app-flag-inspector
v1.1.0
Published
CLI to decompile Android APK & iOS IPA files and detect security flags like FLAG_SECURE, DRM, root detection, SSL pinning — with autofix patching support
Maintainers
Keywords
Readme
🔍 app-flag-inspector
Decompile → Detect → Patch Android APK & iOS IPA security flags in one command.
A zero-config CLI utility that detects FLAG_SECURE, DRM protection, root detection, SSL pinning, and other security flags that cause black screens on BrowserStack App Live, screen mirroring tools, and automated testing environments.
Quick Start
# Inspect an APK — zero install, just run
npx app-flag-inspector myapp.apk
# Inspect + auto-patch FLAG_SECURE
npx app-flag-inspector inspect myapp.apk --autofix
# Inspect an IPA
npx app-flag-inspector myapp.ipaZero dependencies to manage. The tool auto-installs Homebrew and apktool if they're missing — just run it.
Installation
# Use directly with npx (recommended — no install needed)
npx app-flag-inspector <command>
# Or install globally
npm install -g app-flag-inspectorPrerequisites
| Tool | Required For | Auto-Installed? |
| --------------------------- | ------------------ | -------------------------------------------------------------------------- |
| Homebrew | Installing apktool | ✅ Yes — installed automatically if missing |
| apktool | Decompiling APKs | ✅ Yes — installed via Homebrew automatically |
| Android SDK Build Tools | recompile only | ❌ No — install via Android Studio |
| zipalign | recompile only | ❌ No — included with Android SDK Build Tools |
| apksigner | recompile only | ❌ No — included with Android SDK Build Tools |
For
inspectandinspect --autofix, you don't need to install anything manually — the tool handles it. Forrecompile, you need Android Studio's SDK Build Tools on your PATH.
Commands
inspect (default)
Decompiles the app and scans for security flags. No modifications are made (unless --autofix is used).
npx app-flag-inspector inspect <file.apk|file.ipa> [options]
# Shortcut — just pass the file
npx app-flag-inspector myapp.apk| Option | Description |
| -------------------- | ------------------------------------------------------------- |
| -o, --output <dir> | Custom output directory for decompiled files |
| --keep | Keep decompiled output after inspection (default: cleaned up) |
| --json | Output results as JSON (for CI/CD pipelines) |
| --autofix | Automatically patch and remove high-severity flags |
Example output:
🔍 App Flag Inspector — APK Analysis
File: /path/to/myapp.apk
Size: 45.23 MB
📱 App Info
Package: com.example.myapp
Min SDK: 24
Target SDK: 34
Debuggable: No
🚩 Security Flags Detected: 3
┌─────────────────────────┬──────────┬────────────────────┬──────────────────────────────┬────────┬────────────┐
│ Flag │ Severity │ Method │ File │ Line │ Patchable │
├─────────────────────────┼──────────┼────────────────────┼──────────────────────────────┼────────┼────────────┤
│ FLAG_SECURE │ HIGH │ setFlags │ smali_classes9/com/app/... │ 480 │ Yes │
│ Root Detection │ MEDIUM │ Various │ 12 file(s) │ - │ No │
│ SSL/Certificate Pinning │ MEDIUM │ Various │ 8 file(s) │ - │ No │
└─────────────────────────┴──────────┴────────────────────┴──────────────────────────────┴────────┴────────────┘
💡 1 flag(s) can be auto-patched. Run with --autofix:
npx app-flag-inspector inspect myapp.apk --autofixinspect --autofix
Scans and patches high-severity flags in the decompiled smali code. The patched source is kept so you can recompile it.
npx app-flag-inspector inspect myapp.apk --autofixWhat it patches:
FLAG_SECUREviaWindow.setFlags()/Window.addFlags()— sets0x2000→0x0SurfaceView.setSecure(true)— sets0x1→0x0
What it does NOT patch (reported only):
- DRM / MediaDrm
- Root / jailbreak detection
- SSL / certificate pinning
- ScreenCaptureCallback (API 34+)
Example output:
🔧 Autofix — Patching high-severity flags
✔ FLAG_SECURE patched
smali_classes9/com/zehnder/entergy/EntergyBaseFragment.smali:478
- const/16 v1, 0x2000
+ const/16 v1, 0x0
✅ 1 flag(s) patched successfully.
✔ Verification complete — all high-severity patchable flags removed
📂 Patched decompiled source kept at: /path/to/decompiled_myapp
To rebuild the APK, run:
npx app-flag-inspector recompile myapp.apkrecompile
Patches FLAG_SECURE, recompiles, aligns, and signs the APK — all in one step.
npx app-flag-inspector recompile <file.apk> [options]| Option | Description |
| --------------------- | ------------------------------------------- |
| -o, --output <file> | Output path for patched APK |
| --no-sign | Skip signing (you'll need to sign manually) |
| --keystore <path> | Path to your keystore file |
| --alias <name> | Key alias (default: mykey) |
⚠️ Requires Android SDK Build Tools (
zipalign,apksigner) from Android Studio. After installing, add to your PATH:export PATH=$PATH:$ANDROID_HOME/build-tools/<version>
Examples:
# Auto-patch and sign with a debug keystore
npx app-flag-inspector recompile myapp.apk
# Use your own keystore
npx app-flag-inspector recompile myapp.apk --keystore release.jks --alias mykey
# Recompile without signing
npx app-flag-inspector recompile myapp.apk --no-signcheck-deps
Verify all dependencies are installed.
npx app-flag-inspector check-deps🔍 Checking dependencies...
✔ installed apktool (required)
✔ installed zipalign (optional — for recompile)
✘ not found apksigner (optional — for recompile)
Install: Included with Android SDK Build Tools
✔ installed keytool (optional — for recompile)What It Detects
| Flag / Pattern | Platform | Severity | Auto-Patchable |
| ------------------------------------------- | -------- | --------- | -------------- |
| FLAG_SECURE (setFlags / addFlags) | Android | 🔴 HIGH | ✅ Yes |
| SurfaceView.setSecure() | Android | 🔴 HIGH | ✅ Yes |
| ScreenCaptureCallback (API 34+) | Android | 🟡 MEDIUM | ❌ No |
| DRM Protection (MediaDrm) | Android | 🔴 HIGH | ❌ No |
| Root / Tamper Detection | Android | 🟡 MEDIUM | ❌ No |
| SSL / Certificate Pinning | Android | 🟡 MEDIUM | ❌ No |
| Screenshot Prevention (secure text overlay) | iOS | 🔴 HIGH | ❌ No |
| Jailbreak Detection | iOS | 🟡 MEDIUM | ❌ No |
CI/CD Integration
Use --json for machine-readable output:
npx app-flag-inspector inspect myapp.apk --json > report.jsonExample in a GitHub Actions workflow:
- name: Check APK security flags
run: |
npx app-flag-inspector inspect app/build/outputs/apk/debug/app-debug.apk --json > flags.json
# Fail if FLAG_SECURE is found
if jq -e '.findings[] | select(.flag == "FLAG_SECURE")' flags.json > /dev/null 2>&1; then
echo "::error::FLAG_SECURE detected in APK"
exit 1
fiHow It Works
- Decompile — Uses
apktoolto decompile the APK into smali bytecode - Scan — Walks smali files method-by-method, checking if
const 0x2000feeds intoWindow.setFlags()/addFlags()within the same method (no false positives from unrelated code) - Report — Displays findings with file locations, severity, and whether they can be auto-patched
- Autofix (optional) — Patches
0x2000→0x0in-place, then re-scans to verify - Cleanup — Removes decompiled files (unless
--keepor--autofixis used)
For recompile:
- Patch — Replaces
0x2000with0x0in smali code nearWindow.setFlags()/addFlags()calls - Rebuild — Uses
apktool bto recompile the patched smali back into an APK - Align & Sign — Runs
zipalignandapksignerto produce an installable APK
Auto-Install Chain
When you run the tool for the first time, it automatically sets up everything needed:
apktool missing?
└─→ brew missing?
│ └─→ Install Homebrew automatically
│ └─→ Add brew to PATH
└─→ brew install apktool
└─→ Continue with inspectionNo manual setup required for inspect and inspect --autofix.
⚠️ Important Notes
- Recompiling may break apps that have certificate pinning, root detection, or tamper checks — the re-signed APK will have a different certificate.
- This tool is for debugging/testing only. Do not distribute patched APKs.
- IPA support is basic — iOS apps are compiled to native ARM, so deep binary analysis requires additional tools.
- The
inspectcommand (without--autofix) is read-only and makes no modifications to the original file. --autofixmodifies the decompiled source only — your original APK is never touched.
License
MIT
