Secrets & API Keys
AWS, Firebase, Stripe, JWT tokens
Malware Indicators
C2 domains, SMS fraud, overlay attacks
Weak Cryptography
DES, RC4, ECB mode, MD5/SHA1
Manifest Issues
Debug mode, exported components
Certificate Pinning
Bypass patterns, missing pinning
WebView Risks
JS interfaces, file access, XSS
Insecure Storage
World-readable prefs, unencrypted DBs
Anti-Tamper
Missing debug/tamper protection
SDK Inventory
30+ SDKs mapped to known CVEs
Intent Fuzzing
adb commands for exported components