The latest articles on DEV Community by orange black (@orange_black_1c98182920bb). https://dev.to/orange_black_1c98182920bb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3931265%2Fb0dcbd27-545e-462a-bde1-32888cfa1a63.jpg https://dev.to/orange_black_1c98182920bb en orange black Thu, 14 May 2026 12:47:03 +0000 https://dev.to/orange_black_1c98182920bb/i-reverse-engineered-camscanner-heres-whats-inside-3nec https://dev.to/orange_black_1c98182920bb/i-reverse-engineered-camscanner-heres-whats-inside-3nec <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://appxray.blackorange.org/" rel="noopener noreferrer" class="c-link"> AppXray — One Link In, Full Report Out | Black Orange </a> </h2> <p class="truncate-at-3"> Send a Google Play link, get a full reverse-engineering report — architecture, APIs, SDKs, ad networks, permissions. Delivered in 2 hours. </p> <div class="color-secondary fs-s flex items-center"> appxray.blackorange.org </div> </div> </div> </div> <p>I wanted to know what ad networks CamScanner uses and how they monetize a 100M+ download scanning app. So I reverse-engineered the APK.</p> <p>Here's what I found inside CamScanner v7.16.5 (306 MB, 12 DEX files, 369 activities).</p> <h2> TL;DR </h2> <ul> <li> <strong>6 ad networks</strong> running at the same time</li> <li>Header bidding + waterfall hybrid — not just AdMob</li> <li>Facebook Audience Network loaded as a <strong>hidden DEX file</strong> at runtime</li> <li>6 staging/test servers <strong>exposed in the production build</strong> </li> <li>Hybrid Flutter + Native architecture using Alibaba's FlutterBoost</li> <li>34 third-party SDKs total</li> </ul> <h2> The Ad Stack: 6 Networks Running Simultaneously </h2> <p>Most indie apps use AdMob alone. CamScanner runs <strong>six ad networks in parallel</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Network</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td>Google AdMob</td> <td>Primary SDK, all ad formats</td> </tr> <tr> <td>Pangle (ByteDance/TikTok)</td> <td>Secondary — 14 Activity classes registered, big in Asia</td> </tr> <tr> <td>Facebook Audience Network</td> <td>Loaded dynamically as a separate DEX at runtime</td> </tr> <tr> <td>PubMatic OpenBid</td> <td>Header bidding via OpenRTB 2.5</td> </tr> <tr> <td>Vungle</td> <td>Video ads (rewarded + interstitial)</td> </tr> <tr> <td>Google Ad Manager</td> <td>DoubleClick — for premium/direct-sold inventory</td> </tr> </tbody> </table></div> <p>The interesting part isn't the list — it's <strong>how they combine them</strong>.</p> <h3> Header Bidding + Waterfall Hybrid </h3> <p>PubMatic runs real-time auctions (OpenRTB 2.5) <strong>in parallel</strong> with AdMob's waterfall. This means:</p> <ul> <li>AdMob waterfall handles most impressions</li> <li>PubMatic bids in real-time, winning when its CPM beats the waterfall floor</li> <li>Result: higher effective eCPM than either method alone</li> </ul> <p>If you're only running AdMob, you're leaving 30-50% of ad revenue on the table.</p> <h3> Hidden DEX Loading for Facebook Ads </h3> <p>This one surprised me. Facebook Audience Network isn't bundled in the main APK. Instead, there's a file called <code>audience_network.dex</code> (5 MB) sitting in the <code>assets/</code> folder, loaded at runtime via DexClassLoader.</p> <p>Why? Cold start optimization. CamScanner avoids loading 5 MB of Facebook ad code on every app launch — it only loads when a Facebook ad placement is triggered.</p> <h3> Server-Controlled Ad Config </h3> <p>Two remote config sources control ad behavior:</p> <ul> <li> <code>cs8.intsig.net/ad</code> — likely controls placement logic and frequency</li> <li> <code>ScannerRewardRatio.xml</code> hosted remotely — controls rewarded ad payout ratios</li> </ul> <p>This means they can A/B test ad strategies, change placements, and adjust frequency caps <strong>without shipping an app update</strong>.</p> <h2> What's CamScanner Built With? </h2> <p>The tech stack is a hybrid:</p> <ul> <li> <strong>Core app</strong>: Native Android (Java/Kotlin) — scanning, document management</li> <li> <strong>New features</strong>: Flutter via Alibaba's FlutterBoost — AI chat, document processing</li> <li> <strong>OCR</strong>: Google ML Kit (on-device)</li> <li> <strong>Crash monitoring</strong>: Sentry + ByteDance APMPlus (dual monitoring for global + China)</li> <li> <strong>Attribution</strong>: AppsFlyer (they're running paid user acquisition)</li> <li> <strong>Analytics</strong>: Firebase Analytics</li> </ul> <p>The Flutter + Native hybrid with FlutterBoost is worth noting — it's Alibaba's framework that lets you mix Flutter screens with native Activities seamlessly. If you're considering adding Flutter to an existing native app, this is a proven pattern at scale.</p> <h2> The Security Mistake: Staging Servers in Production </h2> <p>I found <strong>6 staging/sandbox API endpoints hardcoded in the release build</strong>:</p> <ul> <li><code>api-cs-sandbox.intsig.net</code></li> <li><code>api-center-sandbox.intsig.net</code></li> <li><code>api-algo-sandbox.camscanner.com</code></li> <li><code>ai-cn-sandbox.camscanner.com</code></li> <li><code>cs1-sandbox.intsig.net</code></li> <li><code>b103-sandbox.camscanner.com</code></li> </ul> <p>These are internal test servers that should have been stripped from the production build. They could potentially expose debug interfaces or less-secured services. Don't make this mistake in your own app.</p> <h2> Key Numbers </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Total size</td> <td>306 MB (27 split APKs)</td> </tr> <tr> <td>DEX files</td> <td>12 (85.5 MB bytecode)</td> </tr> <tr> <td>Activities</td> <td>369</td> </tr> <tr> <td>Third-party SDKs</td> <td>34</td> </tr> <tr> <td>Ad networks</td> <td>6</td> </tr> <tr> <td>Auth providers</td> <td>7+</td> </tr> <tr> <td>Permissions</td> <td>35</td> </tr> <tr> <td>Supported languages</td> <td>27</td> </tr> </tbody> </table></div> <h2> What I Didn't Include Here </h2> <p>The full report goes deeper: complete API endpoint list (18 first-party + 14 third-party), full SDK breakdown by category, permission-by-permission analysis with risk levels, build configuration details, and technical implementation specifics like the dynamic DEX loading mechanism.</p> <p><strong>I do this as a service.</strong> Send me any Google Play link and I'll send you a full reverse-engineering report (PDF + Markdown) within 2 hours. $29 for one app, $19/each for 3-10 apps.</p> <p>Free sample report (CamScanner full version): <a href="https://appxray.blackorange.org" rel="noopener noreferrer">appxray.blackorange.org</a></p> <p><em>Have questions about what I found? Drop a comment — happy to discuss.</em></p> android mobile security adtech