A security nutrition label for links — a fully on-device URL scanner that performs over 100 deterministic checks in ≈2 seconds.
LegitURL is a lightweight mobile app that analyzes the trustworthiness of any URL using a transparent, heuristic-driven approach. All scans run locally and complete in ~2 seconds. No cloud analysis, no data leaks, just fast, explainable results.
- Instant risk scoring – assigns 🟩/🟧/🟥 based on 100+ deterministic checks
- Security-focused – detects silent redirects, CSP misconfigurations, suspicious TLS certificates, and tracking behavior
- Explainable results – every finding is traceable to a rule; no black-box logic
- Privacy-first design – a single HTTPS request, no third-party traffic, zero analytics
- Exportable reports – generate PDFs or LLM-ready JSON for external review
"LegitURL offers a unique approach to link analysis — blending pedagogy and precision in a tool designed for everyone."
Excerpt from the article
[...]
But encryption is not authentication.
Rendering is not endorsement.
Even seemingly benign links can conceal redirect chains, cloaked infrastructure, or misconfigured policies — all while wearing the lock like a badge.
I often tell non-technical users to imagine a website as a shop, and their browser as a guide or bodyguard.
That guide will help them get inside, translate unknown languages, and smooth over bumps in the experience.
But how many of us would willingly enter a shop with crumbling walls, broken stairs, sticky notes slapped on our chest, and strangers watching our every move, while the bodyguard just smiles and quietly patches the walls?
[...]
Read the full article on page 258.
LegitURL was also featured on ZATAZ, in an article by Damien Bancal, highlighting the tool's unique approach to phishing and scam link detection.
| Score | Description |
|---|---|
| 🟥 High risk | Multiple critical signals: expired or mismatched certificates, missing CSP, scam patterns, cloaking, etc. |
| 🟧 Moderate risk | Mixed or partial protection. Often seen with major brands, but warrants caution. |
| 🟩 Low risk | Clean redirect flow, strong TLS, proper headers, no tracking or obfuscation detected. |
- End-users: download via the App Store.
- Developers: open LegitURL.xcodeproj in Xcode and build directly.
Screenshots: Signals & Logs; Inline script findings
- Offline static parsing: detects homograph attacks, encoded words, scam phrases, entropy anomalies, and more.
- Sandboxed HTTPS fetch: retrieves headers, HTML body, TLS certificate, cookies, and inline JavaScript.
- Deterministic scoring engine: findings set bit-flags → weighted penalties → a single final score with full traceability.
See TECHNICAL_OVERVIEW.md for detailed logic and implementation.
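The three stages above form a small pipeline. The following is an added example written for this page in Python; it is not LegitURL's Swift source and does not reproduce the app's rules. It shows a few of the offline checks the list names (punycode labels, mixed-script hostnames, user-info tricks, scam words, high-entropy tokens) feeding a bit-flag scoring engine. The flag names, penalty weights, thresholds, word list and sample URLs are all assumptions made for the example.

```python
"""Added example, not LegitURL's Swift code: a handful of offline URL
heuristics feeding a bit-flag scoring engine in the shape the README
describes (findings set bit-flags -> weighted penalties -> one score).
Weights, thresholds, word list and sample URLs are illustrative assumptions."""
import math
import unicodedata
from enum import IntFlag, auto
from urllib.parse import parse_qsl, urlsplit


class Finding(IntFlag):
    NO_TLS          = auto()  # plain http://
    AT_IN_AUTHORITY = auto()  # https://bank.example@evil.example/ (user-info trick)
    PUNYCODE_HOST   = auto()  # xn-- label: candidate homograph
    MIXED_SCRIPT    = auto()  # Latin mixed with Cyrillic/Greek look-alikes
    SCAM_PHRASE     = auto()  # "verify", "unlock", ... in host or path
    HIGH_ENTROPY    = auto()  # random-looking path segment or query value


# Assumed penalty per flag; the app's real weights live in its own source.
PENALTY = {
    Finding.NO_TLS: 20,
    Finding.AT_IN_AUTHORITY: 35,
    Finding.PUNYCODE_HOST: 30,
    Finding.MIXED_SCRIPT: 40,
    Finding.SCAM_PHRASE: 25,
    Finding.HIGH_ENTROPY: 15,
}
SCAM_WORDS = ("verify", "secure-login", "account-update", "unlock", "wallet")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unicode_scripts(host: str) -> set:
    """Script name (LATIN, CYRILLIC, ...) of every letter in the host."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in host if c.isalpha()}


def static_checks(url: str) -> Finding:
    """Offline parse of the URL string only; no network access."""
    flags = Finding(0)
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags |= Finding.NO_TLS
    if parts.username is not None:          # everything before '@' is user-info, not the host
        flags |= Finding.AT_IN_AUTHORITY
    if any(label.startswith("xn--") for label in host.split(".")):
        flags |= Finding.PUNYCODE_HOST
    if len(unicode_scripts(host)) > 1:
        flags |= Finding.MIXED_SCRIPT
    haystack = (host + parts.path).lower()
    if any(word in haystack for word in SCAM_WORDS):
        flags |= Finding.SCAM_PHRASE
    tokens = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    if any(len(t) >= 12 and shannon_entropy(t) > 3.5 for t in tokens):
        flags |= Finding.HIGH_ENTROPY
    return flags


def score(flags: Finding):
    """Deterministic score: 100 minus summed penalties, floored at 0, plus the
    names of the rules that fired so every point lost is traceable."""
    hits = [f for f in Finding if f in flags]
    total = max(0, 100 - sum(PENALTY[f] for f in hits))
    band = "🟩" if total >= 80 else "🟧" if total >= 50 else "🟥"
    return total, band, [f.name for f in hits]


def scan(url: str):
    return score(static_checks(url))


if __name__ == "__main__":
    # Constructed sample URLs, not real sites. "\u0430" is a Cyrillic a.
    for u in ("https://example.com/docs/guide",
              "https://p\u0430ypal.com/login",
              "http://bank.example@xn--pypal-4ve.example/verify",
              "https://example.com/reset?token=x7Qp9Lm2Zr4Kv8Wn"):
        print(u, *scan(u))
```

Because every finding is a flag and every penalty is a table lookup, the score is reproducible and each point lost names the rule that took it, which is the property the "explainable results" bullet describes. A single random-looking token is only a mild signal on its own (CDN asset names and reset tokens look the same), so it carries a low weight and leaves the URL in the green band.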
- Cookie bit-flag pyramid
- CSP / header correlation
- HTML `<meta refresh>` detection
- Correlate CSP script hashes with inline scripts
- Subresource Integrity (SRI) hash checks
- Consolidated CSP generator
- Implement an OpenSSL probe to retrieve the certificate chain and the reason for a failed TLS handshake
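To make the CSP hash correlation and SRI items concrete, here is an added Python example. It is not LegitURL's code (the app is Swift) and makes no claim about how those roadmap items are or will be implemented; it only demonstrates the checks themselves. It hashes each inline `<script>` body exactly as a browser does, compares the digest with the `'sha256-...'` sources in the page's Content-Security-Policy, and verifies `integrity` attributes against the bytes of the fetched external scripts. The sample page, policy, script bodies and URLs are constructed for the example, and the HTML "parser" is a regex that only handles double-quoted attributes.

```python
"""Added example, not LegitURL's code: correlate inline <script> bodies with
CSP 'sha256-...' sources and check <script src> integrity attributes (SRI)
against fetched bytes. Sample page, policy and script bodies are constructed."""
import base64
import hashlib
import re

HASH_ALGOS = ("sha256", "sha384", "sha512")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')   # double-quoted attributes only


def digest(algo: str, data: bytes) -> str:
    """Base64 digest, the form both CSP and SRI use after the 'algo-' prefix."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def parse_hash_source(token: str):
    """'sha256-AbC=' (with or without CSP quotes) -> ('sha256', 'AbC='), else None."""
    algo, _, b64 = token.strip("'").partition("-")
    return (algo.lower(), b64) if algo.lower() in HASH_ALGOS and b64 else None


def script_policy(csp: str):
    """Return (allowed hashes, whether plain inline scripts may run).

    script-src falls back to default-src. Per CSP Level 2/3, once a hash or
    nonce source is present the browser ignores 'unsafe-inline'."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src") or []
    hashes = {h for h in map(parse_hash_source, sources) if h}
    has_nonce = any(s.strip("'").lower().startswith("nonce-") for s in sources)
    unsafe_inline = any(s.lower() == "'unsafe-inline'" for s in sources)
    return hashes, unsafe_inline and not (hashes or has_nonce)


def audit_scripts(html: str, csp: str, fetched: dict) -> list:
    """One (kind, subject, verdict) tuple per <script> element, in document order."""
    hashes, inline_allowed = script_policy(csp)
    report = []
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        if "src" in a:
            src = a["src"]
            pins = [h for h in map(parse_hash_source, a.get("integrity", "").split()) if h]
            if not pins:
                verdict = "no SRI"
            elif src not in fetched:
                verdict = "SRI present, body not fetched"
            elif any(digest(algo, fetched[src]) == b64 for algo, b64 in pins):
                verdict = "SRI ok"
            else:
                verdict = "SRI mismatch"          # a browser would refuse to run it
            report.append(("external", src, verdict))
        else:
            # The CSP hash covers the exact source text, whitespace included.
            data = body.encode("utf-8")
            if any(digest(algo, data) == b64 for algo, b64 in hashes):
                verdict = "allowed by CSP hash"
            elif inline_allowed:
                verdict = "allowed only by 'unsafe-inline'"
            else:
                verdict = "blocked by CSP (no matching hash)"
            report.append(("inline", body.strip()[:40], verdict))
    return report


# Constructed sample: one hashed inline script, one tracker the policy does not
# name, one SRI-pinned library and one unpinned external script.
INLINE_OK = 'console.log("allowed by hash");'
INLINE_TRACKER = 'fetch("https://tracker.example/p?u=" + location.href);'
LIB_SRC = "https://cdn.example/lib.js"
FETCHED = {LIB_SRC: b"window.lib = 1;"}   # stands in for the downloaded file
SAMPLE_CSP = (f"default-src 'self'; script-src 'self' 'unsafe-inline' "
              f"'sha256-{digest('sha256', INLINE_OK.encode())}'")
SAMPLE_HTML = f"""<html><head>
<script>{INLINE_OK}</script>
<script>{INLINE_TRACKER}</script>
<script src="{LIB_SRC}" integrity="sha384-{digest('sha384', FETCHED[LIB_SRC])}" crossorigin="anonymous"></script>
<script src="https://cdn.example/unpinned.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, subject, verdict in audit_scripts(SAMPLE_HTML, SAMPLE_CSP, FETCHED):
        print(f"{kind:8} {subject:45} {verdict}")
```

The sample policy lists `'unsafe-inline'` next to a hash, so the tracker script is reported as blocked rather than permitted: a CSP-aware check has to apply the same precedence rule as the browser, or it will call a page more permissive than it really is. The SRI branch needs the fetched bytes, which is why the check belongs after the HTTPS fetch stage rather than in the offline parser.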
GNU Affero GPL v3 – see LICENSE for details. Issues welcome.