Technical transparency

How AppXpose actually works.

Privacy claims are easy to make and hard to verify. So here's the full pipeline. Every step, every data flow, every thing we don't touch.

01

You pick an app

AppXpose lists every app installed on your device. You choose one. Nothing happens until you tap.

02

We unpack the APK locally

The Android Package Manager hands us the installed APK. We read its DEX bytecode and manifest in-process. Bytes never leave your phone.

03

Pattern match against 90+ tracker signatures

Class names, method calls, package paths matched against a curated signature database (Exodus plus our own). Every hit gets a confidence score.

04

Cross-check breach + permissions

We pull the latest cached metadata from our server (HMAC-signed, 30-day TTL) and combine it with the local results. Permissions are mapped to readable explanations.

05

You see a score and a story

Not just a number. What was found, why it matters, and what changed since the last scan. You can save the report, share it, or vote.

What we collect, and what we don't.

Two lists. They should be enough to know whether you trust us.

We never collect

  • Email addresses or accounts
  • Google Advertising ID
  • IMEI, phone number, SIM data
  • Location, contacts, photos
  • App content or messages
  • Persistent identifiers across reinstalls

We do collect

  • A device fingerprint hash (rotates on reinstall)
  • Quota counter (3 scans/week for free tier)
  • Anonymous community votes (no author identity)
  • Crash reports if you opt in (Firebase Crashlytics)

The architecture, briefly.

┌─ Your Phone ─────────────────────────────┐
│ AppXpose (Kotlin + Compose)              │
│ • DEX bytecode reader                    │
│ • Tracker signature matcher              │
│ • Local cache (Room DB, v9 keys)         │
│ • SharedPrefs: scan history flag         │
└──────────────┬───────────────────────────┘
               │ HMAC-SHA256 signed, no auth
┌─ Cloudflare Edge ────────────────────────┐
│ Worker + D1 database                     │
│ • Cached tracker signatures (5 min TTL)  │
│ • Quota counter (per device fingerprint) │
│ • HIBP proxy (breach checks)             │
│ • Community votes (anonymous)            │
└──────────────────────────────────────────┘

Everything between your phone and our edge is HTTPS plus HMAC. The HMAC key rotates per app version. The "device fingerprint" is a one-way hash of stable hardware characteristics. It cannot be reversed into a person, and it changes when you reinstall the app or factory reset.
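
As an added illustration (not AppXpose's own code), this is one way a client could check the HMAC-SHA256-signed, 30-day-TTL metadata from step 04 with a key selected per app version, as the paragraph above describes. It is sketched in Python rather than the app's Kotlin; the envelope layout, the `issued_at` field, the clock-skew allowance, the demo keys and all function names are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TTL_SECONDS = 30 * 24 * 3600   # 30-day TTL stated on the page
MAX_SKEW_SECONDS = 300         # assumed tolerance for client clock drift

# Constructed demo keys: the page says the key rotates per app version.
KEYS_BY_APP_VERSION = {
    "1.4.0": b"demo-key-for-1.4.0",
    "1.5.0": b"demo-key-for-1.5.0",
}


def canonical(payload: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, app_version: str) -> str:
    """Produce the hex HMAC-SHA256 tag over the canonical payload."""
    key = KEYS_BY_APP_VERSION[app_version]
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(envelope: dict, app_version: str, now: Optional[float] = None) -> dict:
    """Return the payload if the tag is valid and fresh; raise ValueError otherwise."""
    key = KEYS_BY_APP_VERSION.get(app_version)
    if key is None:
        raise ValueError("unknown app version")
    payload, tag = envelope.get("payload"), envelope.get("tag")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        raise ValueError("malformed envelope")
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), tag.encode("utf-8")):
        raise ValueError("bad signature")
    # Freshness is checked only after authenticity: issued_at is covered by the tag.
    issued_at = payload.get("issued_at")
    if not isinstance(issued_at, (int, float)):
        raise ValueError("malformed envelope")
    age = (time.time() if now is None else now) - issued_at
    if age < -MAX_SKEW_SECONDS or age > TTL_SECONDS:
        raise ValueError("stale or future-dated metadata")
    return payload
```

Because the timestamp sits inside the signed payload, a cached response cannot be made to look fresh by editing `issued_at` without invalidating the tag.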

Found something we missed?

Security claims should be falsifiable. If you see a gap, ping us. We'll fix it and credit you in the next release notes.

mahere@appxpose.app