iOS Static Security Analysis Platform
IPA Auditor is a browser-based static security analysis tool for iOS applications. It performs comprehensive security scanning of IPA files based on OWASP MASVS guidelines without requiring any server-side processing or file uploads.
100% Client-Side - All analysis happens in your browser. Your IPA files are never uploaded anywhere.
| Feature | Description |
|---|---|
| Static Analysis | 50+ security checks based on OWASP MASVS guidelines |
| Binary Security | PIE, ARC, Stack Canary, and encryption verification |
| File Explorer | Browse IPA contents with syntax highlighting |
| Secret Detection | Find hardcoded API keys, tokens, and credentials |
| Plist Analysis | Parse and analyze Info.plist and embedded plists |
| Permission Audit | Review app permissions and privacy descriptions |
| URL Scheme Analysis | Identify custom URL schemes and deep links |
| Tracker Detection | Identify embedded analytics and tracking SDKs |
| PDF Reports | Export detailed security assessment reports |
Comprehensive security findings categorized by severity with detailed remediation guidance based on OWASP MASVS.
Full-featured file browser with syntax highlighting, hex viewer, and string extraction for binary analysis.
IPA Auditor performs 50+ security checks across multiple categories:
- NSUserDefaults Insecure Storage
- CoreData Unencrypted Storage
- Realm Database Encryption
- SQLite Database Usage
- Keychain Secure Storage
- Plist File Write Operations
- Weak Hash Algorithms (MD5, SHA1)
- Weak Encryption (DES/3DES)
- ECB Mode Encryption
- Insecure Random Generator
- Hardcoded Secrets/Passwords
- Insecure HTTP URLs
- SSL/TLS Validation Disabled
- SSL Pinning Implementation
- ATS Configuration Analysis
- Weak TLS Versions
- Jailbreak Detection
- Anti-Debug Protection
- PIE (Position Independent Executable)
- Stack Canary Protection
- ARC (Automatic Reference Counting)
- Deprecated UIWebView Usage
- JavaScript in WebView
- Custom URL Scheme Handlers
- Universal Links Validation
- Clipboard/Pasteboard Access
- AWS S3 Bucket Exposure
- Firebase Database URLs
- Google API Key Exposure
- Hardcoded Tokens/Bearer
- Location Tracking
- Contacts Access
- Camera/Microphone Access
- Debug Logging
- Tracker/SDK Detection
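How the binary checks in the list above (PIE, stack canary, ARC, encryption) can be derived from a Mach-O file, as an added example that is not IPA Auditor's own code. The function names, the symbol-string heuristics for stack canary and ARC, and the constructed sample binary are assumptions made for illustration.

```javascript
// Added example (not IPA Auditor's code): checksec-style heuristics for a Mach-O image.
const MH_MAGIC = 0xfeedface, MH_MAGIC_64 = 0xfeedfacf, FAT_MAGIC = 0xcafebabe;
const MH_PIE = 0x200000, LC_ENCRYPTION_INFO = 0x21, LC_ENCRYPTION_INFO_64 = 0x2c;

// Inspect one little-endian Mach-O slice (the layout used by iOS device binaries).
function checkSlice(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const magic = bytes.length >= 28 ? dv.getUint32(0, true) : 0;
  if (magic !== MH_MAGIC && magic !== MH_MAGIC_64) throw new Error("not a Mach-O slice");
  const ncmds = dv.getUint32(16, true), flags = dv.getUint32(24, true);
  let encrypted = false, off = magic === MH_MAGIC_64 ? 32 : 28;
  for (let i = 0; i < ncmds && off + 8 <= bytes.length; i++) {
    const cmd = dv.getUint32(off, true), size = dv.getUint32(off + 4, true);
    if (size < 8) break; // malformed load command: stop instead of looping in place
    if ((cmd === LC_ENCRYPTION_INFO || cmd === LC_ENCRYPTION_INFO_64) && off + 20 <= bytes.length)
      encrypted = dv.getUint32(off + 16, true) !== 0; // cryptid: non-zero means still encrypted
    off += size;
  }
  // Assumption: symbol names are matched as raw strings, as pattern-matching scanners do.
  const text = new TextDecoder("latin1").decode(bytes);
  return {
    pie: (flags & MH_PIE) !== 0,
    stackCanary: text.includes("___stack_chk_guard") || text.includes("___stack_chk_fail"),
    arc: text.includes("_objc_release"),
    encrypted,
  };
}

// Fat (universal) binaries carry a big-endian table of slices; check each one.
function checksec(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length < 8 || dv.getUint32(0, false) !== FAT_MAGIC) return [checkSlice(bytes)];
  const out = [];
  for (let i = 0, n = dv.getUint32(4, false); i < n; i++) {
    const o = dv.getUint32(16 + i * 20, false), s = dv.getUint32(20 + i * 20, false);
    out.push(checkSlice(bytes.subarray(o, o + s)));
  }
  return out;
}

// Constructed sample: arm64 header, one LC_ENCRYPTION_INFO_64, then symbol-name strings.
function sampleMachO({ pie, cryptid, symbols }) {
  const strs = new TextEncoder().encode(symbols.join("\0") + "\0");
  const bytes = new Uint8Array(32 + 24 + strs.length), dv = new DataView(bytes.buffer);
  [MH_MAGIC_64, 0x0100000c, 0, 2, 1, 24, pie ? MH_PIE : 0, 0].forEach((v, i) => dv.setUint32(i * 4, v, true));
  [LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0].forEach((v, i) => dv.setUint32(32 + i * 4, v, true));
  bytes.set(strs, 56);
  return bytes;
}
```

String matches of this kind only indicate that a symbol name is present in the file, which is why such results need manual verification.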
Visit ipaauditor.com to use the tool directly in your browser.
```bash
# Clone the repository
git clone https://github.com/thecybersandeep/ipaauditor.git
# Navigate to the directory
cd ipaauditor
# Open in browser (no server required)
# Simply open index.html in your browser
```
- Drop or Select your IPA file
- Wait for the analysis to complete
- Review findings across different tabs:
  - Overview: App info, permissions, trackers
  - Findings: Security issues grouped by severity
  - Binary: Checksec results and libraries
  - Explorer: Browse and inspect all files
- Export a detailed PDF report
Your data never leaves your device.
- 100% client-side processing
- No server uploads
- No data collection
- No tracking
- Works offline (after initial load)
Generate professional PDF reports containing:
- Application metadata
- Security score
- All findings with severity levels
- Binary security checks
- Permissions analysis
- Detected trackers/SDKs
- CWE and OWASP references
This tool is intended for authorized security testing and educational purposes only. Users are responsible for ensuring they have proper authorization before analyzing any application. The authors are not responsible for any misuse of this tool.
Note: This is an automated pattern-matching scanner, NOT a comprehensive security audit. Results are indicative only and require manual verification by a qualified security professional.
- JSZip - ZIP file processing
- plist.js - Property list parsing
- jsPDF - PDF report generation
- Vanilla JS - No framework dependencies
Sandeep
- LinkedIn: @sandeepwawdane
- GitHub: @thecybersandeep
- ADB Auditor - Android Security Analysis Tool




