New: Cross-region comparison is live. See how one app behaves in AU vs EU vs BR.
Veracta · truthful actions

Ground truth on what apps do with your data.

Veracta installs any Google Play app on a real device in the country you choose, decrypts the app's own encrypted traffic, and proves exactly which personal data it collects and who it sends it to. Certificate pinning, QUIC, and anti-tamper don't stop it.

See the flagship finding
chimera · scan #VRC-7741 · com.example.social · egress verified · region BR
app: com.example.social
region: BR · egress proven ✓
install: from Google Play ✓ (not sideload)
integrity: Play Integrity: STRONG
canaries: planted · 5 fields · marker-free
capture: 228 TLS · 248 QUIC decrypted
tracing canaries across 20 encodings…

Findings · evidence-scored
EXFIL · GPS coordinates left the device
canary -23.55,-46.63 → ads.adexchange-3p.com · plaintext match
EXFIL · Advertising ID sent to 3rd party
canary hash (SHA-256) → track.metrics-sdk.io
SUSPECT · Clipboard read by WebView bridge
JS initiator · cross-frame origin
CAPABILITY · Microphone permission granted
API called · no canary observed leaving

Built for the people who need proof, not claims

Privacy regulators · App-store trust teams · Enterprise supply-chain audit · Consumer-protection law firms · Investigative journalists · Ad-tech verification
01 The problem

App privacy claims are unverifiable from the outside.

The data-safety label is self-reported, the developer fills it out, and nobody checks it against what the app actually does at runtime. The truth is hidden behind encryption and changes by region.

Labels are self-reported

The developer fills out the data-safety form. Nothing verifies it against the app's real runtime behavior.

Static analysis misses runtime

Code that's fetched, decrypted, or triggered by a server flag never appears in a decompile. It only runs live.

Proxies can't read the traffic

Modern apps use TLS 1.3 and QUIC, pin certificates, and bundle their own crypto. A proxy sees ciphertext, or is refused.

Behavior is regional

An app can behave one way in Germany and another in Brazil. You can't see it without testing from inside each region.

02 How it works

Submit a Play URL and a country. Get back proof.

CHIMERA, the analysis engine, instruments the running app across four independent surfaces. Each surface has a blind spot on its own; together they cover one another's, starting at the first network handshake at process birth.

surface 01

TLS keylog + wire

Hooks the app's crypto to emit its own session keys, then decrypts the raw capture host-side. Full URLs, headers, bodies across TLS, QUIC, and HTTP/3.

surface 02

Device probe

Attaches at process birth and hooks Java + native crypto. Sees identifier reads, location, and clipboard at time zero.

surface 03

Scriptable hooking

A Lua-driven host that attaches after launch and targets any class the app loads. Flexible, per-app instrumentation.

surface 04

WebView monitor

Listens on the Chrome DevTools Protocol inside in-app WebViews: the JavaScript-side activity that hooks on the Java client never see.

03 The decryption moat

We read inside the app's encryption. A proxy can't.

CHIMERA captures the app's own session keys from inside the app, then decrypts the recorded packets host-side. There is no proxy in the path to detect, and no certificate for the app to reject.

Defeats certificate pinning

Keys come from inside the app, not a fake certificate the app would reject.

Undetectable to the app

No proxy sits in the network path and no substitute certificate is installed, so the checks an app runs to spot interception (trust-store inspection, proxy settings, handshake anomalies) have nothing to find.

Handles QUIC and HTTP/3

Not just classic TLS, but the protocols modern apps actually use.

Survives anti-tamper (Pairip)

Hooks synchronously before the protection arms, so it sees an unmodified process.

Proxy / MITM: refused / pinned
On wire: a8 f3 91 e2 c4 7d 0b 5a 9f…
Veracta keylog: session keys captured
Decrypted: POST /v2/collect
→ body: { "adid":"a1b2…", "gps":[-23.55,-46.63] }
→ host: ads.adexchange-3p.com
04 Evidence, not guesswork

Every finding is scored by how strong the proof is.

We plant unique, marker-free canaries on the device (fake IDs, GPS, email, phone, clipboard), then search every decrypted request for those exact values in plaintext and ~20 hashed and encoded forms. A capability is not an exfiltration.

Confirmed exfiltration

The exact value left the device

A canary that exists nowhere else in the world appears in an outbound request to a third party. That is proof the app collected it and sent it.

Suspected exfiltration

Strong circumstantial evidence

A canary appears alongside a JavaScript initiator, a cross-frame origin, a native egress, or a JavaScript bridge call.

Capability only

It can, but wasn't observed doing it

The API was called, but no canary was seen leaving. A read that merely coincides with an outbound request is not a match; timing alone never upgrades a finding.

Flagship investigation

We mapped a dormant on-device face-recognition capability inside a major social app.

Corroborated at every layer, from application code to the native engine to the on-the-wire sync, and located precisely where the capability was gated. The investigation distinguished what reaches the vendor (profile metadata) from what stays on device (the raw biometric), with proof drawn from decrypted traffic, under a strict no-real-user, no-transmit safety discipline.

The difference between "an app might do something" and "here is precisely what it does, proven."
05 Who it's for

For the people who need proof, not assurances.

Veracta is built for investigating apps you don't control, where the developer won't cooperate and the output has to stand up to scrutiny. Each audience uses the same decrypted, region-verified evidence for a different job.

Privacy & data-protection regulators

Verify an app's real behavior against its declared data practices, in the jurisdiction where its users live, without waiting on the developer's cooperation.

Their job → Build an enforceable case from court-defensible evidence.

App-store & platform-trust teams

Check whether a submitted app's runtime behavior matches its data-safety label, at scale, and catch what static review and self-reported forms miss.

Their job → Keep mislabeled and exfiltrating apps off the store.

Enterprise supply-chain audit

Vet the mobile software your organization ships or depends on. See exactly which third-party SDKs send data, where it goes, and whether it should.

Their job → Close vendor-risk gaps before they become incidents.

Consumer-protection & privacy law firms

Turn a suspicion into an exhibit. Every finding traces to the decrypted request that proves it, with a SHA-256 checksum and full provenance.

Their job → Ground a claim in evidence, not inference.

Investigative journalists

Self-serve, no developer access required. Run a scan, get evidence-scored findings, and report what an app does with the proof to back it up.

Their job → Publish "here's precisely what it does," verifiably.

Ad-tech & measurement verification

Confirm your partners and SDKs collect only what they're contracted to. Catch unexpected identifier sharing and cookie-sync chains on the wire.

Their job → Hold the measurement chain to what was agreed.
06 Pricing

Start free on the cloud. Pay for real-device proof.

The free tier runs on cloud emulators in one region, with full self-serve evaluation. Paid scans run on real phones, in multiple regions at once, and cover apps that refuse to run anywhere but real hardware.

Free
$0 / forever
Self-serve evaluation. Cloud emulator, one region, real Play install, real decryption.
  • Cloud emulator scans
  • One region per scan
  • Full privacy score + findings
  • Play Integrity: STRONG
Real device
Paid
Usage · regions × device-time
Real rooted Pixel phones, multi-region in one fleet, full app coverage, court-defensible evidence.
  • Physical-device scans, all regions
  • Heavy native apps emulators can't run
  • Downloadable evidence bundle (FAIR + SHA-256)
  • Australian Privacy Principles (APP 1–13) compliance grid + cross-region compare
  • API access & continuous monitoring
07 FAQ

Frequently asked questions

01 How is this different from a proxy or MITM tool?
A man-in-the-middle proxy fakes a certificate the app can reject, and sits in the network path where the app can detect it. Veracta captures the app's own session keys from inside the app and decrypts the traffic host-side. There's no proxy to detect and no certificate to refuse, so it works on pinned, QUIC, bundled-crypto, and anti-tamper-protected apps that defeat proxies entirely.
02 What does "confirmed exfiltration" actually mean?
Before each scan we plant unique, random, marker-free canary values for device IDs, GPS, email, phone, and clipboard. When one of those exact values, which exists nowhere else in the world, appears in an outbound request to a third party, that's proof the app collected it and sent it. We search plaintext plus roughly twenty hashed and encoded variants, and weight a plaintext match above a hashed one.
03 Why does the region matter?
An app can behave completely differently for a user in Germany versus Brazil. Veracta proves the device's traffic actually exits the country you requested before any analysis runs, using a two-layer check measured on the device and corroborated from the host. A region mismatch is a hard abort, so a finding is never misattributed to the wrong country.
04 Is the evidence usable in a regulatory or legal context?
Every run produces a complete, organized evidence directory following the FAIR data principles, with W3C PROV provenance metadata and a SHA-256 checksum for every file. A regulator or court can be handed the decrypted request that proves a claim, not just a summary. Output maps to the Australian Privacy Principles (APP 1–13), and the architecture generalizes to GDPR and similar regimes.
05 Do you sideload apps?
No. The platform installs the app from the real Google Play Store and confirms the installer was Google Play, so the app behaves exactly as it would for a normal user. Both the real phones and the cloud emulators pass Google Play Integrity at the STRONG level, so apps don't detect a test environment and hide.
06 What about privacy and data handling on your side?
Everything that can be self-hosted is, inside our own infrastructure: database, object store, orchestration, emulator, dashboard, and observability. All tenant data lives under forced row-level security, so one customer can never read another's data even through an application bug. Scans run under a strict no-real-user, no-transmit discipline, and our last OWASP Top 10:2025 assessment returned SAFE.
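The canary procedure from section 04 and FAQ 02 (plant marker-free values, search every decrypted request for them in plaintext and roughly twenty hashed or encoded forms, weight a plaintext hit above a hashed one, never let an API call alone become an exfiltration finding), as an added example in Python. This is not Veracta's or CHIMERA's code: the encoding list, the `Request` and `Finding` shapes, the 1.0/0.8 weights, the `score` tiers and the three sample requests are all constructed here for illustration, and the SUSPECT tier, which depends on initiator context from the WebView monitor, is not modeled.

```python
"""Canary planting and multi-encoding egress search.

Added example, not Veracta/CHIMERA code. Field names, encodings, weights and
the sample requests in demo() are constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import json
import secrets
import urllib.parse
from dataclasses import dataclass

FIELDS = ("adid", "gps", "email", "phone", "clipboard")


def plant_canaries() -> dict[str, str]:
    """Unique, random, marker-free values: nothing about them says 'test data'."""
    lat = -90 + secrets.randbelow(180_000) / 1000    # three decimals, like a real fix
    lon = -180 + secrets.randbelow(360_000) / 1000
    return {
        "adid": "-".join(secrets.token_hex(n) for n in (4, 2, 2, 2, 6)),  # UUID shape
        "gps": f"{lat:.3f},{lon:.3f}",
        "email": f"{secrets.token_hex(4)}@{secrets.token_hex(3)}.net",
        "phone": "+1" + "".join(str(secrets.randbelow(10)) for _ in range(10)),
        "clipboard": secrets.token_urlsafe(12),
    }


# Forms in the first group are still the value itself in different dressing;
# everything else in variants() is a digest of it.
PLAINTEXT_FAMILY = frozenset({"plain", "lower", "upper", "url", "url2x", "b64", "b64url", "hex", "json"})


def variants(value: str) -> dict[str, str]:
    """Return 21 plaintext and hashed forms of one canary, keyed by encoding name."""
    raw = value.encode()
    out = {
        "plain": value,
        "lower": value.lower(),
        "upper": value.upper(),
        "url": urllib.parse.quote(value, safe=""),
        "url2x": urllib.parse.quote(urllib.parse.quote(value, safe=""), safe=""),
        "b64": base64.b64encode(raw).decode(),
        "b64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "json": json.dumps(value)[1:-1],   # JSON string escaping without the quotes
    }
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, raw).hexdigest()
        out[algo] = digest
        out[algo + "_upper"] = digest.upper()
        out[algo + "_b64"] = base64.b64encode(bytes.fromhex(digest)).decode()
        out[algo + "_lowercased"] = hashlib.new(algo, value.lower().encode()).hexdigest()
    return out


@dataclass
class Request:
    """One decrypted request as recovered from the key-logged capture."""
    method: str
    host: str
    path: str
    headers: dict[str, str]
    body: str


@dataclass(frozen=True)
class Finding:
    field: str
    encoding: str
    host: str
    third_party: bool
    weight: float    # a plaintext match outranks a hashed one


def scan_request(req: Request, canaries: dict[str, str], first_party: frozenset[str]) -> list[Finding]:
    """Search path, header values and body for every encoding of every canary."""
    haystack = "\n".join([req.path, *req.headers.values(), req.body])
    findings: list[Finding] = []
    for field, value in canaries.items():
        seen: set[str] = set()
        for name, enc in variants(value).items():
            # Skip forms identical to an earlier one (lower() of an all-lowercase
            # value) and fragments too short to be probative on their own.
            if enc in seen or len(enc) < 8:
                continue
            seen.add(enc)
            if enc in haystack:
                weight = 1.0 if name in PLAINTEXT_FAMILY else 0.8
                findings.append(Finding(field, name, req.host, req.host not in first_party, weight))
    return findings


def score(field: str, api_called: bool, findings: list[Finding]) -> str:
    """EXFIL needs the canary on the wire; an API call alone is only CAPABILITY.

    Takes no timestamps on purpose: a read that coincides with a request is
    not evidence that the request carried the value.
    """
    if any(f.field == field for f in findings):
        return "EXFIL"
    return "CAPABILITY" if api_called else "NONE"


def demo() -> dict[str, str]:
    """Constructed scan: three decrypted requests plus the API calls the probe saw."""
    canaries = {"adid": "6f1e2a9c-3b44-4c1d-9a7e-0d2f5c8b1a3e", "gps": "-23.551,-46.634",
                "email": "q7x2r9@zk3.net", "phone": "+14157720841", "clipboard": "Xf2mQ9t_kLp7Wn4"}
    first_party = frozenset({"api.example-social.com"})
    adid_hash = hashlib.sha256(canaries["adid"].encode()).hexdigest()
    requests = [
        Request("POST", "ads.adexchange-3p.com", "/v2/collect", {"content-type": "application/json"},
                '{"adid":"' + canaries["adid"] + '","gps":[' + canaries["gps"] + ']}'),
        Request("POST", "track.metrics-sdk.io", "/v1/ident", {"content-type": "application/json"},
                json.dumps({"id_hash": adid_hash})),        # hashed advertising ID
        Request("GET", "api.example-social.com", "/me", {"authorization": "Bearer zz"}, ""),
    ]
    findings = [f for r in requests for f in scan_request(r, canaries, first_party)]
    api_called = {"adid": True, "gps": True, "email": False, "phone": False, "clipboard": True}
    return {field: score(field, api_called[field], findings) for field in canaries}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the per-field verdict for the constructed scan: the advertising ID and GPS fix are EXFIL (one plaintext hit, one SHA-256 hit), the clipboard read stays CAPABILITY because nothing matching it left the device. The dedupe of identical encodings and the short-fragment cutoff are what keep an all-lowercase ID from being counted twice or a bare phone-number suffix from matching by accident; the encoding list a production scanner needs depends on what the SDKs in the app actually do to identifiers before sending them.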

See what your app really does.

Submit a Play Store URL and a country. Get back decrypted, evidence-scored proof, free.