Every check PTKD runs, with a real exploit scenario, the impact, and how to fix it, mapped to the OWASP Mobile Top 10 and MASVS.
PTKD-CRED-SECRET Hardcoded secret in binary M1PTKD-NET-CLEARTEXT Cleartext network traffic permitted M5PTKD-NET-USERCA Network config trusts user-installed CAs M5PTKD-NET-ATS App Transport Security disabled (NSAllowsArbitraryLoads) M5PTKD-IOS-DEBUGGABLE iOS build is debuggable (get-task-allow = true) M7PTKD-CFG-DEBUGGABLE Application is debuggable M8PTKD-CFG-TESTONLY Application marked test-only M8PTKD-NET-TRUSTALL TLS validation appears disabled (trust-all / accept-all hostnames) M5PTKD-SIGN-V1 APK signed with the legacy v1 (JAR) scheme M8PTKD-SUPPLY-CVE Vulnerable third-party dependency M2PTKD-DYN-CLEARTEXT Cleartext HTTP traffic at runtime M5PTKD-DYN-NOPINNING TLS interception succeeded (no certificate pinning) M5PTKD-DYN-SECRET-TRANSIT Hardcoded secret sent on the wire M1PTKD-DYN-STORAGE-SECRET Secret written to device storage M9PTKD-NET-ATS-MEDIA App Transport Security disabled for media M5PTKD-CRYPTO-WEAK Weak cryptographic primitive M10PTKD-CFG-SHAREDUID Deprecated android:sharedUserId in use M8PTKD-CFG-EXPORTED Exported component without a permission guard M8PTKD-WEBVIEW-FILEACCESS WebView allows file access from web content M4PTKD-STO-BACKUP Application data is backed up M9PTKD-STO-FILESHARING iTunes file sharing enabled M9PTKD-WEBVIEW-JSI WebView JavaScript bridge exposed M4PTKD-PRIV-FIREBASE Firebase Realtime Database endpoint embedded M9PTKD-BIN-NOPIE Executable is not position-independent (no PIE/ASLR) M7PTKD-DYN-WEAKTLS Weak TLS version negotiated at runtime M5PTKD-DYN-AUTH-IN-URL Credential passed in a URL M1PTKD-DYN-PII-THIRD-PARTY Device/user PII sent to a third party M6PTKD-DYN-EXTERNAL-SENSITIVE Sensitive data written to external storage M9PTKD-DYN-LOG-SENSITIVE Sensitive data written to the log M9PTKD-NET-HTTP-URL Cleartext (http://) endpoints in the binary (review) M5PTKD-NET-ATS-WEB App Transport Security disabled in web content M5PTKD-IOS-APS-DEV Development APNs (push) environment M8PTKD-IOS-WILDCARD-ID Wildcard application identifier M8PTKD-NET-ATS-EXCEPTION App Transport Security insecure exception domains M5PTKD-CFG-CUSTOMPERM Custom permission with a weak protection level M8PTKD-WEBVIEW-DEBUG WebView remote debugging enabled M8PTKD-BIN-NOENCRYPT iOS binary is not encrypted (cryptid = 0) M7PTKD-PRIV-PERMS Dangerous runtime permissions requested M6PTKD-BIN-NOCANARY Executable built without stack canaries M7PTKD-DYN-INSECURE-COOKIE Session cookie without Secure/HttpOnly M5