AppXpose
FILE 001 / TRACKERS / EVIDENCE LOG
Issue No. 1

Your phone is talking. To strangers.

The average Android app you installed today ships with 7 third-party tracker SDKs baked into its bytecode. AppXpose tears the app apart on your device and shows you exactly which ones, before they start phoning home.

AppXpose scanning Clash of Clans, showing a 52/100 risk score and the list of third parties the app shares data with
EXHIBIT A · CLASH OF CLANS · 52/100 · MEDIUM
EXPOSED ↓
google.firebase.analytics DETECTED facebook.appevents DETECTED com.adjust.sdk DETECTED com.appsflyer DETECTED io.branch.referral DETECTED com.onesignal DETECTED com.mixpanel.android DETECTED com.amplitude.api DETECTED com.crashlytics DETECTED com.huawei.hms DETECTED com.flurry.android DETECTED com.unity3d.ads DETECTED com.applovin.sdk DETECTED com.ironsource DETECTED com.tapjoy DETECTED com.singular.sdk DETECTED
II. The dossier

Four exhibits. Each one independently verifiable in the source code.

What's actually inside the apps you opened today.

01
Exhibit 01

On-device DEX analysis

The bytecode never leaves your phone.

AppXpose unpacks the APK file directly through the Android Package Manager and reads its DEX classes in-process. Class names, method calls, and obfuscation patterns are matched against 94 curated tracker signatures, without ever uploading a single byte. The analysis happens in the same place the malware would run: on your device.

"We can't leak what we never had."
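
The class-name side of this matching, as an added example (not AppXpose's code): DEX type descriptors are converted to dotted names and matched on package boundaries against a signature table. The package prefixes come from the ticker above; the display names, function names and sample descriptors are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed signature table: prefixes appear on this page, display names are assumed.
SIGNATURES = {
    "com.appsflyer": "AppsFlyer",
    "com.adjust.sdk": "Adjust",
    "io.branch.referral": "Branch",
    "com.mixpanel.android": "Mixpanel",
    "com.unity3d.ads": "Unity Ads",
}

# A class type descriptor in a DEX file has the form Lpkg/sub/Name;
_DESCRIPTOR = re.compile(r"^L([\w$/-]+);$")

def descriptor_to_dotted(desc):
    """Convert 'Lcom/foo/Bar;' to 'com.foo.Bar'; return None for non-class types."""
    m = _DESCRIPTOR.match(desc)
    return m.group(1).replace("/", ".") if m else None

def match_trackers(descriptors, signatures=SIGNATURES):
    """Return {tracker name: sorted list of matching class names}."""
    hits = defaultdict(set)
    for desc in descriptors:
        name = descriptor_to_dotted(desc)
        if name is None:
            continue  # primitives and arrays such as '[I'
        for prefix, tracker in signatures.items():
            # Match on a package boundary so com.adjust.sdk does not hit com.adjust.sdkx.
            if name == prefix or name.startswith(prefix + "."):
                hits[tracker].add(name)
    return {tracker: sorted(classes) for tracker, classes in hits.items()}

# Constructed sample of descriptors, as they would appear in a classes.dex type table.
SAMPLE = [
    "Lcom/appsflyer/AppsFlyerLib;",
    "Lcom/appsflyer/internal/a;",       # obfuscated class, package name kept
    "Lcom/adjust/sdk/Adjust;",
    "Lcom/adjust/sdkx/Helper;",         # near miss, must not match
    "Lcom/example/game/MainActivity;",
    "[I",                               # int array, not a class
    "La/b/c;",                          # fully renamed: prefix matching cannot see this
]

if __name__ == "__main__":
    for tracker, classes in match_trackers(SAMPLE).items():
        print(tracker, classes)
```

The last sample entry shows the limit of name-based signatures: once the package itself is renamed, only method-call or behavioural signals remain.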

02
Exhibit 02

Breach risk forecast

HIBP-checked every 72 hours.

For every app you scan, we look up the developer's known email addresses against the Have I Been Pwned database via k-anonymity (no personal data leaves your device). If a developer or one of their services has ever been part of a public breach, you find out before it becomes a problem in your inbox.

"The forecast is the warning."

03
Exhibit 03

Permission audit

Every dangerous request, mapped and ranked.

Every Android permission an app requests is mapped to a plain-language explanation, ranked by risk class (normal, dangerous, signature, special), and diffed against your last scan. When an app silently asks for location after an update, you see it on the next open. Not three months later when you happen to check Settings.

"Permissions you can read."

04
Exhibit 04

Community verdict

Anonymous votes, profanity-filtered, no algorithm games.

Other AppXpose users have already scanned the apps you have installed. Their scores, comments, and warnings are pinned next to the technical results. There are no follower counts, no engagement loops, just signal from people who came to the same question you did.

"Wisdom of the cautious."

III. The lab

Three models we are training on the corpus of scans we already have. Not yet shipped.

IN TRAINING

We are also teaching the scanner.

Every scan AppXpose performs feeds an anonymized training corpus. We are using it to train three machine-learning models that the static DEX analyzer alone cannot replicate, including a tracker-permission linker, a mod/fake APK classifier, and a behavioural pattern recognizer that maps relationships across apps. The corpus is consent-based and contains no personal data.

M01
Tracker Permission Linker
Learns which Android permissions co-occur with which tracker SDKs, so we can flag suspicious combinations even when the SDK is obfuscated.
M02
Mod / Fake APK Classifier
Trained on our growing corpus of repackaged and counterfeit APKs. Detects sideloaded copies that pretend to be the legitimate app.
M03
Behavioural Pattern Recognizer
Surfaces non-obvious links across apps. Same dev, same servers, same SDK fingerprint, same data buyer. Maps the relationships our DEX scanner alone cannot see.
IV. Inside the app

Eight exhibits from the app itself.

What you actually see on screen.

V. Always-on protection / GUARD
€3,79 / month · €19,99 / year

Five alerts. Watching the apps while you don't.

GUARD is the part of AppXpose that runs while you're not looking. It schedules background workers, diffs each app update against its previous fingerprint, and pings the breach databases on a fixed cadence. When something changes you get exactly one notification, written by a human, not a template.

A1
Breach Alert
Every 24h
Cross-checks every developer email tied to your installed apps against the Have I Been Pwned database. New leak, instant push.
A2
Tracker Change Alert
Every 24h
New SDKs sneak into apps via routine updates. We diff every release and tell you which trackers were just added.
A3
Permission Change Alert
Every 24h
A flashlight app suddenly wants your contacts? You hear about it the moment the manifest changes.
A4
App Removed Alert
Every 24h
When Google pulls an app from the Play Store, you get the story. Usually before the news writes about it.
A5
Developer Change Alert
Every 24h
Apps get sold all the time. New owner means new privacy policy, new servers, new motives. We catch the handover.
VI. Pricing

No tiers labelled "Enterprise". No "Contact sales". No upsells.

Three plans. Honest prices.

T1
Free

For the curious.

0 ex. tax
forever
  • 3 scans per week
  • Full scan results
  • Community verdict
  • Ad-supported
T2
Pro

For the suspicious.

2,79 ex. tax
one-time, lifetime
  • Unlimited scans
  • One-tap manage and delete installed apps
  • Saved scan history
  • No ads. Ever.
  • Priority refresh
RECOMMENDED
T3
GUARD

For the responsible.

3,79 ex. tax
monthly · 19,99 / year
  • Everything in Pro
  • 5 background alerts
  • Daily breach checks
  • Daily app diffs
  • Cancel anytime

All prices shown without VAT. Final price including local taxes is calculated at checkout in Google Play.

Billed via Google Play. Cancel anytime in Play → Subscriptions.

VII. Frequent questions

If yours isn't here, write us. We'll add it.

What people always ask first.

Q1

Does AppXpose upload my apps to a server?

No. The DEX bytecode analysis runs entirely on your device. We only contact our edge for cached metadata (tracker signatures, breach status), and those requests are anonymized via HMAC-signed device fingerprints. No email, no Google account, no advertising ID.
Q2

How is this different from network ad blockers?

Ad blockers stop network requests after they fire. AppXpose tells you which trackers are baked into the app itself, even ones that only fire on certain conditions. Diagnosis vs. treatment.
Q3

Why pay if scanning is local?

Only the bytecode analysis is local. Everything that makes the scan readable is server-side and AI-assisted: the paywall and monetization breakdown, the developer profile (who they are, where their servers live, GDPR posture), the risk score reasoning, the data-sharing probabilities, and the natural-language explanations next to every finding. Each scan triggers calls to LLM APIs, the HIBP proxy, the Exodus tracker database, and our cached signature store on Cloudflare D1. We also run five GUARD background workers and a community vote system. None of that runs for free. The free tier covers casual checks; Pro and GUARD cover people who want the full pipeline without rationing.
Q4

Is the source code public?

The Android client is closed-source for now. Detection signatures, risk weights, and pricing are documented openly. We plan to open the detection engine once it stops shifting weekly.
Q5

iOS version?

No. iOS's sandbox model prevents the kind of bytecode analysis AppXpose performs. It's Android-only and likely will stay that way.
VIII. Final note

Trust no app. Verify them all.

AppXpose is free to install and free to try. Three scans a week, full results, no signup, no card. The whole thing took longer to download than to use.

END OF FILE 001
⊕ FILED · INDEPENDENT · BERLIN