Why does an APK manifest need decoding?

Inside an APK the AndroidManifest.xml is not plain text. It is compiled into Android's binary XML (AXML) format, which packs tags, attributes and a string pool into a chunk-based binary layout. The tool decodes that format to recover readable values.

How does a browser read inside an APK?

An APK is a ZIP archive. The tool reads the ZIP central directory to find the AndroidManifest.xml entry, then inflates it using the browser's built-in DecompressionStream before decoding the binary XML.

No. The file is read with the FileReader API and processed entirely in your browser. This matters because APKs can contain proprietary or unreleased code; nothing is sent to a server.

Why might some values show as unknown?

A few manifests reference attribute values through resource IDs that live in the compiled resources rather than the manifest itself. Those appear as numeric references; the core fields like package, version and permissions decode directly.

Android APK Inspector

The Android APK Inspector opens an .apk file in the browser and surfaces the key facts from its manifest: the package name, version, target SDK levels and the permissions the app requests. This is the quickest way to audit an APK before sideloading it, to confirm a build’s version code, or to see exactly what an app is allowed to access — without Android Studio, aapt or apktool.

How it works

An APK is simply a ZIP archive, so the inspector starts by reading the ZIP central directory. It scans backwards from the end of the file for the End Of Central Directory record, then walks each central-directory entry until it finds AndroidManifest.xml. From that entry it locates the compressed data and, if the entry uses DEFLATE, inflates it with the browser’s DecompressionStream("deflate-raw").

The decompressed manifest is in Android’s binary XML (AXML) format. AXML is a sequence of typed chunks: a header, a string pool, and a stream of start-element chunks. The tool first reads the string pool (supporting both UTF-8 and UTF-16 encodings), then walks the start-element chunks. For each element it reads the attribute table, resolving each attribute’s value either from the string pool or from its typed data field (integers, booleans and string references).

From those elements it extracts the package, versionName and versionCode off the <manifest> tag, the minSdkVersion and targetSdkVersion off <uses-sdk>, every <uses-permission> name, and a count of <activity> declarations.

Tips and notes

Permissions like INTERNET, ACCESS_FINE_LOCATION and READ_CONTACTS reveal what an app can reach — review them before installing.
The version code is the integer Android uses to order updates; the version name is the human label such as 2.1.0.
Split APKs and bundles may keep some metadata in separate files; this tool reads the base AndroidManifest.xml.

Everything runs locally in your browser — the APK is never uploaded.