Overview
IPA Inspector is a self-hosted iOS application security analysis platform deployed entirely within your AWS account. Upload IPA files through a browser-based interface and receive a detailed security report in under two minutes - no third-party services, no data egress.
SECURITY SCANNING - 12 DIMENSIONS
- Binary Hardening: PIE, stack canary, ARC, Objective-C restrictions
- Entitlements: dangerous capabilities, keychain sharing exposure
- App Transport Security (ATS): NSAllowsArbitraryLoads, exception domains
- Privacy Permissions: undeclared NSUsageDescription strings
- Privacy Manifest: PrivacyInfo.xcprivacy completeness check
- Hardcoded Secrets: API keys, tokens, credentials in binary and bundles
- Weak Cryptography: MD5/SHA1/DES/RC4 usage detection
- URL Schemes: hijackable custom URL scheme exposure
- Third-Party SDKs: known risky SDKs and tracking frameworks
- Background Modes: unnecessary background execution privileges
- Payment Compliance: StoreKit and in-app purchase integrity checks
- Review Evasion: dynamic code loading, obfuscation patterns
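As an added example (not IPA Inspector's own code), the following implements two of the dimensions listed above, the ATS check and the undeclared-usage-description check, as a static scan over an Info.plist. The sample plist, the list of linked classes and the class-to-key mapping are constructed assumptions for illustration.

```python
import plistlib

# Constructed sample Info.plist (not from a real app): ATS disabled globally,
# one exception domain permits plaintext HTTP, and one purpose string is empty.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict></dict></dict>
  <key>NSCameraUsageDescription</key><string></string>
  <key>NSLocationWhenInUseUsageDescription</key><string>Shows nearby stores.</string>
</dict></plist>"""

# Assumed, simplified mapping: privacy-sensitive class the binary links -> required purpose-string key.
REQUIRED_USAGE_KEYS = {
    "AVCaptureDevice": "NSCameraUsageDescription",
    "CLLocationManager": "NSLocationWhenInUseUsageDescription",
    "CNContactStore": "NSContactsUsageDescription",
}

def check_ats(info):
    # Flag ATS settings that weaken transport security.
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true disables ATS for all domains")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP permitted for {domain}")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"minimum TLS lowered to {tls} for {domain}")
    return findings

def check_usage_descriptions(info, linked_classes):
    # Report privacy-sensitive APIs whose purpose string is missing or empty.
    findings = []
    for cls in linked_classes:
        key = REQUIRED_USAGE_KEYS.get(cls)
        if key and key not in info:
            findings.append(f"{cls} linked but {key} is undeclared")
        elif key and not str(info[key]).strip():
            findings.append(f"{key} is declared but empty")
    return findings

def scan_info_plist(raw, linked_classes):
    # Parse the plist and combine both checks into one findings list.
    info = plistlib.loads(raw)
    return check_ats(info) + check_usage_descriptions(info, linked_classes)
```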
VERSION DIFF ANALYSIS
Upload two IPA builds (old vs new) to get a side-by-side comparison: permission additions and removals, new or removed third-party SDKs, entitlement changes, and binary size delta - essential for pre-release security review and compliance audits.
AI-POWERED REMEDIATION
Every finding includes an AI-generated remediation guide produced by Amazon Bedrock (Nova). Guidance covers severity rationale, realistic attack scenarios, and concrete fix recommendations with references to Apple documentation and OWASP Mobile Top 10.
ARCHITECTURE - FULLY PRIVATE
IPA Inspector is deployed via AWS CloudFormation into your own account:
- Compute: AWS Fargate (ARM64 Graviton, 4 vCPU / 8 GB)
- Storage: Amazon S3 (IPA files, auto-deleted after 7 days)
- Database: Amazon RDS PostgreSQL (reports stored 24 hours)
- AI: Amazon Bedrock Nova Lite
- Access: Application Load Balancer (internal or internet-facing)
IPA files are uploaded directly from the browser to S3 via presigned URLs - they never pass through any intermediary server. All analysis runs inside your VPC.
REQUIREMENTS
- AWS account with Amazon Bedrock Nova Lite enabled in us-east-1
- Sufficient Fargate quota (1 task, 4 vCPU)
- Deployment via included CloudFormation template (~15 minutes)
Highlights
- 12-dimensional iOS security analysis covering OWASP Mobile Top 10 and Apple guidelines - fully private, data never leaves your AWS account.
- Version diff analysis: compare two IPA builds to detect permission changes, new SDKs, entitlement additions, and binary size deltas.
- AI-powered fix recommendations generated by Amazon Bedrock Nova, grounded in OWASP documentation and Apple security best practices.
Details
Pricing
| Dimension | Description | Cost/month |
|---|---|---|
| IPA Inspector Deployment License | One private deployment of IPA Inspector in your AWS account. Includes unlimited scans for the duration of the contract period. | $299.00 |
Vendor refund policy
All sales are final. Due to the nature of software deployment licenses, we do not offer refunds after the contract is activated and container images have been accessed. If you experience technical issues preventing deployment, contact us within 7 days of purchase for assistance. For support: yuki@beijingzhiyun.com
Delivery details
AWS ECS Fargate - CloudFormation Deployment
- Amazon ECS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
fix some bugs
Additional details
Usage instructions
PREREQUISITES
- Bedrock Model Access: Go to Amazon Bedrock > Model access. Enable and confirm "Access granted" for Claude Sonnet (Anthropic) and Amazon Nova Pro before launching the stack.
- IAM Permissions: Deploying role requires ec2:*, iam:*, cloudformation:*, rds:*, s3:*, lambda:*, bedrock:*, elasticloadbalancing:*, autoscaling:*, cloudwatch:*, kms:DescribeKey, kms:CreateGrant, logs:*. AdministratorAccess is acceptable.
- Service Quotas: EC2: 8+ vCPUs (On-Demand Standard); RDS: 1 DB instance; VPC: 1 VPC + 2 NAT Gateways; Lambda: 10+ concurrent executions.
- Supported regions: us-east-1 (recommended), us-west-2, ap-northeast-1, ap-southeast-1.
DEPLOYMENT
- Subscribe > Continue to Configuration > Continue to Launch > Launch CloudFormation.
- Key parameters: ComputeMode (EC2 or ECS), InstanceType (default t3.large), DbInstanceClass (default db.t3.medium), DbMultiAz (true recommended), AlertEmail, IpaFileRetentionDays (default 7).
- Acknowledge both IAM capabilities checkboxes. Submit. Stack creation takes ~20 minutes.
- After CREATE_COMPLETE, find ApplicationUrl in CloudFormation Outputs.
- Open ApplicationUrl in a browser. Complete the first-run wizard to create an administrator account. Enable MFA.
MONITORING APPLICATION HEALTH
- EC2 Status: EC2 Console > Instances > select instance tagged Project:IPADiffHelper > Status checks tab. Both checks must show "Passed." Auto Scaling replaces unhealthy instances within 5 minutes.
- ALB Health: EC2 Console > Load Balancers > ipa-inspector-alb > Target groups. All targets must show "Healthy." If unhealthy, check CloudWatch Logs group /ipa-inspector/app.
- API Health Check: curl -i https://<ApplicationUrl>/api/health - expect HTTP 200 with the body {"status":"healthy","database":"connected","queue":"reachable","bedrock":"available"}.
- CloudWatch Dashboard: Open CloudWatchDashboardUrl from Outputs. Subscribe to SnsTopicArn for automated alerts. Pre-configured alarms: CPU >80%, API latency p95 >5s, queue depth >100, DB connections >80%.
IAM ROLES CREATED BY THIS TEMPLATE
- IPAInspectorAppRole: Used by EC2/ECS application tier. Permissions: S3 read/write, SQS send/receive, Secrets Manager read, CloudWatch write. Scoped to this stack's resource ARNs only.
- IPAInspectorAnalyzerRole: Used by Lambda analyzer. Permissions: Bedrock InvokeModel (Claude Sonnet, Nova Pro), S3 read, RDS IAM auth, SQS receive/delete, CloudWatch logs write. Scoped to this stack only.
- IPAInspectorRDSMonitoringRole: Enables RDS Enhanced Monitoring. Trusts rds.amazonaws.com; writes OS metrics to CloudWatch Logs.
DATA ENCRYPTION & SENSITIVE DATA LOCATIONS
- S3 (IPA files): SSE-S3/AES-256. Location: S3BucketName output. Auto-deleted after IpaFileRetentionDays (default 7). HTTPS-only enforced.
- RDS (results, users): AWS-managed KMS key aws/rds. Location: RdsEndpoint output. Auto-rotated annually (KMS console > AWS managed keys > aws/rds > Key rotation tab). App connects via IAM auth tokens - no static passwords.
- EBS volumes: AWS-managed KMS key aws/ebs. Auto-rotated annually.
- Secrets Manager: Credentials stored as "ipa-inspector/db-password" and "ipa-inspector/app-secrets." Retrieved at runtime via IAM role only.
- All traffic TLS 1.2+ enforced. IPA binaries never leave your AWS account.
ESTIMATED AWS COSTS (us-east-1)
- EC2: 2x t3.large ~$130/mo
- RDS: db.t3.medium Multi-AZ ~$90/mo
- NAT Gateway: 2x AZ ~$80/mo
- ALB: ~$22/mo
- Bedrock: ~$0.50-2.00/scan
- S3 + Lambda + SQS + CloudWatch: ~$30/mo
- Quota increases: no charge
UPGRADING
- CloudFormation > select stack > Update > Replace current template. Rolling update; no data migration required. After the update, verify that /api/health returns HTTP 200.
Support: support@valuebridge.hk | valuebridge.hk/docs/ipa-inspector
Support
Vendor support
Email support with 2 business day response time. Includes deployment assistance and bug reports.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.