# Application Package Scanning
Scan macOS, iOS, Android, Windows, and Linux application packages for security issues.
## Quick Start

```bash
cyscan app MyApp.app                    # macOS app bundle
cyscan app MyApp.ipa                    # iOS TestFlight / App Store build
cyscan app MyApp.apk                    # Android APK
cyscan app Installer.pkg                # macOS installer
cyscan app setup.exe                    # Windows executable
cyscan app package.deb                  # Debian package
cyscan app package.rpm                  # RPM package
cyscan app --format json MyApp.app      # JSON output
cyscan app --fail-below 80 MyApp.ipa    # CI gate
```
## Supported Formats

| Format | Platform | What's checked |
|---|---|---|
| .app | macOS | Code signing, entitlements, sandbox, ATS, Hardened Runtime, notarization, privacy manifest, binary secrets, framework signing, min OS version |
| .ipa | iOS | Provisioning profile (dev vs dist), ATS, privacy manifest, min iOS version, binary secrets, embedded frameworks |
| .pkg | macOS | Installer script analysis, signing, notarization |
| .apk | Android | Debuggable flag, backup, cleartext traffic, 13 dangerous permissions, signing, DEX secrets, min SDK |
| .aab | Android | Same as APK (App Bundle) |
| .exe | Windows | Binary secrets, HTTP URLs |
| .msi | Windows | Binary secrets, HTTP URLs |
| .deb | Linux | Maintainer script analysis, SUID binaries |
| .rpm | Linux | Scriptlet analysis |
## macOS .app Checks (12+)

| Check | Severity | What it detects |
|---|---|---|
| Code Signing | Critical | Unsigned or invalid signature |
| App Sandbox | High | Missing sandbox entitlement |
| Dangerous Entitlements | Critical-High | disable-library-validation, allow-unsigned-executable-memory, get-task-allow, debugger |
| App Transport Security | High | NSAllowsArbitraryLoads = true |
| URL Schemes | Medium | Registration of http/https/file schemes |
| Hardened Runtime | High | Not enabled |
| Library Validation | High | Disabled |
| Framework Signing | High | Unsigned embedded frameworks |
| Binary Secrets | Critical | AWS keys, Stripe keys, private keys, OpenAI keys in Mach-O strings |
| Privacy Manifest | High | Missing PrivacyInfo.xcprivacy (required since Spring 2024) |
| Provisioning Profile | High | Development profile in release build |
| Notarization | High | Not notarized by Apple |
| Minimum OS Version | Medium | Below macOS 13 (Ventura) |
## Android APK Checks

| Check | Severity | What it detects |
|---|---|---|
| Debuggable | Critical | android:debuggable=true |
| Backup Allowed | High | android:allowBackup=true |
| Cleartext Traffic | High | android:usesCleartextTraffic=true |
| Min SDK Version | Medium | Below API 28 (Android 9) |
| Dangerous Permissions | High-Critical | SEND_SMS, READ_SMS, CALL_PHONE, INSTALL_PACKAGES, SYSTEM_ALERT_WINDOW, etc. |
| APK Signing | Critical | Invalid or missing signature |
| DEX Secrets | Critical | AWS keys, Stripe keys, Firebase keys in compiled bytecode |
## Installer Script Analysis (.pkg / .deb / .rpm)

Installer scripts (preinstall, postinstall, preinst, postinst, etc.) are analyzed for:

| Pattern | Severity | Why it's dangerous |
|---|---|---|
| curl \| bash | Critical | Downloads and executes arbitrary code at install time |
| chmod 777 | High | Sets world-writable permissions |
| Hardcoded passwords | Critical | Credentials in plain text |
| sudo / elevated privileges | Medium | Unnecessary root operations |
| SUID binaries in package | High | Privilege escalation vectors |
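A minimal checker in the spirit of the table above, added here as an illustration rather than cyscan's own implementation: the regexes are an assumption about how such patterns can be matched, and the postinstall script it scans is constructed for the demo.

```python
import re

# Detection rules modelled on the page's installer-script table (assumed patterns, not cyscan's rules).
# Each entry: (check name, severity, compiled regex applied to one script line at a time).
PATTERNS = [
    # curl/wget output piped straight into a shell, optionally via sudo
    ("pipe-to-shell", "Critical",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # chmod 777 / chmod -R 0777: world-writable files or trees
    ("world-writable", "High",
     re.compile(r"\bchmod\s+(-R\s+)?0?777\b")),
    # PASSWORD=..., secret=..., token=... with a literal value on the right-hand side
    ("hardcoded-password", "Critical",
     re.compile(r"(passw(or)?d|secret|token)\s*=\s*['\"]?[^\s'\"]{4,}", re.IGNORECASE)),
    # any use of sudo inside an installer script that already runs as root
    ("elevated-privileges", "Medium",
     re.compile(r"\bsudo\b")),
]

SEVERITY_RANK = {"Medium": 1, "High": 2, "Critical": 3}

# Constructed sample postinstall script exercising every rule (not from a real package).
SAMPLE_POSTINSTALL = """#!/bin/sh
# constructed sample for the demo
set -e
curl -fsSL https://example.invalid/install.sh | sh
chmod -R 777 /opt/myapp
DB_PASSWORD='hunter2'
sudo chown root:root /opt/myapp/helper
echo "done"
"""


def scan_installer_script(text):
    """Return one finding dict per (line, rule) match, skipping blank and comment lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for name, severity, rx in PATTERNS:
            if rx.search(stripped):
                findings.append({"line": lineno, "check": name,
                                 "severity": severity, "text": stripped})
    return findings


def max_severity(findings):
    """Highest severity among findings, or None when the script is clean (useful as a CI gate)."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for f in scan_installer_script(SAMPLE_POSTINSTALL):
        print(f"[{f['severity']:>8}] line {f['line']}: {f['check']} -> {f['text']}")
```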
## Example Output

```text
App: MyApp (app)
Bundle ID: com.example.myapp
Version: 2.1.0
Frameworks: 5
Security Score: 72/100 [FAIR]
Passed: 8 Failed: 4 Total: 12
[ PASS ] [CRIT] Code Signing
[ FAIL ] [HIGH] App Sandbox
         App is NOT sandboxed
[ PASS ] [HIGH] App Transport Security (ATS)
[ FAIL ] [CRIT] Hardcoded secret: AWS Access Key
         AWS Access Key found embedded in binary
[ FAIL ] [HIGH] Privacy Manifest (PrivacyInfo.xcprivacy)
         MISSING — Apple requires for App Store
[ PASS ] [HIGH] Apple Notarization
...
```