Safeguard Documentation Center

APK Upload

Upload Android APK files for scanning

Upload Android APK files to Safeguard for SBOM generation and vulnerability scanning of mobile applications.

What Gets Scanned

When you upload an APK file, Safeguard analyzes:

  • Native libraries - .so files and native dependencies
  • Java/Kotlin dependencies - JAR files and Android libraries
  • Third-party SDKs - Advertising, analytics, crash reporting SDKs
  • AndroidManifest.xml - Permissions, components, metadata
  • Build configuration - Gradle dependencies, build tools
  • Embedded resources - Certificates, configuration files

Upload Workflow

Step 1: Navigate to Integrations

Go to Integrations from the sidebar and filter by Upload.

Step 2: Select APK Upload

Click Connect on the Upload APK card.

Step 3: Upload File

  1. Enter a Name for this upload
  2. Optionally add a Description
  3. Drag and drop your APK file, or click Browse to select
  4. Supported: .apk files up to 500MB

Step 4: Configure Project

  1. Set the Project Name (defaults to APK name)
  2. Set the Version (auto-detected from APK if available)
  3. Click Upload to begin scanning

Scan Results

After scanning, you'll see:

  • Dependencies - All third-party libraries and SDKs
  • Vulnerabilities - Known CVEs in dependencies
  • Licenses - License information for components
  • Security findings - Potential security issues

Supported APK Types

  • Standard APK - Full support
  • Split APKs - Upload the base APK
  • Android App Bundle (AAB) - Convert to APK first
  • Debug APK - Supported
  • Release APK - Supported

Best Practices

Use Release Builds

  • Release builds provide the most accurate representation of production dependencies
  • Debug builds may include additional testing libraries

Regular Scanning

  • Scan APKs before each release
  • Set up automated scanning in your CI/CD pipeline
  • Re-scan existing apps when new vulnerabilities are disclosed

Include All Variants

  • If your app has multiple build flavors, scan each variant
  • Different flavors may include different dependencies

Common Dependencies Detected

  • Networking - OkHttp, Retrofit, Volley
  • Image loading - Glide, Picasso, Coil
  • Analytics - Firebase Analytics, Mixpanel, Amplitude
  • Crash reporting - Crashlytics, Sentry, Bugsnag
  • Advertising - Google Ads, Facebook Ads, Unity Ads
  • UI frameworks - Material Components, Jetpack Compose
  • Database - Room, SQLite, Realm

Troubleshooting

"Invalid APK file"

  • Ensure the file is a valid Android APK
  • Check that the file isn't corrupted
  • Verify the file extension is .apk

"APK too large"

  • Maximum file size is 500MB
  • Consider uploading a split APK (base only)
  • Remove debug symbols if included

"Scan incomplete"

  • Some obfuscated APKs may have limited dependency detection
  • Native libraries may require additional analysis
  • Encrypted resources cannot be fully analyzed
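The three upload errors above can be caught locally before the file ever leaves your CI runner. The following pre-flight check is an added example, not Safeguard's own code: it applies the conditions this page states (a .apk extension, a readable ZIP carrying AndroidManifest.xml and classes.dex, size at or under 500MB) and returns a list of problems. The sample APK it builds is a constructed stand-in, not a real app.

```python
import io
import os
import zipfile
from typing import List

MAX_APK_BYTES = 500 * 1024 * 1024  # the 500MB upload limit stated in this page
REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")  # assumed minimum for a scannable APK


def check_apk_bytes(filename: str, data: bytes) -> List[str]:
    """Return the problems found; an empty list means the file should upload cleanly."""
    problems = []
    if not filename.lower().endswith(".apk"):
        problems.append("extension is not .apk (convert AAB bundles to APK first)")
    if len(data) > MAX_APK_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 500MB limit")
    if not data.startswith(b"PK"):
        problems.append("not a ZIP container, so not a valid APK")
        return problems  # nothing further can be inspected
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # first entry with a bad CRC, or None
                problems.append("ZIP contents are corrupted")
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        problems.append("ZIP central directory unreadable (truncated download?)")
        return problems
    for entry in REQUIRED_ENTRIES:
        if entry not in names:
            problems.append(f"missing {entry}")
    return problems


def check_apk(path: str) -> List[str]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return check_apk_bytes(os.path.basename(path), fh.read())


def build_sample_apk(with_manifest: bool = True) -> bytes:
    """Constructed stand-in for an APK: a ZIP with the entries the checker looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_manifest:
            zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_apk_bytes("app-release.apk", build_sample_apk()))  # []
    print(check_apk_bytes("app.aab", build_sample_apk(with_manifest=False)))
```

Run it as a gate step before the upload; a non-empty list is the reason the scan would have failed, without waiting for the server-side error.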
