sdkguard-ai
v3.1.0
Published
Analyze Android APK and iOS IPA files for outdated SDKs. Generates a shareable HTML report with version gaps, breaking changes, risk scores, and QA test cases. Zero external LLM calls.
Downloads
121
Maintainers
Readme
SDKGuard-AI — v3.1.0
Analyzes Android APK and iOS IPA files for outdated third-party SDKs, CVE vulnerabilities, and upgrade risk.
Generates shareable HTML + JSON reports with version gaps, breaking changes, risk scores, and QA test cases.
Zero external LLM calls. All analysis is deterministic code.
# Run instantly without installing
npx sdkguard-ai MyApp.apk
# Or install globally
npm install -g sdkguard-ai
sdkguard MyApp.apkWhat's New in v2.1.0
| Feature | Details |
|---|---|
| 🐦 Flutter APK support | Detects Flutter apps via libflutter.so, scans DEX for plugin registrations, looks up versions on pub.dev |
| 📋 JSON report | Every analysis saves both .html and .json — ready for CI/CD, dashboards, integrations |
| 🔒 CVE / Vulnerability scanning | Checks every detected SDK against the OSV database (free, no API key) — shows severity, affected range, fix version |
| 🔍 Improved analysis accuracy | Tighter detection patterns eliminate false positives; AXML parser extracts package name & version from binary AndroidManifest |
| 📦 Auto-detection (no registry needed) | IPA: every .framework is auto-detected and looked up on CocoaPods. Flutter: every plugin is auto-detected and looked up on pub.dev |
| 📱 App metadata in report | Package name, version, platform, Min SDK / Min iOS shown in the report hero |
How It Works
APK / IPA
│
▼
Extract SDKs ──────────────────────────────────────────────────────────────────────┐
Android: DEX string scan · .properties files · AXML manifest parser │
iOS: .framework/Info.plist (binary + XML plist) · auto-detect all frameworks │
Flutter: libflutter.so detection · DEX plugin error strings · class descriptors │
│ │
▼ │
Fetch Latest Versions │
Android SDKs → GitHub Releases / Google Maven / Maven Central │
iOS SDKs → CocoaPods trunk API │
Flutter → pub.dev API │
Unknown iOS → CocoaPods auto-lookup by framework name │
│ │
▼ │
Check CVEs (OSV API — osv.dev) │
Per SDK: severity · CVSS score · affected version range · fix version │
│ │
▼ │
Parse Changelogs (GitHub Releases API) │
Breaking changes · deprecated APIs · permission changes — regex only, no LLM │
│ │
▼ │
Score Risk · Generate QA Test Cases │
│ │
▼ │
Build Reports │
HTML — self-contained, shareable, printable to PDF │
JSON — structured, CI/CD-ready │
└──────────────────────────────────────────────────────────────────────────────────┘What It Detects
Registered SDKs (full changelog + risk analysis)
| Category | SDKs | |---|---| | Analytics | Firebase Analytics, Mixpanel, Amplitude, Segment, Microsoft Clarity, Qualtrics | | Crash Reporting | Firebase Crashlytics, Sentry, Bugsnag | | Push Notifications | Firebase Cloud Messaging, OneSignal | | Attribution | Adjust, AppsFlyer | | Deep Linking | Branch | | Engagement / CRM | Braze, Intercom, CleverTap, MoEngage | | Ads | Google AdMob, AppLovin MAX, IronSource | | Security | ZDefend (Zimperium) |
Auto-detected SDKs (version lookup only)
| Platform | What | Source |
|---|---|---|
| iOS | Every .framework inside the IPA not in the registry | CocoaPods trunk API |
| Flutter (Android) | Every plugin registered in DEX (GeneratedPluginRegistrant) | pub.dev API |
No registry entry needed — these are discovered dynamically from the binary.
Reports
HTML Report
A single self-contained file — open in any browser, no internet required. Share as a file or print to PDF.
| Section | Description | |---|---| | Hero banner | App name, bundle ID, version, platform, 🐦 Flutter badge (if applicable), Min SDK / Min OS | | Summary stats | SDKs detected / Outdated / Up to date / Unknown / CVEs Found / QA Test Cases | | Security (CVE) | All vulnerabilities regardless of SDK status — severity, fix version, advisory links | | Outdated SDK cards | Installed vs latest, version gap, risk score, release notes link | | Breaking changes | Parsed from GitHub release notes | | Permission changes | New/removed Android permissions or iOS entitlements | | Deprecated APIs | With migration hints | | QA Test Cases | Auto-generated P0/P1 per SDK | | Master QA Checklist | Interactive checkboxes per priority | | Up to Date / Unknown | Status for all remaining SDKs |
JSON Report
Saved alongside the HTML as <name>-<timestamp>.json. Structure:
{
"generatedAt": "2025-01-01T00:00:00.000Z",
"app": {
"name": "MyApp",
"bundleId": "com.example.myapp",
"version": "1.2.3",
"platform": "android",
"minSdk": 21,
"filename": "MyApp.apk",
"fileSizeMB": 45.2
},
"summary": {
"total": 8,
"outdated": 3,
"current": 4,
"unknown": 1,
"vulns": 2,
"tests": 12
},
"sdks": [
{
"name": "Firebase Analytics",
"status": "outdated",
"installedVersion": "21.0.0",
"latestVersion": "22.1.0",
"versionGap": "1 major, 1 minor",
"risk": { "level": "HIGH", "score": 9, "label": "High Risk" },
"vulnerabilities": [...],
"breakingChanges": [...],
"testCases": [...],
"releaseUrl": "https://..."
}
]
}Flutter Support
SDKGuard automatically detects Flutter apps and scans for plugins:
- Detection — presence of
libflutter.soinlib/*/ - Plugin extraction — scans DEX for:
- Error strings:
"Error registering plugin <pub_name>, <ClassName>" - Class descriptors:
L<package>/Flutter*Plugin; - Asset paths:
flutter_assets/packages/<name>/
- Error strings:
- Version lookup — pub.dev API (
pub.dev/api/packages/<name>) - Report — shows 🐦 Flutter badge in hero; plugins listed under "Flutter Plugin" category
Note: Flutter compiles all Dart code into native blobs (kernel_blob.bin, vm_snapshot_data). Plugin versions are generally not embedded in the binary — status shows as "unknown" with the latest pub.dev version for reference.
CVE / Vulnerability Scanning
Every detected SDK is checked against the OSV database (open-source, free, no API key):
- Severity — CRITICAL / HIGH / MEDIUM / LOW (from CVSS v3/v4 or GitHub Advisory)
- CVE ID — links to NVD or OSV advisory
- Affected range — which versions are vulnerable
- Fix version — minimum version to upgrade to (green highlight)
- Applies regardless of status — a "current" SDK can still have CVEs
Installation
Option A — npx (no install needed)
npx sdkguard-ai MyApp.apkOption B — global install
npm install -g sdkguard-ai
sdkguard MyApp.apkOption C — from source
git clone https://github.com/subrahmanyammarella/sdkguard-ai
cd sdkguard-ai
npm install
node bin/sdkguard.js MyApp.apkCLI Usage
USAGE
sdkguard <file.apk|file.ipa> [options] Analyze an APK or IPA file
sdkguard check <sdk-name> <version> Check a single SDK version
sdkguard list List all supported SDKs
sdkguard --mcp Run as MCP server (Claude Desktop)
OPTIONS
-o, --output <path> Save HTML report to this path (default: temp file)
--no-open Don't open the report in the browser after saving
-h, --help Show this help
EXAMPLES
sdkguard MyApp.apk
sdkguard MyApp.ipa -o ~/Desktop/report.html
sdkguard check clevertap 5.2.1
sdkguard listTerminal output example:
SDKGuard · Analyzing MyApp.apk (45.1 MB)
SDKs detected : 8
Outdated : 3 ⚠️
Up to date : 4
Version unknown: 1
CVEs found : 2 🔒
QA test cases : 7
Outdated SDKs:
🔴 Firebase Analytics 21.0.0 → 22.1.0 (1 major, 1 minor)
🟡 Sentry 6.0.0 → 7.3.0 (1 major, 3 minor)
🟢 Adjust 4.33.0 → 4.38.1 (5 patch)
⚠️ CVEs in detected SDKs:
🔒 Sentry: CVE-2023-28117 [HIGH] — Sentry's Python SDK unintentionally exposes...
📄 HTML Report : /tmp/sdkguard-MyApp-1234567890.html (48.2 KB)
📋 JSON Report : /tmp/sdkguard-MyApp-1234567890.json
🌐 Opened in browserAdd to Claude Desktop (MCP)
Open ~/Library/Application Support/Claude/claude_desktop_config.json and add:
If installed via npm:
{
"mcpServers": {
"sdkguard-ai": {
"command": "npx",
"args": ["sdkguard-ai", "--mcp"]
}
}
}If running from source:
{
"mcpServers": {
"sdkguard-ai": {
"command": "node",
"args": ["/absolute/path/to/SDKGuard-AI/bin/sdkguard.js", "--mcp"]
}
}
}Restart Claude Desktop. The tools are now available in every conversation.
MCP Tools Reference
| Tool | Input | What it does |
|---|---|---|
| analyze_path | file_path | Primary — analyze APK/IPA from file path directly |
| analyze_app | file_base64, filename | Analyze APK/IPA from base64-encoded content |
| check_sdk_version | sdk_name, current_version | Quick version check for one SDK |
| list_supported_sdks | — | Lists all supported SDKs by category |
Sample Claude prompts
Analyze /Users/me/Downloads/MyApp.apk for outdated SDKs
Check this IPA: ~/Desktop/MyApp.ipa — any CVEs or outdated SDKs?
Is firebase-analytics 20.1.0 outdated?
What SDKs can you detect?Risk Scoring
Calculated deterministically — no LLM involved.
| Finding | Weight | |---|---| | Breaking change | +3 per finding | | Permission change | +4 per finding | | Config change | +1 per finding | | Deprecated API | +1 per finding | | HIGH severity finding | +3 bonus | | Each major version behind | +2 per major | | Each minor version behind | +0.5 per minor |
| Score | Level | Action | |---|---|---| | 0 | ✅ Up to date | — | | 1–3 | 🟢 Low | Safe with smoke tests | | 4–7 | 🟡 Medium | Regression testing recommended | | 8–12 | 🔴 High | QA sprint before upgrading | | 13+ | 🚨 Critical | Upgrade blocker |
Version Detection Sources
| Platform | SDK family | Source |
|---|---|---|
| Android | Firebase, Google AdMob | Google Maven (dl.google.com/dl/android/maven2) |
| Android | Most SDKs | GitHub Releases API |
| Android | Maven-only | Maven Central search API |
| iOS | Registered SDKs | GitHub Releases / CocoaPods trunk |
| iOS | Auto-detected frameworks | CocoaPods trunk API (by framework name) |
| Flutter | All plugins | pub.dev API |
Version extraction from binary (Android):
- Root
.propertiesfiles — Gradle embeds exact per-artifact versions (highest accuracy) META-INF/*.properties— Maven group/artifact/version coordinatesartifact:versionstrings in DEX — some SDKs embed these as build-time constants- Binary string scan of DEX files — fallback
Requirements
- Node.js 18+
- No API keys required
- Internet connection for version/CVE lookups (cached per run)
