Ground truth on what apps do with your data.

Veracta proves what software actually does at runtime: what data is accessed, what leaves the device or environment, where it goes, and how strong the evidence is.

What you get

Proof you can inspect.

01

Runtime behavior

Privacy labels, policies, and static review describe expected practice. Veracta observes what the software actually does while it runs.

02

Decrypted traffic

Session keys come from inside the app, then recorded traffic is decrypted host-side, so pinned TLS, QUIC, HTTP/3, and bundled crypto remain visible.

03

Confirmed exfiltration

Marker-free canary values for IDs, GPS, email, phone, and clipboard separate confirmed data sharing from suspicion or capability-only findings.

04

Region attribution

Runs verify the requested country before analysis begins, so a finding is tied to the jurisdiction where the behavior was actually observed.

05

Normal app path

Android apps are installed from Google Play and run in environments that preserve normal app behavior, rather than sideloaded test builds.

06

Reviewable evidence

Requests, traces, provenance metadata, regions, and SHA-256 checksums stay attached so someone else can inspect the basis for a claim.

FAQ

Frequently asked questions

01How is this different from a proxy or MITM tool?+
A man-in-the-middle proxy fakes a certificate the app can reject, and sits in the network path where the app can detect it. Veracta captures the app's own session keys from inside the app and decrypts the traffic host-side. There's no proxy to detect and no certificate to refuse, so it works on pinned, QUIC, bundled-crypto, and anti-tamper-protected apps that defeat proxies entirely.
02What does "confirmed exfiltration" actually mean?+
Before each scan we plant unique, random, marker-free canary values for device IDs, GPS, email, phone, and clipboard. When one of those exact values, which exists nowhere else in the world, appears in an outbound request to a third party, that's proof the app collected it and sent it. We search plaintext plus roughly twenty hashed and encoded variants, and weight a plaintext match above a hashed one.
03Why does the region matter?+
An app can behave completely differently for a user in Germany versus Brazil. Veracta proves the device's traffic actually exits the country you requested before any analysis runs, using a two-layer check measured on the device and corroborated from the host. A region mismatch is a hard abort, so a finding is never misattributed to the wrong country.
04Is the evidence usable in a regulatory or legal context?+
Every run produces a complete, organized evidence directory following FAIR data principles and W3C provenance metadata, with a SHA-256 checksum for every file. A regulator or court can be handed the decrypted request that proves a claim, not just a summary.
05What about privacy and data handling on your side?+
Wherever possible, we keep your information in the secure systems we run ourselves, for storage, processing, and monitoring. Your data is kept separate from every other customer’s, so customers cannot access each other’s information. When we test our security, we use test data, not real user or customer data, and keep it inside our controlled environment. Our most recent review found no issues from the OWASP Top 10:2025.
Contact

Want to understand what software is doing with data?

Tell us what you are trying to verify, which software surface matters, and what kind of evidence you need. We will point you to the right next step.