DEV Community: orange black

How Does Duolingo Monetize? I Decompiled the Android App (v6.79.5)

orange black — Tue, 26 May 2026 07:05:46 +0000

I wanted to know how Duolingo makes money on Android -- ads vs Super subscription, which SDKs they use, and how aggressive the free tier is. So I decompiled Duolingo 6.79.5 (164 MB APK, 11 DEX files, 242 activities).

TL;DR

IronSource mediation sits at the center -- Unity Ads, Vungle, Moloco, AdMob, Facebook, and Pangle all plug in around it
Facebook Audience Network ships as a 5 MB hidden DEX in assets (same trick as CamScanner)
7+ ad networks for free users; Google Play Billing for Super/Plus (no RevenueCat found)
Kotlin + Jetpack Compose for the main app; Unity for some game modules (chess, etc.)
Staging APIs (android-api-stage, goals-api-stage-*) are hardcoded in the production build
Adjust + Sentry (+ Firebase) for attribution and crashes

How Duolingo Makes Money

Subscriptions (Super / Plus)

Duolingo uses Google Play Billing directly -- ProxyBillingActivity, PlusPurchaseFlowActivity, strings for gems and family plans. Deep links hit duolingo.com/settings/super.

I did not find RevenueCat or Superwall in the DEX. Subscription logic appears first-party on top of Google's billing library.

Ads (free tier)

Free users hit a mediation-heavy stack:

Network	Role
IronSource	Mediation hub (most SDK surface area)
Unity Ads	Mediated demand + game ad units
Google AdMob	Google demand, MRAID native templates
Facebook AN	Hidden `audience_network.dex`
Pangle (TikTok)	Rewarded, interstitial, app open
Vungle	Video
Moloco	Programmatic / MRAID / VAST

Duolingo-owned ad screens include CustomNativeAdActivity, FullscreenNetworkNativeAdActivity, and PlusPromoVideoActivity -- ads show up at session end and league flows, not random webviews.

The hidden Facebook DEX (again)

assets/audience_network.dex  ~5 MB

Meta's SDK is not fully embedded in the main multidex load. It is loaded from assets when needed -- a common pattern to protect cold start on huge apps.

Tech Stack (what they built with)

Layer	Choice
UI	Kotlin + Jetpack Compose (thousands of references)
Games	Unity (`UnityActivity`, chess promo assets)
Network	OkHttp, Retrofit
Media	ExoPlayer, Lottie, Rive
Attribution	Adjust
Crashes	Sentry (`duolingo-sentry.sentry.io`) + Firebase
Support	Zendesk

Min SDK 29 -- they have dropped pre-Android 10 devices.

Staging servers in production

Same class of mistake as other big apps:

android-api-stage.duolingo.com
goals-api-stage.duolingo.com (+ stage-2, stage-3)
infra-edge-gateway-stage-cf.duolingo.com

Useful if you are researching API behavior; risky if those hosts expose looser auth.

Duolingo vs CamScanner (quick compare)

I decompiled CamScanner earlier:

	CamScanner	Duolingo
Mediation lead	AdMob + PubMatic bidding	IronSource + Unity
UI	Native + Flutter	Compose + Unity games
Ad networks	6	7+
Hidden Meta DEX	Yes	Yes

Education apps and utility apps converge on the same playbook: many networks, one mediator, lazy-load Meta.

What I left out of this post

The full report includes 60+ first-party API hosts, complete permission breakdown, schools/DET endpoints, and module-level Activity mapping. This post is the highlights.

I run AppXray -- send any Google Play link, get a full reverse-engineering report (PDF + Markdown) in ~2 hours. $29 for one app, $19/app for batches.

Free samples: CamScanner teardown

Questions about Duolingo's stack? Comment below.

What Ad Networks Does CamScanner Use? I Decompiled the APK to Find Out

orange black — Thu, 14 May 2026 12:47:03 +0000

AppXray — One Link In, Full Report Out | Black Orange

Send a Google Play link, get a full reverse-engineering report — architecture, APIs, SDKs, ad networks, permissions. Delivered in 2 hours.

appxray.blackorange.org

I wanted to know what ad networks CamScanner uses and how they monetize a 100M+ download scanning app. So I reverse-engineered the APK.

Here's what I found inside CamScanner v7.16.5 (306 MB, 12 DEX files, 369 activities).

TL;DR

6 ad networks running at the same time
Header bidding + waterfall hybrid — not just AdMob
Facebook Audience Network loaded as a hidden DEX file at runtime
6 staging/test servers exposed in the production build
Hybrid Flutter + Native architecture using Alibaba's FlutterBoost
34 third-party SDKs total

The Ad Stack: 6 Networks Running Simultaneously

Most indie apps use AdMob alone. CamScanner runs six ad networks in parallel:

Network	Role
Google AdMob	Primary SDK, all ad formats
Pangle (ByteDance/TikTok)	Secondary — 14 Activity classes registered, big in Asia
Facebook Audience Network	Loaded dynamically as a separate DEX at runtime
PubMatic OpenBid	Header bidding via OpenRTB 2.5
Vungle	Video ads (rewarded + interstitial)
Google Ad Manager	DoubleClick — for premium/direct-sold inventory

The interesting part isn't the list — it's how they combine them.

Header Bidding + Waterfall Hybrid

PubMatic runs real-time auctions (OpenRTB 2.5) in parallel with AdMob's waterfall. This means:

AdMob waterfall handles most impressions
PubMatic bids in real-time, winning when its CPM beats the waterfall floor
Result: higher effective eCPM than either method alone

If you're only running AdMob, you're leaving 30-50% of ad revenue on the table.

Hidden DEX Loading for Facebook Ads

This one surprised me. Facebook Audience Network isn't bundled in the main APK. Instead, there's a file called audience_network.dex (5 MB) sitting in the assets/ folder, loaded at runtime via DexClassLoader.

Why? Cold start optimization. CamScanner avoids loading 5 MB of Facebook ad code on every app launch — it only loads when a Facebook ad placement is triggered.

Server-Controlled Ad Config

Two remote config sources control ad behavior:

cs8.intsig.net/ad — likely controls placement logic and frequency
ScannerRewardRatio.xml hosted remotely — controls rewarded ad payout ratios

This means they can A/B test ad strategies, change placements, and adjust frequency caps without shipping an app update.

What's CamScanner Built With?

The tech stack is a hybrid:

Core app: Native Android (Java/Kotlin) — scanning, document management
New features: Flutter via Alibaba's FlutterBoost — AI chat, document processing
OCR: Google ML Kit (on-device)
Crash monitoring: Sentry + ByteDance APMPlus (dual monitoring for global + China)
Attribution: AppsFlyer (they're running paid user acquisition)
Analytics: Firebase Analytics

The Flutter + Native hybrid with FlutterBoost is worth noting — it's Alibaba's framework that lets you mix Flutter screens with native Activities seamlessly. If you're considering adding Flutter to an existing native app, this is a proven pattern at scale.

The Security Mistake: Staging Servers in Production

I found 6 staging/sandbox API endpoints hardcoded in the release build:

api-cs-sandbox.intsig.net
api-center-sandbox.intsig.net
api-algo-sandbox.camscanner.com
ai-cn-sandbox.camscanner.com
cs1-sandbox.intsig.net
b103-sandbox.camscanner.com

These are internal test servers that should have been stripped from the production build. They could potentially expose debug interfaces or less-secured services. Don't make this mistake in your own app.

Key Numbers

Metric	Value
Total size	306 MB (27 split APKs)
DEX files	12 (85.5 MB bytecode)
Activities	369
Third-party SDKs	34
Ad networks	6
Auth providers	7+
Permissions	35
Supported languages	27

What I Didn't Include Here

The full report goes deeper: complete API endpoint list (18 first-party + 14 third-party), full SDK breakdown by category, permission-by-permission analysis with risk levels, build configuration details, and technical implementation specifics like the dynamic DEX loading mechanism.

I do this as a service. Send me any Google Play link and I'll send you a full reverse-engineering report (PDF + Markdown) within 2 hours. $29 for one app, $19/each for 3-10 apps.

Free sample report (CamScanner full version): appxray.blackorange.org

Have questions about what I found? Drop a comment — happy to discuss.