VANTRACE
How It Works Tools Report Team FAQ
Android APK Security Platform

_

6-tool parallel static analysis pipeline that maps every vulnerability to exact source code, enriches with CWE and OWASP data, then delivers AI-powered True/False Positive verdicts.

Platform returns in
--Days
--Hours
--Mins
--Secs
✓ You are on the list. We will reach out when the platform is live.
Scroll to explore
0Vulnerability Types
0Analysis Tools
~60%Noise Reduced by Dedup
1–8minFull Scan Time
Analysis Engine

6 Tools. One Pipeline.

Industry-standard scanners running in parallel via Celery workers for maximum coverage and minimal wait.

🛡️
MobSF
External · REST API
Mobile Security Framework — comprehensive static analysis of manifest, code, certificates, network config and permissions.
External Tool
🐛
AndroBugs
External · Subprocess
Pattern-based scanner detecting SQL injection, command injection, crypto failures and hardcoded secrets in Android code.
External Tool
📐
PMD
External · Custom Ruleset
Static analyser with VANTRACE custom Android security ruleset covering 5 targeted vulnerability categories.
5 Custom Rules
📊
RiskInDroid
External · ML Scoring
Machine-learning permission risk scorer — computes a 0 to 100 risk score from dangerous permission combinations.
External Tool
🔬
Quark Engine
External · Behaviour Rules
API call-sequence analysis that detects malicious behaviour through method-call chains rather than code text alone.
External Tool
🧩
Framework Detector
Custom · Built for VANTRACE
Original VANTRACE tool — detects React Native, Flutter, Cordova, Xamarin and Unity via file signatures and import scanning.
Custom Built
Capabilities

Beyond Simple Scanning.

From raw tool output to developer-ready remediation at the source code level.

01 🎯
Source Code Traceability
8-strategy engine pinpoints every finding to exact file, class, method and line in decompiled Java and Kotlin. Results are confidence-scored so you know when the match is definitive versus heuristic.
02 🤖
AI Powered Verdict
Local Ollama LLM evaluates each finding against its code context. True or False Positive — zero cloud dependency, fully private.
03 🧹
Smart Deduplication
SHA-256 fingerprints every finding across 7 fields. Eliminates cross-tool duplicates and cuts noise by ~60%.
04 📋
CWE and OWASP Enrichment
Every finding gets CWE ID, OWASP Mobile Top 10, CVSS score and remediation guidance — automatically on every scan.
05
Real-Time Pipeline
Live progress streaming via Django channels and Celery. Watch all 6 tools run simultaneously. Full scan in 1 to 8 minutes.
06 🔒
Secure by Design
JWT auth, UUID-isolated storage, per-user upload scoping and atomic DB transactions throughout the pipeline.
Coverage

13 Vulnerability Types.

Every scan maps findings to CWE, OWASP Mobile Top 10 and CVSS scores automatically.

SQL Injection
CWE-89 · CVSS 9.8
Command Injection
CWE-78 · CVSS 9.8
Hardcoded Secret
CWE-798 · CVSS 8.1
Broken Access Control
CWE-284 · CVSS 7.5
Cryptographic Failure
CWE-327 · CVSS 7.4
Certificate Risk
CWE-321 · CVSS 7.4
Network Security
CWE-319 · CVSS 6.5
Insecure Data Storage
CWE-312 · CVSS 6.5
Security Misconfiguration
CWE-489 · CVSS 6.5
Permission Risk
CWE-284 · CVSS 6.0
Improper Logging
CWE-532 · CVSS 5.5
Privacy Risk
CWE-359 · CVSS 5.3
Framework Detection
CWE-693 · Info
More via MobSF
Hundreds of sub-rules
Process

How It Works.

From APK upload to actionable security report in minutes.

1
📱
Upload APK
Drag and drop your APK file. SHA-256 dedup check prevents redundant scans.
2
⚙️
Parallel Scan
All 6 tools launch simultaneously via Celery workers. Live progress streams back.
3
🎯
Source Trace
8-strategy engine maps every finding to exact file, class and line number.
4
🤖
AI Verdict
Ollama LLM evaluates each finding for True/False Positive classification.
5
📊
Report
Full CWE/OWASP-enriched report with remediation guidance and suppression controls.
Architecture

Scan Pipeline.

Every uploaded APK flows through this automated sequence.

📱 APK Upload & Validation
Extension check · ZIP magic bytes · SHA-256 dedup · UUID path isolation
⚙️ 6-Tool Parallel Analysis
All tools run simultaneously via Celery workers
MobSFAndroBugsPMDRiskInDroidQuark EngineFramework Detector
🧹 Deduplication & Enrichment
SHA-256 fingerprint across 7 fields · CWE / OWASP / CVSS auto-mapping
🎯 Source Code Traceability
8 strategies · File · Class · Method · Line · Confidence score
🤖 AI Verdict (Ollama · llama3.2)
True Positive / False Positive · Suggest Suppress · Local · Private
📊 Security Report Ready
Interactive findings · Batch suppress · PDF export · Full audit trail
Sample Output

What a Report Looks Like.

Real findings from an anonymised sample scan. Click "Simulate Scan" to watch the pipeline run.

MobSF
Waiting...
AndroBugs
Waiting...
PMD
Waiting...
RiskInDroid
Waiting...
Quark Engine
Waiting...
Framework Detector
Waiting...
16 Findings Detected
8 after deduplication · 2 false positives removed by AI · Report ready
com.example.bankapp_v2.1.apk — VANTRACE Security Report
SeverityToolVulnerabilityFileCWEAI Verdict
CriticalAndroBugsSQL Injectiondb/DatabaseHelper.java:142CWE-89✓ True Positive
HighMobSFHardcoded API Keyconfig/Constants.java:23CWE-798✓ True Positive
HighPMDInsecure Randomcrypto/EncryptionUtils.java:67CWE-330✗ False Positive
HighMobSFCertificate Pinning Absentnetwork/ApiClient.java:31CWE-321✓ True Positive
MediumMobSFDebug Mode EnabledAndroidManifest.xml:8CWE-489✓ True Positive
MediumAndroBugsCleartext Trafficres/xml/network_security_config.xml:4CWE-319✓ True Positive
LowPMDImproper Loggingutils/Logger.java:88CWE-532✓ True Positive
InfoFrameworkReact Native Detectedassets/index.android.bundleCWE-693ℹ Info
Analytics

Findings Breakdown.

Typical severity distribution from a sample scan of 16 raw findings, 8 after deduplication.

0 Findings
Critical1
High3
Medium2
Low1
Info1
After AI — False Positives removed-2
Built With

Tech Stack.

Open-source tools and frameworks powering every layer of VANTRACE.

Django 4.2
React 18
PostgreSQL
Redis
Celery
Ollama · llama3.2
MobSF
AndroBugs
PMD
Quark Engine
RiskInDroid
Docker
Python 3.10
JavaScript ES2024
Comparison

VANTRACE vs Alternatives.

FeatureVANTRACE ✦Manual ReviewStandalone Tools
Unified 6-tool pipeline
Source code traceability⚠ Slow
AI True/False Positive verdict
CWE + OWASP auto-mapping⚠ Manual⚠ Partial
Deduplication across tools
Real-time pipeline progressN/A
Scan time per APK1–8 minHoursHours
Batch finding suppression
The Builders

Group 19.

University of Dodoma · CS 418 · Academic Year 2025/2026

👨‍💻
Team Member
Full-Stack Developer
Backend · API · Pipeline
🧑‍💻
Team Member
Frontend Developer
React · UI/UX · Dashboard
🔐
Team Member
Security Researcher
Tools · Traceability · AI
📊
Team Member
Systems Architect
Database · Celery · DevOps

Supervised by Dr. Ngondya · College of Informatics and Virtual Education

FAQ

Common Questions.

VANTRACE supports APK files up to 200 MB. Most production apps are well within this limit. The upload pipeline validates the ZIP structure and magic bytes before accepting any file.

Typically 1 to 8 minutes depending on APK size and complexity. All 6 tools run in parallel via Celery workers, so the bottleneck is the slowest tool rather than the sum of all tools.

APKs are stored under a UUID-isolated path scoped to your user account. Each user can only access their own uploads. Files can be deleted at any time from the dashboard.

VANTRACE works with any APK targeting Android 5.0 (SDK 21) through Android 15 (SDK 35). The platform reads minSdkVersion and targetSdkVersion from the manifest and flags deprecated SDK targets automatically.

No. All AI analysis uses Ollama running locally on the server with the llama3.2 model. No finding data, source code or APK content is sent to any external API or cloud service.

Yes. Individual findings can be suppressed with one click. Batch suppression is also available for findings matching the same rule or tool. Suppressed findings are stored and can be restored at any time from the findings panel.