A powerful command-line tool for analyzing Flutter Android apps to discover security issues, secrets, API endpoints, and more. FlutterGuard runs completely offline on your machine—no cloud services, no tracking, just local analysis.
FlutterGuard CLI analyzes Flutter app APK files and extracts:
- 🔑 Secrets & API Keys — Finds hardcoded passwords, tokens, and credentials
- 🌐 Network Details — Extracts URLs, domains, API endpoints, and Firebase configs
- 📦 Dependencies — Lists all Flutter packages with direct links to pub.dev
- 📋 App Metadata — Package name, version, SDK info, and permissions
- 🔍 Third-Party Services — Detects bundled SDKs, CDNs, and analytics libraries
- 📜 Certificate Info — Analyzes signing certificates and flags self-signed ones
- 📁 Complete Breakdown — Organized assets, resources, and full decompiled source code
One-line install for Linux/macOS:
```bash
curl -sSL https://raw.githubusercontent.com/flutterguard/flutterguard-cli/main/install.sh | bash
```
One-line install for Windows (PowerShell):
```powershell
irm https://raw.githubusercontent.com/flutterguard/flutterguard-cli/main/install.ps1 | iex
```
The script will automatically detect your OS/architecture, download the latest release, and install it to your PATH.
Option 1: Download Pre-Built Binary
Step 1: Download from Releases:
| Platform | Download Link |
|---|---|
| Linux (x64) | flutterguard-cli-linux-amd64 |
| Linux (ARM64) | flutterguard-cli-linux-arm64 |
| macOS (Intel) | flutterguard-cli-darwin-amd64 |
| macOS (Apple Silicon) | flutterguard-cli-darwin-arm64 |
| Windows (x64) | flutterguard-cli-windows-amd64.exe |
Step 2: Install it on your system:
Linux/macOS:
```bash
# Make executable
chmod +x flutterguard-cli-*
# Install to PATH
sudo mv flutterguard-cli-* /usr/local/bin/flutterguard-cli
# Verify
flutterguard-cli --version
```
Windows:
- Rename the downloaded file to `flutterguard-cli.exe`
- Move it to a directory in your PATH (e.g., `C:\Windows\System32`)
- Or keep it anywhere and add that directory to your PATH
```powershell
# Verify
flutterguard-cli.exe --version
```
Option 2: Build From Source
Requirements:
- Go 1.24+ (Download Go)
- Git
Steps:
```bash
# Clone the repository
git clone https://github.com/flutterguard/flutterguard-cli.git
cd flutterguard-cli
# Build
go build -o flutterguard-cli
# Install (optional)
sudo mv flutterguard-cli /usr/local/bin/
# Verify
flutterguard-cli --version
```
Option 3: Package Managers (Coming Soon)
We're working on adding support for popular package managers:
- Homebrew (macOS/Linux): `brew install flutterguard-cli`
- Snap (Linux): `snap install flutterguard-cli`
- Chocolatey (Windows): `choco install flutterguard-cli`
- AUR (Arch Linux): `yay -S flutterguard-cli`
- Scoop (Windows): `scoop install flutterguard-cli`
Stay tuned for updates!
FlutterGuard works standalone, but these tools provide richer analysis:
- AAPT2 — Enhanced APK metadata extraction
  - Linux: `sudo apt install aapt`
  - macOS: Included with Android SDK
  - Windows: Download from Android SDK
- JADX — Advanced Java decompilation
  - Download: github.com/skylot/jadx/releases
  - Or via Homebrew: `brew install jadx`
- OpenSSL — Detailed certificate inspection (usually pre-installed on Linux/macOS)
Analyze a Flutter app APK and save organized results to a directory:
```bash
flutterguard-cli --apk app.apk --outDir ./results
```
This creates a folder named after the app's package (e.g., `results/com.example.app/`) containing all findings, assets, and decompiled code.

Add `--verbose` to see real-time progress updates:
```bash
flutterguard-cli --apk app.apk --outDir ./results --verbose
```
JSON format (default, good for automation):
```bash
flutterguard-cli --apk app.apk --format json
```
Text format (human-readable summary):
```bash
flutterguard-cli --apk app.apk --format text
```
Structured directory (most comprehensive):
```bash
flutterguard-cli --apk app.apk --outDir ~/my-analysis
```
By default, FlutterGuard runs completely offline. Enable network features for:
- Domain DNS validation
- pub.dev package information enrichment
```bash
flutterguard-cli --apk app.apk --outDir ./results --enable-network-and-dns-checks
```
When using `--outDir`, FlutterGuard creates an organized directory structure:
```
results/
└── com.example.app/
    ├── summary.md              ← Start here! Overview with clickable links
    ├── analysis.json           ← Full structured data (JSON)
    ├── emails.txt              ← Email addresses found
    ├── domains.txt             ← Domain names and hosts
    ├── urls.txt                ← All URLs discovered
    ├── api_endpoints.txt       ← API endpoints with HTTP methods
    ├── packages.txt            ← Flutter packages with pub.dev links
    ├── permissions.txt         ← Android permissions (⚠️ = dangerous)
    ├── services.txt            ← Third-party SDKs detected
    ├── hardcoded_keys.txt      ← Potential secrets and API keys
    ├── assets/                 ← App resources by file type
    │   ├── json/
    │   ├── png/
    │   ├── xml/
    │   ├── ttf/
    │   └── ...
    └── decompiled/             ← Complete APK contents
        ├── AndroidManifest.xml
        ├── classes.dex
        ├── lib/                ← Native libraries (.so files)
        ├── res/                ← App resources
        ├── assets/             ← Embedded assets
        └── META-INF/           ← Signing certificates
```
Tip: Open summary.md in any markdown viewer—it includes a table of contents with links to all findings.
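As an added example (not part of the FlutterGuard project), the shell functions below gate a CI job on the output files listed above. They assume each finding is one non-blank line and that dangerous permissions carry the ⚠ marker shown in the tree; `count_lines`, `count_dangerous` and `review_results` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: fail a build based on FlutterGuard's --outDir results.
# Assumption: one finding per non-blank line; the README does not
# specify the exact line format of these files.

# Print the number of non-blank lines in a file (0 if it is missing).
count_lines() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '[^[:space:]]' "$1" || true   # grep exits 1 on zero matches
}

# Print the number of permission lines flagged with the ⚠ marker.
count_dangerous() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c '⚠' "$1" || true
}

# review_results DIR [MAX_DANGEROUS]
# Prints one summary line per package directory under DIR.
# Returns 0 if clean, 1 if any package has potential secrets or more
# dangerous permissions than MAX_DANGEROUS, 2 if DIR holds no results
# (fail closed: a missing scan must not pass the gate).
review_results() {
  local out_dir=$1 max_dangerous=${2:-0} status=0 found=0 pkg keys perms
  for pkg in "$out_dir"/*/; do
    [ -d "$pkg" ] || continue
    found=$((found + 1))
    keys=$(count_lines "${pkg}hardcoded_keys.txt")
    perms=$(count_dangerous "${pkg}permissions.txt")
    echo "$(basename "$pkg"): secrets=$keys dangerous_permissions=$perms"
    if [ "$keys" -gt 0 ] || [ "$perms" -gt "$max_dangerous" ]; then
      status=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no package directories in $out_dir" >&2
    return 2
  fi
  return "$status"
}

# Usage in CI (flags as documented above):
#   flutterguard-cli --apk app.apk --outDir ./results
#   review_results ./results 3 || exit 1
```

Entries in `hardcoded_keys.txt` are described as potential secrets, so a failing gate is a prompt to triage each line, not proof of a leak.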
FlutterGuard is written in Go rather than Dart because:
- Single Compiled Binary: Users get a standalone executable with zero dependencies—just download and run, no runtime required.
- Cross-Platform Distribution: Go compiles easily to Windows, macOS, and Linux with a single codebase, making it simpler for users across different systems.
- Performance: Go offers native compilation speed and efficiency ideal for analyzing large APK files and intensive security scanning operations.
- CLI Excellence: Go is purpose-built for command-line tools with strong standard library support for file I/O, process execution, and signal handling.
- Ecosystem: Direct access to powerful tools like JADX and aapt2 without the overhead of a UI framework designed for mobile apps.
While Dart excels at building Flutter mobile and web apps, Go is the better choice for a developer tool that needs to be lightweight, fast, and dependency-free.
Contributions are welcome, whether bug fixes, new features, or documentation improvements.
```bash
# Fork and clone the repository
git clone https://github.com/YOUR_USERNAME/flutterguard-cli.git
cd flutterguard-cli
# Download dependencies
go mod download
# Build the project
go build -o build/flutterguard-cli
# Run tests
go test ./...
```
- 🔍 New detection patterns for secrets and suspicious code
- 🛠️ Integration with additional analysis tools
- 📊 New report formats (HTML, PDF, CSV)
- 🐛 Bug fixes and performance improvements
- 📚 Documentation and examples
- 🌍 Internationalization support

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Make your changes with clear commit messages
- Add tests for new functionality
- Run `go test ./...` and `go vet ./...`
- Submit a pull request with a clear description

- Follow standard Go formatting (`gofmt`, `go vet`)
- Use descriptive names for functions and variables
- Comment exported functions and complex logic
- Keep functions focused and reasonably sized
- Write tests for new features
Found a bug? Open an issue with:
- Description of what you tried to do
- What happened vs. what you expected
- Your OS, Go version, and FlutterGuard version
- Steps to reproduce (if possible)
MIT License - see the LICENSE file for details.
Built for the Flutter and Android security community
