with file locations, severity, and whether they can be auto-patched
  4. Autofix (optional) — Patches 0x20000x0 in-place, then re-scans to verify
  5. Cleanup — Removes decompiled files (unless --keep or --autofix is used)

For recompile:

  1. Patch — Replaces 0x2000 with 0x0 in smali code near Window.setFlags() / addFlags() calls
  2. Rebuild — Uses apktool b to recompile the patched smali back into an APK
  3. Align & Sign — Runs zipalign and apksigner to produce an installable APK

Auto-Install Chain

When you run the tool for the first time, it automatically sets up everything needed:

apktool missing?
  └─→ brew missing?
  │     └─→ Install Homebrew automatically
  │     └─→ Add brew to PATH
  └─→ brew install apktool
  └─→ Continue with inspection

No manual setup required for inspect and inspect --autofix.

⚠️ Important Notes

  • Recompiling may break apps that have certificate pinning, root detection, or tamper checks — the re-signed APK will have a different certificate.
  • This tool is for debugging/testing only. Do not distribute patched APKs.
  • IPA support is basic — iOS apps are compiled to native ARM, so deep binary analysis requires additional tools.
  • The inspect command (without --autofix) is read-only and makes no modifications to the original file.
  • --autofix modifies the decompiled source only — your original APK is never touched.

License

MIT