iOS Static Security Analysis Platform
IPA Auditor is a browser-based static security analysis tool for iOS applications. It performs comprehensive security scanning of IPA files based on OWASP MASVS guidelines without requiring any server-side processing or file uploads.
100% Client-Side - All analysis happens in your browser. Your IPA files are never uploaded anywhere.
| Feature | Description |
|---|---|
| Static Analysis | 50+ security checks based on OWASP MASVS guidelines |
| Binary Security | PIE, ARC, Stack Canary, and encryption verification |
| File Explorer | Browse IPA contents with syntax highlighting |
| Secret Detection | Find hardcoded API keys, tokens, and credentials |
| Plist Analysis | Parse and analyze Info.plist and embedded plists |
| Permission Audit | Review app permissions and privacy descriptions |
| URL Scheme Analysis | Identify custom URL schemes and deep links |
| Tracker Detection | Identify embedded analytics and tracking SDKs |
| PDF Reports | Export detailed security assessment reports |
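The Plist Analysis, Permission Audit and URL Scheme Analysis rows all work from the parsed Info.plist. The block below is an added example, not IPA Auditor's own code, of what such checks look like over an object shaped like the output of plist.js's `plist.parse()` (dictionaries become objects, `<true/>` becomes `true`). The rule names, severities, the 20-character usage-description threshold and the sample Info.plist object are this example's own assumptions.

```javascript
// Added example, not IPA Auditor's own code: Info.plist checks over an object shaped
// like plist.parse() output. Rule names and severities are this example's choices.

const WEAK_TLS = new Set(['TLSv1.0', 'TLSv1.1']);

// App Transport Security findings from the NSAppTransportSecurity dictionary.
function analyzeATS(info) {
  const ats = info.NSAppTransportSecurity;
  const findings = [];
  if (!ats) return findings; // no dictionary at all: ATS defaults apply (HTTPS required)
  if (ats.NSAllowsArbitraryLoads === true) {
    findings.push({ rule: 'ats-arbitrary-loads', severity: 'high',
      detail: 'NSAllowsArbitraryLoads disables ATS for every connection' });
  }
  if (ats.NSAllowsArbitraryLoadsInWebContent === true) {
    findings.push({ rule: 'ats-arbitrary-loads-web', severity: 'medium',
      detail: 'ATS disabled for web view content' });
  }
  if (ats.NSAllowsArbitraryLoadsForMedia === true) {
    findings.push({ rule: 'ats-arbitrary-loads-media', severity: 'low',
      detail: 'ATS disabled for AVFoundation media' });
  }
  for (const [domain, ex] of Object.entries(ats.NSExceptionDomains || {})) {
    const scope = ex.NSIncludesSubdomains ? `${domain} (and subdomains)` : domain;
    if (ex.NSExceptionAllowsInsecureHTTPLoads === true) {
      findings.push({ rule: 'ats-exception-insecure-http', severity: 'medium',
        detail: `cleartext HTTP permitted for ${scope}` });
    }
    if (WEAK_TLS.has(ex.NSExceptionMinimumTLSVersion)) {
      findings.push({ rule: 'ats-weak-tls', severity: 'medium',
        detail: `${ex.NSExceptionMinimumTLSVersion} accepted for ${scope}` });
    }
    if (ex.NSExceptionRequiresForwardSecrecy === false) {
      findings.push({ rule: 'ats-no-forward-secrecy', severity: 'low',
        detail: `forward secrecy not required for ${scope}` });
    }
  }
  return findings;
}

// Custom URL schemes registered in CFBundleURLTypes. Any installed app can claim the
// same scheme, so the handler must validate whatever arrives through it.
function urlSchemes(info) {
  const schemes = [];
  for (const t of info.CFBundleURLTypes || []) {
    for (const s of t.CFBundleURLSchemes || []) schemes.push(s);
  }
  return schemes;
}

// Privacy usage strings: list every NS*UsageDescription key and flag ones too short
// to explain the purpose to the user (the threshold is this example's choice).
function permissionAudit(info, minLen = 20) {
  return Object.entries(info)
    .filter(([k]) => k.startsWith('NS') && k.endsWith('UsageDescription'))
    .map(([key, value]) => {
      const text = String(value ?? '').trim();
      return { key, text, weak: text.length < minLen };
    });
}

function auditInfoPlist(info) {
  return { ats: analyzeATS(info), schemes: urlSchemes(info), permissions: permissionAudit(info) };
}

// Constructed sample, as plist.parse() would return it for a small Info.plist.
const SAMPLE_INFO = {
  CFBundleIdentifier: 'com.example.demo',
  NSAppTransportSecurity: {
    NSAllowsArbitraryLoads: true,
    NSExceptionDomains: {
      'legacy.example.com': {
        NSIncludesSubdomains: true,
        NSExceptionAllowsInsecureHTTPLoads: true,
        NSExceptionMinimumTLSVersion: 'TLSv1.0',
      },
    },
  },
  CFBundleURLTypes: [{ CFBundleURLName: 'com.example.demo', CFBundleURLSchemes: ['exampleapp'] }],
  NSCameraUsageDescription: 'Camera',
  NSLocationWhenInUseUsageDescription: 'Shows nearby stores on the map while the app is open.',
};

console.log(JSON.stringify(auditInfoPlist(SAMPLE_INFO), null, 2));
```

Universal links are not visible here: the associated domains live in the app's entitlements, not in Info.plist, so a plist-only pass can list custom schemes but cannot confirm Universal Links configuration.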
Comprehensive security findings categorized by severity with detailed remediation guidance based on OWASP MASVS.
Full-featured file browser with syntax highlighting, hex viewer, and string extraction for binary analysis.
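The hex and string views are the raw material for the Binary tab's checksec-style results. The block below is an added example in Node.js, not IPA Auditor's own implementation, of how PIE, encryption, stack canary and ARC are determined for a Mach-O executable: PIE from the MH_PIE flag in the header, encryption from the cryptid field of LC_ENCRYPTION_INFO(_64), and canary/ARC from the presence of the `___stack_chk_fail`/`___stack_chk_guard` and `_objc_release`/`_objc_retain` symbol names, which this example finds by a plain byte scan rather than by walking LC_SYMTAB. The `buildSample` helper fabricates a minimal header plus a fake string table as constructed test input; it is not a real binary.

```javascript
// Added example, not IPA Auditor's own code: checksec-style Mach-O checks in Node.js.
// Buffer is a Node global; a browser port would read the same offsets with DataView.
const MH_MAGIC = 0xfeedface, MH_MAGIC_64 = 0xfeedfacf;          // thin, little-endian
const FAT_MAGIC = 0xcafebabe, FAT_MAGIC_64 = 0xcafebabf;        // universal, big-endian
const MH_PIE = 0x00200000;                                      // header flag: ASLR-capable
const LC_ENCRYPTION_INFO = 0x21, LC_ENCRYPTION_INFO_64 = 0x2c;  // FairPlay encryption info
const CPU_TYPE_ARM64 = 0x0100000c, MH_EXECUTE = 2;

function checksec(buf) {
  if (buf.length < 32) throw new Error('too small to be a Mach-O file');
  const be = buf.readUInt32BE(0);
  if (be === FAT_MAGIC || be === FAT_MAGIC_64) {
    throw new Error('FAT binary: check each architecture slice separately');
  }
  const magic = buf.readUInt32LE(0);
  let is64;
  if (magic === MH_MAGIC_64) is64 = true;
  else if (magic === MH_MAGIC) is64 = false;
  else throw new Error('not a Mach-O file');

  const ncmds = buf.readUInt32LE(16);
  const sizeofcmds = buf.readUInt32LE(20);
  const flags = buf.readUInt32LE(24);
  let off = is64 ? 32 : 28;                  // mach_header_64 adds a 4-byte reserved field
  const end = Math.min(buf.length, off + sizeofcmds);

  let encrypted = false;
  for (let i = 0; i < ncmds && off + 8 <= end; i++) {
    const cmd = buf.readUInt32LE(off);
    const cmdsize = buf.readUInt32LE(off + 4);
    if (cmdsize < 8 || off + cmdsize > end) throw new Error('malformed load command');
    if ((cmd === LC_ENCRYPTION_INFO || cmd === LC_ENCRYPTION_INFO_64) && cmdsize >= 20) {
      encrypted = buf.readUInt32LE(off + 16) !== 0;   // cryptid: 0 = not encrypted
    }
    off += cmdsize;
  }
  return {
    pie: (flags & MH_PIE) !== 0,
    encrypted,
    // Heuristic: symbol names sit in the string table, so a byte scan finds them.
    // A full implementation would walk LC_SYMTAB to avoid false positives.
    stackCanary: buf.includes('___stack_chk_fail') || buf.includes('___stack_chk_guard'),
    arc: buf.includes('_objc_release') || buf.includes('_objc_retain'),
  };
}

// Constructed sample: a minimal arm64 header, one LC_ENCRYPTION_INFO_64 command and a
// fake string table. Not a loadable binary, just enough bytes for checksec() to read.
function buildSample({ pie, cryptid, symbols }) {
  const header = Buffer.alloc(32);
  header.writeUInt32LE(MH_MAGIC_64, 0);
  header.writeUInt32LE(CPU_TYPE_ARM64, 4);
  header.writeUInt32LE(0, 8);                        // cpusubtype
  header.writeUInt32LE(MH_EXECUTE, 12);              // filetype
  header.writeUInt32LE(1, 16);                       // ncmds
  header.writeUInt32LE(24, 20);                      // sizeofcmds
  header.writeUInt32LE(pie ? MH_PIE : 0, 24);        // flags
  const lc = Buffer.alloc(24);
  lc.writeUInt32LE(LC_ENCRYPTION_INFO_64, 0);
  lc.writeUInt32LE(24, 4);                           // cmdsize
  lc.writeUInt32LE(0x4000, 8);                       // cryptoff
  lc.writeUInt32LE(0x10000, 12);                     // cryptsize
  lc.writeUInt32LE(cryptid, 16);                     // cryptid
  const strtab = Buffer.from('\0' + symbols.join('\0') + '\0', 'latin1');
  return Buffer.concat([header, lc, strtab]);
}

console.log(checksec(buildSample({ pie: true, cryptid: 0, symbols: ['___stack_chk_fail', '_objc_release'] })));
console.log(checksec(buildSample({ pie: false, cryptid: 1, symbols: ['_main'] })));
```

Two caveats a practitioner would want: a universal (FAT) file starts with the big-endian 0xcafebabe magic and has to be split into per-architecture slices before these checks mean anything, and an App Store build normally reports `encrypted: true` because its `__TEXT` segment is FairPlay-encrypted, so string-based results over the main executable are unreliable until the binary has been decrypted on a device.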
IPA Auditor performs 50+ security checks across multiple categories:
- NSUserDefaults Insecure Storage
- CoreData Unencrypted Storage
- Realm Database Encryption
- SQLite Database Usage
- Keychain Secure Storage
- Plist File Write Operations
- Weak Hash Algorithms (MD5, SHA1)
- Weak Encryption (DES/3DES)
- ECB Mode Encryption
- Insecure Random Generator
- Hardcoded Secrets/Passwords
- Insecure HTTP URLs
- SSL/TLS Validation Disabled
- SSL Pinning Implementation
- ATS Configuration Analysis
- Weak TLS Versions
- Jailbreak Detection
- Anti-Debug Protection
- PIE (Position Independent Executable)
- Stack Canary Protection
- ARC (Automatic Reference Counting)
- Deprecated UIWebView Usage
- JavaScript in WebView
- Custom URL Scheme Handlers
- Universal Links Validation
- Clipboard/Pasteboard Access
- AWS S3 Bucket Exposure
- Firebase Database URLs
- Google API Key Exposure
- Hardcoded Tokens/Bearer
- Location Tracking
- Contacts Access
- Camera/Microphone Access
- Debug Logging
- Tracker/SDK Detection
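Several of the checks above (Hardcoded Secrets/Passwords, Insecure HTTP URLs, AWS S3 Bucket Exposure, Firebase Database URLs, Google API Key Exposure, Hardcoded Tokens/Bearer) are pattern matches over strings pulled out of the binary and resource files. As an added example, not IPA Auditor's own rule set, here is a `strings`-style extractor and a small set of rules in Node.js; the rule names, severities, regular expressions, ignore list and sample bytes are this example's own. The key-like values in the sample are format-valid placeholders, not live credentials.

```javascript
// Added example, not IPA Auditor's own code: strings-style extraction from a byte
// buffer followed by pattern matching for hardcoded secrets and cleartext URLs.

// Pull runs of printable ASCII of at least minLen bytes, keeping their file offsets.
function extractStrings(buf, minLen = 4) {
  const out = [];
  let start = -1;
  for (let i = 0; i <= buf.length; i++) {
    const printable = i < buf.length && buf[i] >= 0x20 && buf[i] <= 0x7e;
    if (printable) { if (start < 0) start = i; continue; }
    if (start >= 0 && i - start >= minLen) {
      out.push({ offset: start, text: buf.toString('latin1', start, i) });
    }
    start = -1;
  }
  return out;
}

// Rule set (this example's own). Severities are a triage hint, not a verdict.
const RULES = [
  { rule: 'aws-access-key',     severity: 'high',   re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { rule: 'google-api-key',     severity: 'medium', re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  { rule: 'firebase-url',       severity: 'low',    re: /https?:\/\/[a-z0-9-]+\.firebaseio\.com/i },
  { rule: 's3-bucket',          severity: 'low',    re: /(?:s3:\/\/[a-z0-9.-]+|https?:\/\/[a-z0-9.-]+\.s3[.-][a-z0-9.-]*amazonaws\.com)/i },
  { rule: 'bearer-token',       severity: 'high',   re: /\bBearer\s+[A-Za-z0-9._~+\/-]{20,}=*/ },
  { rule: 'hardcoded-password', severity: 'high',   re: /(?:password|passwd|pwd|secret)\s*[=:]\s*["']?([^\s"']{4,})/i },
  { rule: 'insecure-http',      severity: 'medium', re: /\bhttp:\/\/[^\s"'<>]+/i },
];

// Apple's plist DTD URL appears in every XML plist and is not a network call.
const IGNORE = [/^http:\/\/www\.apple\.com\/DTDs\//i];

function scanSecrets(buf) {
  const findings = [];
  for (const { offset, text } of extractStrings(buf)) {
    for (const { rule, severity, re } of RULES) {
      const m = re.exec(text);
      if (!m || IGNORE.some((ig) => ig.test(m[0]))) continue;
      findings.push({ rule, severity, offset, match: m[0] });
    }
  }
  return findings;
}

// Constructed sample: a few non-printable bytes interleaved with embedded strings.
const SAMPLE = Buffer.concat([
  Buffer.from([0xcf, 0xfa, 0xed, 0xfe, 0x0c, 0x00, 0x00, 0x01]),
  Buffer.from('http://www.apple.com/DTDs/PropertyList-1.0.dtd\0', 'latin1'),
  Buffer.from('https://api.example.com/v2/\0', 'latin1'),
  Buffer.from([0x00, 0x01, 0x02, 0x03]),
  Buffer.from('aws_key=AKIAIOSFODNN7EXAMPLE\0', 'latin1'),
  Buffer.from('AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe\0', 'latin1'),
  Buffer.from('https://demo-app.firebaseio.com\0', 'latin1'),
  Buffer.from('Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl\0', 'latin1'),
  Buffer.from('http://legacy.example.com/login\0', 'latin1'),
  Buffer.from('db_password=hunter2!\0', 'latin1'),
  Buffer.from([0xff, 0xfe, 0x7f]),
]);

console.log(scanSecrets(SAMPLE));
```

Every hit is a candidate to verify by hand, which is the point of the disclaimer later in this README: a string that looks like an AWS key may be a test fixture, and the password rule fires on any `password=` assignment, including ones that reference a keychain item rather than a literal. Resource files inside the `.app` (plists, JSON, bundled JavaScript) are usually the richer source, since an App Store main executable is encrypted and yields few meaningful strings.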
Visit ipaauditor.com to use the tool directly in your browser.
```bash
# Clone the repository
git clone https://github.com/thecybersandeep/ipaauditor.git

# Navigate to the directory
cd ipaauditor
```

Simply double-click index.html to open it in your browser. It works offline!

```bash
# Windows
start index.html

# macOS
open index.html

# Linux
xdg-open index.html
```

If you prefer using a local server:

Python:

```bash
python -m http.server 8000
# Open http://localhost:8000
```

Node.js:

```bash
npx serve .
# Open http://localhost:3000
```

VS Code: Install the "Live Server" extension, right-click index.html and choose "Open with Live Server".
1. Drop or select your IPA file
2. Wait for the analysis to complete
3. Review findings across the different tabs:
   - Overview: App info, permissions, trackers
   - Findings: Security issues grouped by severity
   - Binary: Checksec results and libraries
   - Explorer: Browse and inspect all files
4. Export a detailed PDF report
Your data never leaves your device.
- 100% client-side processing
- No server uploads
- No data collection
- No tracking
- Works offline (after initial load)
Generate professional PDF reports containing:
- Application metadata
- Security score
- All findings with severity levels
- Binary security checks
- Permissions analysis
- Detected trackers/SDKs
- CWE and OWASP references
```
ipaauditor/
├── index.html           # Main application page
├── ipa-analyzer.js      # Core analysis engine
├── lib/                 # Third-party libraries
│   ├── jszip.min.js     # ZIP file processing
│   ├── plist.min.js     # Property list parsing
│   └── jspdf.umd.min.js # PDF generation
├── start-server.bat     # Windows server launcher
├── start-server.sh      # Mac/Linux server launcher
├── README.md            # This file
├── LICENSE              # CC BY-NC-ND 4.0
└── CNAME                # Custom domain config
```
This tool is intended for authorized security testing and educational purposes only. Users are responsible for ensuring they have proper authorization before analyzing any application. The authors are not responsible for any misuse of this tool.
Note: This is an automated pattern-matching scanner, NOT a comprehensive security audit. Results are indicative only and require manual verification by a qualified security professional.
- JSZip - ZIP file processing
- plist.js - Property list parsing
- jsPDF - PDF report generation
- Vanilla JS - No framework dependencies
Sandeep
- LinkedIn: @sandeepwawdane
- GitHub: @thecybersandeep
- ADB Auditor - Android Security Analysis Tool