# AppXray Decompilation Report

## CamScanner — com.intsig.camscanner

| Field | Value |
|---|---|
| **Package Name** | `com.intsig.camscanner` |
| **App Name** | CamScanner |
| **Version** | 7.16.5.2604220000 (code: 71651) |
| **Min SDK** | 21 (Android 5.0 Lollipop) |
| **Target SDK** | 35 (Android 15) |
| **Total Size** | 306 MB (XAPK with 27 split APKs) |
| **DEX Files** | 12 (85.5 MB total bytecode) |
| **Architecture** | Hybrid — Native Android + Flutter modules |
| **Report Date** | 2026-05-13 |

---

## 1. App Architecture

### Component Summary

| Component | Count |
|---|---|
| Activities | 369 |
| Services | 26 |
| Broadcast Receivers | 28 |
| Content Providers | 19 |

### Architecture Highlights

- **Hybrid stack**: Core app is native Android (Java/Kotlin), with Flutter modules for newer features (AI chat, document processing UIs).
- **Flutter integration** via `FlutterBoost` (`com.idlefish.flutterboost`) — Alibaba's Flutter-Native hybrid framework.
- **Multi-DEX**: 12 DEX files indicate a very large codebase (~85 MB of bytecode).
- **Split APKs**: 27 config splits for per-language resources and per-ABI native libraries (arm64-v8a, armeabi).

### Key Activities (Third-Party)

| Activity | Source |
|---|---|
| `com.bytedance.sdk.openadsdk.activity.TTRewardVideoActivity` | Pangle (TikTok) Rewarded Ads |
| `com.bytedance.sdk.openadsdk.activity.TTInterstitialActivity` | Pangle Interstitial Ads |
| `com.bytedance.sdk.openadsdk.activity.TTFullScreenVideoActivity` | Pangle Fullscreen Video |
| `com.google.android.gms.ads.AdActivity` | Google AdMob |
| `com.facebook.ads.AudienceNetworkActivity` | Facebook Audience Network |
| `com.pubmatic.sdk.webrendering.ui.POBFullScreenActivity` | PubMatic OpenBid |
| `com.vungle.ads.VungleActivity` | Vungle Ads |
| `com.facebook.FacebookActivity` | Facebook Login |
| `com.google.android.gms.auth.api.signin.internal.SignInHubActivity` | Google Sign-In |
| `com.microsoft.identity.common.internal.providers.oauth2.AuthorizationActivity` | Microsoft Identity |
| `com.dropbox.core.android.AuthActivity` | Dropbox Auth |
| `com.evernote.client.android.login.EvernoteLoginActivity` | Evernote Integration |
| `com.android.billingclient.api.ProxyBillingActivity` | Google Play Billing |
| `com.cmic.gen.sdk.view.GenLoginAuthActivity` | China Mobile Auth (号码认证) |
| `com.vk.api.sdk.ui.VKConfirmationActivity` | VK (Russia) Social Auth |

### Services

| Service | Purpose |
|---|---|
| `com.google.firebase.messaging.FirebaseMessagingService` | Push notifications |
| `com.google.firebase.components.ComponentDiscoveryService` | Firebase initialization |
| `com.google.android.gms.ads.AdService` | Ad background service |
| `com.google.mlkit.common.internal.MlKitComponentDiscoveryService` | ML Kit initialization |
| `com.bytedance.apm6.APMService` | ByteDance APM monitoring |
| `com.bytedance.sdk.openadsdk.multipro.aidl.BindService` | Pangle multi-process ads |
| `androidx.work.impl.background.systemjob.SystemJobService` | WorkManager background tasks |
| `androidx.room.MultiInstanceInvalidationService` | Room DB sync |

---

## 2. SDK & Third-Party Libraries

### Ad Networks (6 detected)

| SDK | Package | Notes |
|---|---|---|
| **Google AdMob** | `com.google.android.gms.ads` | Primary ad SDK, includes MRAID v3 support |
| **Pangle (TikTok/ByteDance)** | `com.bytedance.sdk.openadsdk` | Full-format support: rewarded, interstitial, fullscreen, app open, native |
| **Facebook Audience Network** | `com.facebook.ads` | Separate DEX in assets (`audience_network.dex`, 5 MB) |
| **PubMatic OpenBid** | `com.pubmatic.sdk` | Header bidding / OpenRTB 2.5 integration |
| **Vungle** | `com.vungle.ads` | Video ads, has mediation adapter (`com.vungle.mediation`) |
| **Google Ad Manager** | `com.google.ads` | DoubleClick ad serving (`googleads.g.doubleclick.net`) |

### Ad Mediation Evidence

- PubMatic OpenBid SDK present — indicates **header bidding** setup alongside waterfall.
- Multiple ad network activity classes registered — suggesting **mediation** with AdMob as primary.
- Facebook Audience Network loaded as separate DEX at runtime — **dynamic ad loading** strategy.

### Analytics & Attribution (4 detected)

| SDK | Package | Purpose |
|---|---|---|
| **AppsFlyer** | `com.appsflyer` | Mobile attribution (MMP), ad revenue tracking, deep linking |
| **Firebase Analytics** | `com.google.firebase` | Event logging, user properties |
| **Google ML Kit** | `com.google.mlkit` | On-device ML (likely OCR / document scanning) |
| **ByteDance APMPlus** | `com.bytedance.apm6` | Crash monitoring, performance metrics (Volcengine) |

### Crash & Error Monitoring (2 detected)

| SDK | Package | Notes |
|---|---|---|
| **Sentry** | `io.sentry` | Full Sentry SDK including Flutter plugin (`io.sentry.flutter`), session replay, profiling |
| **ByteDance APMPlus** | `apmplus.ap-southeast-1.volces.com` | Volcengine crash collection, ANR monitoring |

### Cloud & Auth Integrations (6 detected)

| SDK | Purpose |
|---|---|
| **Google Sign-In** | OAuth2 authentication |
| **Microsoft Identity (ADAL/MSAL)** | Enterprise SSO, OneDrive integration |
| **Facebook Login** | Social authentication |
| **Dropbox Core SDK** | Cloud storage sync |
| **Evernote SDK** | Note export/import |
| **VK SDK** | Russian market social auth |

### Payments

| SDK | Purpose |
|---|---|
| **Google Play Billing** (`com.android.billingclient`) | In-app purchases and subscriptions |

### UI & Utilities

| SDK | Purpose |
|---|---|
| **Flutter** (`io.flutter`) | Cross-platform UI for newer modules |
| **FlutterBoost** (`com.idlefish.flutterboost`) | Native-Flutter hybrid navigation |
| **Lottie** (`com.airbnb.lottie`) | JSON-based animations |
| **Glide** (`com.bumptech.glide`) | Image loading and caching |
| **PAG** (`com.example.flutter_pag_plugin`) | Portable Animated Graphics (Tencent) |
| **AndroidX Camera** | CameraX API for document scanning |
| **AndroidX Room** | Local SQLite database ORM |
| **AndroidX WorkManager** | Background task scheduling |
| **Netty** (`io.netty`) | Async networking |

### China-Specific SDKs

| SDK | Purpose |
|---|---|
| **China Mobile Auth** (`com.cmic.gen`) | Phone number one-tap login |
| **WeChat SDK** (`com.intsig.wxapi`) | WeChat sharing/login |
| **Feishu/Lark** | Mini-program deep linking |
| **Huawei AppGallery** | Huawei store distribution support |
| **Samsung SDraw** | Samsung pen/drawing integration |

---

## 3. API Endpoints

### First-Party APIs (intsig.net / camscanner.com)

| Endpoint | Purpose |
|---|---|
| `api-cs.intsig.net/user/cs` | User authentication & management |
| `api-cs.intsig.net/api/domain` | Domain/config resolution |
| `api.intsig.net/purchase` | Purchase & subscription management |
| `api-center.intsig.net/apis` | Central API gateway |
| `api-center.intsig.net/apis/corp` | Enterprise API gateway |
| `api-corp-cn.intsig.net` | China enterprise services |
| `api-algo.camscanner.com` | Algorithm services (OCR, enhancement) |
| `ai-us.camscanner.com/aichat` | AI Chat feature (US region) |
| `cs-ai-cn.camscanner.com/ai_doc` | AI document processing (CN region) |
| `cs-ai-cn.camscanner.com/aichat` | AI Chat feature (CN region) |
| `cs8.intsig.net/sync` | Document cloud sync |
| `cs8.intsig.net/ad` | Server-side ad configuration |
| `cs8.intsig.net/edapi` | Document editing API |
| `cs-msg-us.intsig.net/msg` | Push messaging service |
| `d2100.intsig.net/sync` | Secondary sync server |
| `d2149.intsig.net/app` | App configuration |
| `auth.intsig.net/GenKey/ActivateBySerialNo` | License activation |
| `api-web-pkg.camscanner.com` | Web package distribution |
| `resource.intsig.net/appdata/camscanner/android/ScannerRewardRatio.xml` | Ad reward configuration |

### Sandbox / Staging Endpoints (exposed in production)

| Endpoint | Notes |
|---|---|
| `api-cs-sandbox.intsig.net` | Staging user API |
| `api-center-sandbox.intsig.net` | Staging gateway |
| `api-algo-sandbox.camscanner.com` | Staging algorithm service |
| `ai-cn-sandbox.camscanner.com` | Staging AI service |
| `cs1-sandbox.intsig.net` | Staging sync/ad/read services |
| `b103-sandbox.camscanner.com` | Staging business service |

> SECURITY NOTE: 6 sandbox/staging endpoints are hardcoded in the production build. This could indicate debug code left in release, or intentional environment switching.

### Third-Party Service Endpoints

| Endpoint | Service |
|---|---|
| `api16-access-sg.pangle.io/api/ad/union/sdk/get_ads/` | Pangle ad requests (Singapore) |
| `api16-access-ttp.tiktokpangle.us/service/2/app_log/` | Pangle event logging (US) |
| `ads.pubmatic.com` | PubMatic ad requests |
| `ow.pubmatic.com/openrtb/2.5` | PubMatic OpenRTB bidding |
| `adx.ads.vungle.com/api/ads` | Vungle ad exchange |
| `config.ads.vungle.com` | Vungle remote config |
| `googleads.g.doubleclick.net` | Google Ad Manager serving |
| `admob-gmats.uc.r.appspot.com` | AdMob mediation test suite |
| `fundingchoicesmessages.google.com/a/consent` | Google CMP (consent) |
| `apmplus.ap-southeast-1.volces.com` | ByteDance APM (Southeast Asia) |
| `databyterangers.com.cn` | ByteDance data collection (China) |
| `accounts.google.com/o/oauth2/revoke` | Google OAuth token revocation |
| `api.twitter.com` | Twitter sharing integration |
| `graph-video.facebook.com` | Facebook video API |

---

## 4. Permissions Analysis

### Total: 35 permissions

#### High Sensitivity

| Permission | Risk | Usage Context |
|---|---|---|
| `CAMERA` | HIGH | Core feature — document scanning |
| `ACCESS_FINE_LOCATION` | HIGH | Likely for ad targeting / geo-tagging scans |
| `ACCESS_COARSE_LOCATION` | MEDIUM | Ad targeting |
| `READ_EXTERNAL_STORAGE` | MEDIUM | Import existing documents/photos |
| `WRITE_EXTERNAL_STORAGE` | MEDIUM | Save scanned documents |
| `READ_MEDIA_IMAGES` | MEDIUM | Android 13+ media access |
| `USE_BIOMETRIC` / `USE_FINGERPRINT` | MEDIUM | App lock / document protection |

#### Ad & Tracking Related

| Permission | Purpose |
|---|---|
| `ACCESS_ADSERVICES_AD_ID` | Android Privacy Sandbox ad ID |
| `ACCESS_ADSERVICES_ATTRIBUTION` | Privacy Sandbox attribution |
| `ACCESS_ADSERVICES_TOPICS` | Privacy Sandbox Topics API |
| `AD_ID` (`com.google.android.gms.permission.AD_ID`) | Google Advertising ID |
| `BIND_GET_INSTALL_REFERRER_SERVICE` | Install attribution (AppsFlyer) |

#### Connectivity & System

| Permission | Purpose |
|---|---|
| `INTERNET` | Network access |
| `ACCESS_NETWORK_STATE` | Check connectivity |
| `ACCESS_WIFI_STATE` | WiFi network info |
| `BLUETOOTH` / `BLUETOOTH_ADMIN` / `BLUETOOTH_SCAN` / `BLUETOOTH_CONNECT` | Printer connectivity |
| `WAKE_LOCK` | Background processing |
| `FOREGROUND_SERVICE` | Long-running tasks (scanning, sync) |
| `POST_NOTIFICATIONS` | Android 13+ notification permission |
| `VIBRATE` | Haptic feedback |
| `BILLING` (`com.android.vending.BILLING`) | In-app purchases |

#### Vendor-Specific

| Permission | Purpose |
|---|---|
| `com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA` | Huawei store integration |
| `com.samsung.android.mapsagent.permission.READ_APP_INFO` | Samsung device optimization |
| `com.sony.mobile.permission.SYSTEM_UI_VISIBILITY_EXTENSION` | Sony UI compatibility |
| `com.google.android.c2dm.permission.RECEIVE` | Firebase Cloud Messaging (legacy) |

---

## 5. Ad Network Deep Dive

### Detected Ad Formats

| Format | AdMob | Pangle | Facebook AN | PubMatic | Vungle |
|---|---|---|---|---|---|
| Banner | Yes | Yes | Yes | Yes | -- |
| Interstitial | Yes | Yes | Yes | Yes | Yes |
| Rewarded Video | Yes | Yes | Yes | -- | Yes |
| Native | Yes | Yes | Yes | Yes | Yes |
| App Open | Yes | Yes | -- | -- | -- |
| Fullscreen Video | -- | Yes | -- | -- | Yes |

### Monetization Strategy Indicators

1. **AdMob as primary mediator** — Core ad SDK with all formats.
2. **PubMatic header bidding** — Running OpenRTB 2.5 parallel bidding alongside AdMob waterfall.
3. **Pangle (ByteDance) heavy integration** — 14 activity classes, full format coverage. Likely high fill rate for Asian traffic.
4. **Facebook AN loaded dynamically** — Separate DEX (`audience_network.dex`) loaded at runtime, reducing cold start impact.
5. **Server-controlled ad config** — `cs8.intsig.net/ad` and `ScannerRewardRatio.xml` indicate server-side ad placement and reward ratio control.
6. **Google CMP** — `fundingchoicesmessages.google.com/a/consent` for GDPR/CCPA consent management.

---

## 6. Metadata & Build Configuration

| Property | Value |
|---|---|
| **Build Type** | App Bundle (split APKs) |
| **Supported ABIs** | arm64-v8a, armeabi |
| **Supported Languages** | 27 (ar, de, en, es, et, fi, fr, hi, hu, in, it, ja, ko, ms, nl, pl, pt, ru, sv, th, tr, uk, vi, zh, + more) |
| **Flutter Version** | Present (hybrid integration) |
| **ProGuard/R8** | Enabled (heavy obfuscation detected in Sentry, AppsFlyer, OkHttp packages) |
| **AndroidX** | Full migration (camera, room, work, browser, webkit, window) |
| **Google Play Integrity** | Referenced (`IntegrityErrorCode`) |
| **Deep Links** | Custom scheme via `com.intsig.router`, short URLs via `cc.co` |

### Notable Build Artifacts

- `audience_network.dex` (5 MB) in assets — Facebook AN loaded as plugin
- `DroidSansFallbackFull.ttf` (5 MB) — Full CJK font bundled
- `PubMatic_Logo.svg` — PubMatic branding asset
- Flutter assets directory with shader precompilation
- PAG animation files for UI animations

---

## Summary

CamScanner is a **large-scale hybrid Android app** (native + Flutter) with a sophisticated monetization stack featuring **6 ad networks** running a combination of **waterfall + header bidding**. The app maintains deep integrations with cloud storage providers (Dropbox, Evernote, OneDrive) and supports authentication across 7+ identity providers including China-specific services. The presence of staging endpoints in the production build and the dynamic loading of Facebook AN as a separate DEX file are notable architectural decisions.

---

*Generated by AppXray — [blackorange.org](https://blackorange.org)*
