Methodology

Evidence-backed SDK discovery from the app package outward.

SDK Analyzer reviews the visible contents of published mobile app packages and turns scattered technical signals into a human-readable inventory of SDKs, libraries, frameworks, and native components.

01

Published package

The app package is collected from the public distribution channel when available.

02

Static extraction

We unpack visible bundle, manifest, framework, code, resource, and native artifacts.

03

Evidence signals

Package names, declarations, binary metadata, strings, and native files are correlated.

04

AI interpretation

AI helps classify and explain evidence. It does not replace the underlying signals.

05

Human review

Findings are checked for confidence, caveats, and customer-readable context.

06

SDK report

The final report shows what was visible, why it matters, and what remains uncertain.

Evidence first

Findings start from artifacts found in the package, not from a generic vendor list.

AI as interpretation layer

AI helps translate technical signals into readable purpose, confidence, and caveats.

Platform path

iOS

We review the app bundle and embedded artifacts that are visible in the packaged app.

  • App bundle structure and embedded frameworks
  • Info.plist and configuration metadata
  • Mach-O binaries, visible symbols, and strings
  • Native libraries and cross-platform runtime artifacts

Platform path

Android

We review APK contents across the base package and relevant split packages when available.

  • APK and split APK package contents
  • AndroidManifest.xml declarations
  • DEX/package namespace evidence
  • Native .so libraries, resources, and strings

How to read the output

We separate detection evidence from interpretation.

A good SDK report should not be a black box or a keyword dump. We preserve the evidence trail, assess how strong each signal is, and explain what the detected component commonly does in plain English.

Evidence

Where the signal appeared: bundle, manifest, framework, namespace, string, or native file.

Confidence

How strongly the available signals support the SDK or library identification.

Caveats

What static analysis can and cannot prove about runtime behavior or data collection.
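
The split between evidence and confidence described above can be shown on the Android path. The following is an added example, not SDK Analyzer's own code: the signature table, the SDK names, the two-level confidence scale, and the sample package are all constructed for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# Hypothetical signature table (constructed, not a real vendor list).
SIGNATURES = {
    "ExampleAnalytics": {"namespace": "com/example/analytics/", "native": "libexanalytics.so"},
    "ExampleAds": {"namespace": "com/example/ads/", "native": "libexads.so"},
}
# DEX stores type descriptors such as Lcom/vendor/pkg/Class; as plain bytes.
DESCRIPTOR = re.compile(rb"L((?:[A-Za-z0-9_$]+/)+)[A-Za-z0-9_$]+;")

def collect_evidence(apk_bytes):
    """Return {sdk: [(signal_kind, location, matched_value), ...]}."""
    evidence = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            base = name.rsplit("/", 1)[-1]
            for sdk, sig in SIGNATURES.items():
                if name.startswith("lib/") and base == sig["native"]:
                    evidence[sdk].append(("native", name, base))
            if re.fullmatch(r"classes\d*\.dex", name):
                pkgs = {m.group(1).decode() for m in DESCRIPTOR.finditer(apk.read(name))}
                for sdk, sig in SIGNATURES.items():
                    for pkg in sorted(p for p in pkgs if p.startswith(sig["namespace"])):
                        evidence[sdk].append(("namespace", name, pkg))
    return dict(evidence)

def confidence(signals):
    """Assumed scale: two or more independent signal kinds -> high, one -> low."""
    return "high" if len({kind for kind, _, _ in signals}) >= 2 else "low"

def report(apk_bytes):
    """Keep the evidence trail next to the confidence derived from it."""
    return {sdk: {"confidence": confidence(sig), "evidence": sig}
            for sdk, sig in collect_evidence(apk_bytes).items()}

def build_sample_apk():
    """Constructed sample: a zip laid out like an APK, with stand-in DEX bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00\x00Lcom/example/analytics/Tracker;\x00"
                                  b"Lcom/example/ads/Banner;\x00Lcom/acme/app/Main;\x00")
        z.writestr("lib/arm64-v8a/libexanalytics.so", b"\x7fELF")
    return buf.getvalue()

if __name__ == "__main__":
    for sdk, finding in report(build_sample_apk()).items():
        print(sdk, finding["confidence"], finding["evidence"])
```

A namespace match alone stays at low confidence here because obfuscation can rename packages and a transitive dependency can pull in a namespace the app never calls.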

Limits

Static analysis is powerful, but it has boundaries.

Reports are written to be useful without overstating certainty. When a technical limit affects visibility, we call it out instead of pretending the package tells the whole story.

Static analysis shows what is bundled or declared, not every behavior that occurs at runtime.

Server-side SDKs, remote configuration, and dynamically loaded code may not be visible in the package.

Obfuscation, stripped native binaries, app variants, and cross-platform runtimes can reduce attribution certainty.

Some libraries are transitive dependencies, so reports distinguish evidence strength from interpretation.

Built for buyers who need more than a guess.

SDK Analyzer turns low-level mobile package signals into a concise report with evidence, confidence levels, business context, and limitations.