Veracta · truthful actions

Ground truth on what apps do with your data.

Veracta proves what software actually does at runtime: what data is accessed, what leaves the device or environment, where it goes, and how strong the evidence is.

We analyze runtime behavior across Android apps, Chrome extensions, and VS Code extensions.

Choose the role closest to you
Proof What you get

The same proof engine powers every path.

Whether you are preparing evidence, shipping software, or investigating in the public interest, the question is the same: what did the app actually do with data, where did it happen, and how do we know?

01

Runtime behavior

Privacy labels, policies, and static review describe expected practice. Veracta observes what the software actually does while it runs.

02

Decrypted traffic

Session keys come from inside the app, then recorded traffic is decrypted host-side, so pinned TLS, QUIC, HTTP/3, and bundled crypto remain visible.

03

Confirmed exfiltration

Marker-free canary values for IDs, GPS, email, phone, and clipboard separate confirmed data sharing from suspicion or capability-only findings.

04

Region attribution

Runs verify the requested country before analysis begins, so a finding is tied to the jurisdiction where the behavior was actually observed.

05

Normal app path

Android apps are installed from Google Play and run in environments that preserve normal app behavior, rather than sideloaded test builds.

06

Reviewable evidence

Requests, traces, provenance metadata, regions, and SHA-256 checksums stay attached so someone else can inspect the basis for a claim.

FAQ

Frequently asked questions

01How is this different from a proxy or MITM tool?+
A man-in-the-middle proxy fakes a certificate the app can reject, and sits in the network path where the app can detect it. Veracta captures the app's own session keys from inside the app and decrypts the traffic host-side. There's no proxy to detect and no certificate to refuse, so it works on pinned, QUIC, bundled-crypto, and anti-tamper-protected apps that defeat proxies entirely.
02What does "confirmed exfiltration" actually mean?+
Before each scan we plant unique, random, marker-free canary values for device IDs, GPS, email, phone, and clipboard. When one of those exact values, which exists nowhere else in the world, appears in an outbound request to a third party, that's proof the app collected it and sent it. We search plaintext plus roughly twenty hashed and encoded variants, and weight a plaintext match above a hashed one.
03Why does the region matter?+
An app can behave completely differently for a user in Germany versus Brazil. Veracta proves the device's traffic actually exits the country you requested before any analysis runs, using a two-layer check measured on the device and corroborated from the host. A region mismatch is a hard abort, so a finding is never misattributed to the wrong country.
04Is the evidence usable in a regulatory or legal context?+
Every run produces a complete, organized evidence directory following FAIR data principles and W3C provenance metadata, with a SHA-256 checksum for every file. A regulator or court can be handed the decrypted request that proves a claim, not just a summary. Output maps to the Australian Privacy Principles (APP 1–13), and the architecture generalizes to GDPR and similar regimes.
05Do you sideload apps?+
No. The platform installs the app from the real Google Play Store and confirms the installer was Google Play, so the app behaves exactly as it would for a normal user. Both the real phones and the cloud emulators pass Google Play Integrity at the STRONG level, so apps don't detect a test environment and hide.
06What about privacy and data handling on your side?+
Everything that can be self-hosted is, inside our own infrastructure: database, object store, orchestration, emulator, dashboard, and observability. All tenant data lives under forced row-level security, so one customer can never read another's data even through an application bug. Scans run under a strict no-real-user, no-transmit discipline, and our last OWASP Top 10:2025 assessment returned SAFE.
Contact

Want to understand what software is doing with data?

Tell us what you are trying to verify, which software surface matters, and what kind of evidence you need. We will point you to the right next step.