Launch Vectors

The CI quality gate your mobile team is missing.

Launch Vectors analyzes every pull request in real time - catching regressions, CVEs, and crash risk before code merges. Start with nothing but your APK. No installation. No source code. Predictive, not reactive.

No credit card. No integration. Drop an APK and get a risk score in 90 seconds.

No source access required · < 90s to first report · iOS & Android
Launch Vectors · Risk Monitor

Current Analysis

65 risk
Signal v8.10.3
org.thoughtcrime.securesms · build 168702 · APK 107.1 MB
Medium risk

Findings

  • C · jackson-databind - GHSA-27xj-rqx5-2255, polymorphic deserialization gadget chain.
  • C · OkHttp certificate validation - GHSA-3cqm-mf7h-prrj, can accept the wrong certificate.
  • C · Protocol Buffers (Java) - GHSA-4gg5-vx3j-xwc7, uncontrolled resource consumption.
  • I · 73 critical SDK CVEs across Jackson, OkHttp, Protobuf, Gson, Okio.
73 Critical CVEs · 103 Open findings · 3 Live

Public data · May 2026

3 Apps tracked publicly · 155 Open findings · 84 Critical CVEs identified

“Our goal for every design partner: catch at least 1–2 regressions in the first 30 days before they ship.”

Publicly monitored: Microsoft Teams · Signal · F-Droid

The problem

Mobile releases are irreversible.

You can't roll back an iOS app. Every bad release is a 48–72 hour blast radius minimum, and a flood of 1-star reviews you can't undo. The cost of fixing bugs post-release is 60–100× what it costs to catch them pre-merge.

Crashlytics
Tells you what broke - after it already shipped.
Sentry
Tells you when users hit errors - after it already shipped.
Launch Vectors
Tells you what's about to break - before the code merges.
77%

of mobile teams require emergency hotfixes every 3–5 releases.

72h

Minimum blast radius per bad release. No rollback on mobile.

100×

More expensive to fix bugs post-release than pre-merge.

$2.07T

Mobile commerce market. The stakes have never been higher.

Three real incidents we'd classify in 15 minutes
Try it now

See what we see.

Drop in your last release - no account, no source code, no integration required. Takes 90 seconds. Get a Risk Score, app size breakdown, SBOM, CVE flags, and release-over-release diff. Design partners get everything on top of this.

accepted: .apk, .ipa, .aab · max 500.0 MB

  • Scoring + SBOM + CVE-flagged findings in one report
  • Release-over-release diff once you've uploaded a prior version
  • Bundles processed in a private sandbox; raw bytes deleted within 24h

Liked what you saw? Design partners get per-PR risk scores, a CI gate that blocks high-risk merges, and a live performance monitor across crash rate, startup time, ANR rate, and more. Become a design partner →

Bundle Report · signal-android v8.10.3
medium · 65

Bundle size

107.1 MB

New permissions

0 added

SDK CVEs

2 components flagged

Findings total

103

Top contributing factors

  • sdk cve count: +35 · 78
  • binary finding count: +30 · 103
  • tracking sdks: +0 · 0
  • critical module touched: +0 · no
How the product scales with you

Two tiers. Same scoring engine.

Start self-serve with a single bundle upload. Become a design partner to unlock telemetry, per-PR analysis, the CI gate, and a model that learns your codebase.

Self-serve

Binary-only

Drop in a bundle. Get a report.

Inputs: IPA / APK / AAB

  • Risk score + factors
  • App size breakdown
  • SBOM with CVE flags
  • Release-over-release diff
  • Security & privacy findings
  • Public-app watchlist
  • Bundle Report on every build
Try it now
Design Partner · Premium

The data flywheel

Every PR scored. Every regression labeled. The model learns your codebase.

Inputs: Bundle + telemetry + GitHub App + source access

  • Telemetry connector - Crashlytics, Sentry, or Embrace
  • Performance monitor - crash-free, ANR, startup, memory, battery, with Z-score anomaly detection + Slack/PagerDuty alerts
  • GitHub Check Run on every PR - 🟢 Low / 🟡 Medium / 🔴 High within 60 seconds
  • CI Quality Gate - blocks merges when risk exceeds policy
  • Historical similarity - "this release looks like the one you rolled back in March"
  • Subsystem volatility heatmap - 30/90-day churn map of fragile areas
  • Per-customer calibration - score sharpens as your team labels past releases
  • On-prem deploy option - your data never leaves your cloud
Become a design partner
What you get

Six operational lenses on every release.

Mobile SBOM + CVE flags

CycloneDX-format SBOM from any bundle. SDK fingerprints cross-referenced against OSV and GitHub Advisory in real time.

Release diff analysis

Compare every new bundle against the prior version: new permissions, new SDKs, native libs, size delta, exported components, minimum-OS change.

Privacy & security review

Tracking-SDK detection vs Apple privacy manifest. Cleartext-traffic, exported components, hardcoded secrets - flagged with evidence.

8-metric rollout monitor

Crash-free, ANR-free, cold start, hang rate, battery, data, OOM, memory growth. Industry-anchored absolute thresholds + Z-score regression detection.

Subsystem volatility

Path-glob-mapped subsystems with 30/90-day churn. Heatmap shows where the noise lives - and which subsystems correlate with past regressions.

Historical similarity

Cosine similarity to past releases with your team's outcome labels. Surfaces 'this looks like the one we rolled back last quarter.'

CI quality gate

Block builds when risk exceeds your policy.

The same gate works on a binary upload from CI or on a PR webhook. Versioned policy file lives in your repo.

.mobile-risk-ai.yml
versioned in your repo
version: 1
gate:
  verdict:
    high: fail
    medium: warn
    low: pass
  factors:
    sdk_cve_count:        { warn_at: 4, fail_at: 8 }
    permissions_added:    { warn_at: 1, fail_at: 2 }
    critical_module_touched:
      fail_at: 1
    release_drift:
      warn_at: 0.20
      fail_at: 0.40
  flags:
    new_permission:        warn
    sdk_cve:               fail
    hardcoded_secret:      fail
  allow_bypass_label: "risk:approved"
  on_unavailable: warn
  timeout_seconds: 90
.github/workflows/risk-gate.yml
binary or PR mode
name: Mobile Risk Gate
on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      # gate the PR
      - uses: launchvectors/mobile-risk-ai-action@v1
        with:
          api-token: ${{ secrets.MOBILE_RISK_AI_TOKEN }}
          config: .mobile-risk-ai.yml

      # also gate on the built bundle
      - uses: launchvectors/mobile-risk-ai-action@v1
        with:
          api-token: ${{ secrets.MOBILE_RISK_AI_TOKEN }}
          bundle-path: app/build/outputs/bundle/release/app.aab
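
How a gate could turn the policy file above into a pass/warn/fail outcome, as an added example that is not Launch Vectors' code; it shows why `on_unavailable: warn` is fail-open and what `allow_bypass_label` does to a failing result. Assumptions: `warn_at`/`fail_at` are inclusive thresholds, the worst outcome wins, the bypass label downgrades `fail` to `warn`, and the report shape (`verdict`, `factors`, `flags`) is hypothetical.

```python
# Added illustration, not Launch Vectors code. Threshold semantics (inclusive
# warn_at/fail_at, worst outcome wins, bypass downgrades fail to warn) are assumptions.
ORDER = {"pass": 0, "warn": 1, "fail": 2}

# The gate section of the .mobile-risk-ai.yml policy above, transcribed as a dict.
POLICY = {
    "verdict": {"high": "fail", "medium": "warn", "low": "pass"},
    "factors": {
        "sdk_cve_count": {"warn_at": 4, "fail_at": 8},
        "permissions_added": {"warn_at": 1, "fail_at": 2},
        "critical_module_touched": {"fail_at": 1},
        "release_drift": {"warn_at": 0.20, "fail_at": 0.40},
    },
    "flags": {"new_permission": "warn", "sdk_cve": "fail", "hardcoded_secret": "fail"},
    "allow_bypass_label": "risk:approved",
    "on_unavailable": "warn",
}

def evaluate(policy, report, pr_labels=()):
    """Return (outcome, reasons). report=None models an unreachable scoring service."""
    if report is None:
        # on_unavailable: warn is fail-open; set it to fail for a blocking gate.
        return policy["on_unavailable"], ["scoring service unavailable"]
    hits = [(policy["verdict"][report["verdict"]], f"verdict={report['verdict']}")]
    for name, limits in policy["factors"].items():
        value = report.get("factors", {}).get(name, 0)
        if "fail_at" in limits and value >= limits["fail_at"]:
            hits.append(("fail", f"{name}={value} >= fail_at {limits['fail_at']}"))
        elif "warn_at" in limits and value >= limits["warn_at"]:
            hits.append(("warn", f"{name}={value} >= warn_at {limits['warn_at']}"))
    for flag in report.get("flags", []):
        hits.append((policy["flags"].get(flag, "pass"), f"flag {flag}"))
    outcome = max((h[0] for h in hits), key=ORDER.__getitem__)
    reasons = [why for level, why in hits if level != "pass"]
    if outcome == "fail" and policy["allow_bypass_label"] in pr_labels:
        outcome = "warn"
        reasons.append(f"bypassed via label {policy['allow_bypass_label']}")
    return outcome, reasons

# Constructed input modelled on the Signal v8.10.3 bundle report on this page.
SAMPLE_REPORT = {
    "verdict": "medium",
    "factors": {"sdk_cve_count": 78, "permissions_added": 0},
    "flags": ["sdk_cve"],
}

if __name__ == "__main__":
    print(evaluate(POLICY, SAMPLE_REPORT))
```

Anyone who can apply the bypass label can downgrade a failing gate, so restrict who may set it and review its use.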
Built right

Boringly serious architecture.

Java + Spring Boot services. Python for scoring. Postgres + ClickHouse for data. Designed so the on-prem path stays open for production buyers.

Binary analyzer

iOS + Android bundle parsing, SBOM, findings, diff

Postgres

Canonical state + analysis results

ClickHouse

Telemetry + perf time series

Python scoring

Heuristic v1; trained models in Phase 2

GitHub App

Least-privilege, source-tier only

Telemetry pollers

Crashlytics · Firebase Perf · Play Vitals · MetricKit

Encryption everywhere

At rest + in transit. GitHub OAuth + RBAC at the gateway.

SOC2 roadmap

Managed services with SOC2 controls; full audit planned post-pilot.

Bundles never redistributed

We analyze and store findings; raw bytes auto-delete after 90 days.

The team

Built by engineers who've lived this problem.

Both founders shipped mobile apps to tens of millions of users and built the internal tooling that enterprises rely on.

Amit Rao

Founder & CTO

Developer Tools · iOS / Android / MacOS / Windows · IIT Bombay

15+ years in mobile app engineering & 20+ years of software engineering experience. Built static and binary analysis tools at Microsoft to detect runtime & security defects across the Windows codebase.

  • Ring / Amazon - Technical lead (2020–2025), managing Ring Mobile Foundation teams on iOS/Android. Led Pan/Tilt/Zoom in Alexa mobile apps.
  • Microsoft - Developer on Windows 7 / Windows Server 2008; developed static analysis tools & technology at Microsoft Research.
  • Intuit - iOS Staff Engineer; all App Store releases for Mint iOS (1.6M daily users, top-10 Finance). Built TouchID for Mint, Crashlytics integration and CI/CD automation.
  • Pixie Bytes - Founder & CTO; bootstrapped studio shipping AI-native iOS, Android, and macOS apps.
  • B.Tech IIT Bombay · M.S. Computer Engineering, University of Cincinnati (compilers & distributed systems).
Abhi Sachdev

Founder

Product & GTM · Marketplaces · IIT Bombay

Product leader with an engineering background, track record scaling mobile and marketplace businesses from pre-IPO to $60B+ valuation. Built products used by hundreds of millions - and knows exactly where mobile release failures hurt revenue.

  • DoorDash · Director of Product. 5 years shipping products that millions of gig workers and consumers ran their livelihoods on - where a crashed release wasn't a support ticket, it was a gig worker who couldn't access their paycheck. Ran three of DoorDash's most operationally complex surfaces - Financial Products, DoorDash for Work, and DoorDash for Occasions - overseeing multi-billion-dollar GMV portfolios across a PM org that grew from 15 to 150+.
  • Groupon. Led mobile-first marketplace products when 72% of all transactions were on mobile - 50M customers, 177M app downloads. Built early conviction that mobile wasn't a secondary surface. It was the business.
  • Intuit. Won the Scott Cook Founder's Innovation Award for taking GoPayment from mediocre to NPS > 50 and 4+ stars on both app stores - by treating mobile quality as a product discipline, not a testing problem.
  • Columbia MBA · B.Tech Aerospace Engineering, IIT Bombay.
Design partners

We're building this with you, not for you.

We're looking for mobile engineering teams to work with hands-on as we build the data flywheel. Design partners shape the product, get early access, and help validate what 'good' looks like in their release pipeline.

Who we're looking for

The right fit

  • 5–25 mobile engineers shipping iOS + Android
  • Active GitHub or GitLab PR workflow
  • Using Crashlytics, Sentry, or Embrace
  • Bi-weekly or faster release cadence
  • Have felt the hotfix pain firsthand
What you get

Partner benefits

  • Design partner pilot deployed in your actual repos - not a sandbox, your real code
  • Per-PR risk scores in your GitHub PRs within 60 seconds of open
  • CI gate you control - advisory mode during onboarding, blocking when you're ready
  • Historical calibration - we onboard your last 20 releases with your team's outcome labels
  • Direct line to founding team - biweekly, you shape what gets built
What we need from you

Your commitment

  • GitHub + Crashlytics/Sentry read access
  • One engineer point of contact for setup
  • 30-day active pilot window
  • Bi-weekly 30-min check-in during pilot
  • Candid feedback - what works, what doesn't
Limited - 3–5 partners only

Apply to be a design partner

Tell us your team size, mobile stack, and the last time a release caused a hotfix. No deck required.

Apply now
Now in design-partner pilot

Start with a bundle. Grow into the full platform.

Not ready to commit? Drop in your last release and see what we see in under 90 seconds. Design partners get the full platform - telemetry, PR-level analysis, and a CI gate that blocks bad merges before they ship.
