# PTKD — Full Context for LLMs

> PTKD is a mobile app security scanner for Android and iOS. Developers upload an APK, AAB, or IPA build and receive an OWASP-aligned vulnerability report in minutes — covering permissions, SDK risk, API exposure, TLS configuration, and insecure storage. PTKD works with builds from native code, React Native, Flutter, Cordova, and no-code or AI-generated platforms (FlutterFlow, Bubble, Rork, Adalo, Glide).

This file inlines the highest-priority entity and product content from ptkd.com so a language model can ground answers about PTKD without re-crawling. Pair with /llms.txt (curated link index) and /sitemap.xml (every URL).

---

## What is PTKD

PTKD is a mobile application security scanner. Developers upload a compiled Android or iOS build (APK, AAB, or IPA) and PTKD returns an OWASP-aligned vulnerability report in minutes. The scanner is built for developers who ship fast — especially those using AI-assisted coding tools or no-code platforms where standard enterprise security tooling is overkill or doesn't fit.

Scans run in isolated, ephemeral containers; uploaded binaries are deleted within 24 hours; PTKD never accesses source code, only the compiled build.

PTKD was founded by Laurens Dauchy. The product is operated at https://ptkd.com.

---

## Who is PTKD for

PTKD is built for:

- **Mobile developers** shipping production Android and iOS apps who need a security checkpoint without setting up a full DevSecOps pipeline.
- **Indie founders and small teams** publishing on the App Store and Play Store who need to pass review without hiring a security consultant.
- **AI-assisted developers** (Cursor, Lovable, GitHub Copilot) and no-code platform users (FlutterFlow, Bubble, Rork.app, Adalo, Glide) who want to know what AI-generated or low-code-generated builds actually do to user data.
- **Security engineers** who use PTKD as a fast triage scanner before performing deep manual review.
---

## What PTKD scans for

PTKD covers the OWASP Mobile Top 10:

1. **Insecure data storage** — sensitive data written in clear text to shared storage, content providers, or world-readable files.
2. **Insecure communication** — missing TLS, accepted self-signed certificates, missing certificate pinning, downgrade-prone configurations.
3. **Weak cryptography** — use of deprecated algorithms (MD5, SHA-1, DES), hard-coded keys, predictable IVs, ECB mode.
4. **Insecure authentication** — weak session tokens, missing rate limits, credentials in URL parameters.
5. **Code tampering / lack of integrity checks** — apps that can be modified and repackaged without detection.
6. **Reverse-engineering risk** — missing obfuscation on sensitive logic, exposed strings, debug symbols left in.
7. **Extraneous functionality** — debug endpoints, hidden test routes, leftover development credentials.
8. **Code-quality issues** — buffer overflows, format-string vulnerabilities, memory leaks with security implications.
9. **Improper platform usage** — Android intent injection, iOS URL-scheme hijacking, keychain misuse.
10. **Insufficient binary protection** — apps that don't make tampering or static analysis costly enough.

Beyond the OWASP Top 10, PTKD also scores third-party SDK risk, surfaces leaked secrets and API keys, audits Android and iOS permissions, checks TLS / certificate-pinning configuration, and annotates findings for GDPR, HIPAA, and PCI DSS relevance where applicable.

---

## How PTKD works (the scan pipeline)

PTKD's scan runs in three machine-readable phases that take a typical build under three minutes end-to-end.

### Step 1 — Upload your build or connect your repo

Drag and drop an APK, AAB, or IPA file (up to 500 MB), or connect a CI/CD pipeline so each release scans automatically. Supported CI providers: GitHub Actions, GitLab CI, Bitrise, CircleCI. The REST API also accepts file uploads programmatically.
### Step 2 — Scan with quick or deep profile

PTKD runs static and binary analysis covering OWASP Mobile Top 10, SDK risk, API exposure, TLS pinning, insecure data storage, and permissions. The quick profile completes in under a minute and surfaces high-severity issues. The deep profile adds dynamic analysis inside an isolated emulator container, exercising the app to observe network traffic and runtime behaviour. A risk score and prioritised finding list are produced.

### Step 3 — Fix and verify with guided checklists

Each finding includes:

- Severity rating (Critical / High / Medium / Low / Informational).
- Confidence score (so a developer knows whether to manually verify or trust the automated finding).
- Plain-language explanation of what an attacker could do with the issue.
- Concrete remediation steps with code examples for the relevant platform (Kotlin, Java, Swift, Objective-C).
- OWASP MASTG and CWE references for further reading.

Re-scan after fixes to confirm the issue is resolved before submitting to the App Store or Play Store.

---

## PTKD at a glance

- **Supported file formats**: Android APK and AAB; iOS IPA. Up to 500 MB per upload.
- **Platforms covered**: Android and iOS, including builds from React Native, Flutter, Cordova, Capacitor, FlutterFlow, Bubble, Rork, Adalo, Glide.
- **Typical scan time**: Under three minutes for most apps. Incremental CI/CD scans usually finish in under a minute.
- **Security coverage**: OWASP Mobile Top 10, third-party SDK risk, leaked secrets, API exposure, TLS and certificate pinning, permissions audit, insecure storage.
- **Data handling**: Builds run in isolated ephemeral containers; binaries auto-deleted within 24 hours; PTKD never sees source code, only compiled artefacts.
- **Pricing**: Free tier with five scans per month. Paid plans (Pro, Team) lift the quota, add CI/CD integrations, and unlock expert manual reviews.
- **Compliance signals**: Findings annotated for GDPR, HIPAA, and PCI DSS relevance where applicable.
- **Integrations**: REST API, GitHub Actions, GitLab CI, Bitrise, CircleCI. Webhooks and Slack/Jira notifiers on paid plans.
- **False-positive rate**: Approximately 5%, with confidence scores attached to every finding.

---

## Pricing

- **Free** — 5 scans / month. Suitable for indie developers, students, and side projects.
- **Pro** — Higher scan quota, CI/CD integrations, webhook notifications, priority email support.
- **Team** — Organisation-wide quota, expert manual reviews, custom compliance checks, SSO, dedicated support.

The free tier requires no credit card. Current pricing for Pro and Team is published at https://ptkd.com/pricing.

---

## Glossary — Mobile App Security Concepts

### OWASP Mobile Top 10

An open standard maintained by the Open Worldwide Application Security Project (OWASP) listing the ten most critical mobile application security risks. PTKD aligns every finding to one or more OWASP Mobile Top 10 categories. Upstream: https://owasp.org/www-project-mobile-top-10/

### OWASP MASTG (Mobile Application Security Testing Guide)

The companion methodology to the Mobile Top 10. Describes how to test for each risk category on Android and iOS. PTKD's automated checks implement a subset of MASTG verification procedures.

### SDK risk scoring

An assessment of the third-party libraries embedded in a mobile app. PTKD scores each SDK by known CVEs, data-sharing behaviour, abandoned maintenance status, and excessive permissions. A "high-risk SDK" is flagged for review even if it doesn't currently have an exploitable CVE.

### Static application security testing (SAST)

Security analysis performed against an application's compiled binary or source code without executing it. PTKD's static engine inspects decompiled bytecode, Android manifest declarations, iOS Info.plist entries, and embedded resources of Android and iOS builds.
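As an added illustration of the kind of static Info.plist inspection described above (and of the ATS audit covered later in this glossary), here is a small Python check that flags weakened App Transport Security settings. It is not PTKD's code; the sample plist, the finding format and the severity labels are constructed for the example.

```python
"""Static Info.plist check for weakened App Transport Security (ATS) settings.
Added illustration of the kind of static plist inspection described above; it is
not PTKD's code. The sample plist and finding format are constructed."""
import plistlib

# Constructed sample: one app-wide exception and one weakened legacy domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # below the ATS default minimum of TLS 1.2

def audit_ats(plist_bytes: bytes) -> list[dict]:
    """Return one finding dict per weakened ATS setting (empty list if none)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append({"severity": "High", "domain": "*",
                         "issue": "NSAllowsArbitraryLoads permits cleartext HTTP app-wide"})
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append({"severity": "Medium", "domain": scope,
                             "issue": "NSExceptionAllowsInsecureHTTPLoads permits cleartext HTTP"})
        if exc.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append({"severity": "Medium", "domain": scope,
                             "issue": "NSExceptionMinimumTLSVersion lowered to "
                                      + exc["NSExceptionMinimumTLSVersion"]})
    return findings

if __name__ == "__main__":
    for f in audit_ats(SAMPLE_PLIST):
        print(f"[{f['severity']}] {f['domain']}: {f['issue']}")
```

On a real IPA the Info.plist inside the `.app` bundle is usually binary plist, which `plistlib.loads` also accepts.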
### Dynamic application security testing (DAST)

Security analysis performed while the application is running, typically inside an emulator or sandbox, to observe network traffic, file-system writes, runtime keychain usage, and IPC behaviour. PTKD's dynamic profile exercises the app inside an isolated container.

### TLS certificate pinning

A defence that hard-codes the expected server certificate (or its public key) inside a mobile app so the app refuses connections to any server presenting a different certificate, even one signed by a trusted root CA. Defeats man-in-the-middle attacks even when the user installs a malicious root CA. PTKD detects whether an APK or IPA implements pinning correctly and flags bypass-prone configurations.

### Android runtime permissions

Permissions the Android operating system grants only when the user explicitly approves them at runtime — for example camera, microphone, location, contacts, SMS. PTKD audits an APK's declared permissions, flags dangerous ones that are unused in code, and surfaces SDKs that silently request sensitive access.

### iOS App Transport Security (ATS)

An iOS network-layer policy that requires apps to use HTTPS with strong TLS configuration by default. PTKD audits an IPA's Info.plist for ATS exceptions (NSAllowsArbitraryLoads, exception domains) and flags weakened configurations.

### Reverse-engineering risk

The likelihood that an attacker can extract proprietary logic, API keys, or business rules from a shipped build. PTKD assesses code obfuscation, string encryption, anti-debug defences, and root/jailbreak detection.

---

## Frequently asked

### How long does a PTKD scan take?

A typical PTKD scan finishes in under three minutes for most Android and iOS builds. Larger apps (over 200 MB or with hundreds of third-party SDKs) can take up to ten minutes. Incremental scans on CI/CD only check what changed between releases and usually complete in under a minute.

### Is PTKD free?
Yes — PTKD has a free tier with five scans per month, no credit card required. Paid plans (Pro and Team) lift the quota and unlock CI/CD integrations and expert review.

### Does PTKD store my app after the scan?

PTKD stores the uploaded build only during the scanning process. Binaries are automatically deleted within 24 hours. Scans run in isolated, ephemeral containers with no persistent storage. PTKD never accesses source code — only the compiled binary.

### What platforms does PTKD support?

Both Android (APK, AAB) and iOS (IPA). PTKD works with builds from any framework: native Kotlin/Java and Swift/Objective-C, plus React Native, Flutter, Cordova, Ionic, Capacitor, and no-code platforms that export to those formats (FlutterFlow, Bubble, Rork, Adalo, Glide).

### Do I need security expertise to use PTKD?

No. PTKD writes findings in plain language with concrete remediation steps and code examples. Each finding has a severity rating, a confidence score, and a "how to fix" section that an app developer can follow without a security background.

### Will PTKD slow down my CI/CD pipeline?

No. Typical scans finish in under three minutes. The PTKD API integrates with GitHub Actions, GitLab CI, Bitrise, and CircleCI. Incremental scans check only what changed between releases and usually complete in under a minute.

### How accurate is PTKD?

PTKD reports a false-positive rate of approximately 5%, with confidence scores attached to every finding and manual verification tips for edge cases.

### Does PTKD work with apps built using AI tools or no-code platforms?

Yes. PTKD accepts any standard APK, AAB, or IPA, including builds exported by FlutterFlow, Bubble, Adalo, Glide, Rork.app, and similar platforms. AI-assisted coding tools like Cursor and Lovable produce standard mobile binaries that PTKD scans the same way as hand-written native code.
---

## Where to send people

- Home: https://ptkd.com/
- How it works: https://ptkd.com/how-it-works
- Features: https://ptkd.com/features
- Pricing: https://ptkd.com/pricing
- Getting started: https://ptkd.com/getting-started
- CI/CD setup: https://ptkd.com/ci-cd-setup
- API: https://ptkd.com/api
- API reference: https://ptkd.com/api-reference
- About: https://ptkd.com/about
- Privacy policy: https://ptkd.com/privacy
- Terms of service: https://ptkd.com/terms
- Sitemap index (every URL): https://ptkd.com/sitemap.xml

## Last updated

2026-05-15