LegitURL
A strict iOS app that analyzes link safety like a nutrition label (no AI, offline)
LegitURL
A security nutrition label for links — a fully on-device URL scanner that performs over 100 deterministic checks in ≈2 seconds.
Overview
LegitURL is a lightweight mobile app that analyzes the trustworthiness of any URL using a transparent, heuristic-driven approach. All scans run locally and complete in about 2 seconds. No cloud analysis, no data leaks, just fast, explainable results.
See the examples for sanitized case studies of real-world phishing links, complete with PDF exports, structured JSON, and LLM reasoning outputs.
Key features:
- Instant risk scoring – assigns 🟩/🟧/🟥 based on 100+ deterministic checks
- Security-focused – detects silent redirects, CSP misconfigurations, suspicious TLS certificates, and tracking behavior
- Explainable results – every finding is traceable to a rule; no black-box logic
- Privacy-first design – a single HTTPS request, no third-party traffic, zero analytics
- Exportable reports – generate PDFs or LLM-ready JSON for external review
Media Coverage
Cyberdefense Magazine (July 2025)
Excerpt from the article
[...]
But encryption is not authentication.
Rendering is not endorsement.
Even seemingly benign links can conceal redirect chains, cloaked infrastructure, or misconfigured policies — all while wearing the lock like a badge.
I often tell non-technical users to imagine a website as a shop, and their browser as a guide or bodyguard.
That guide will help them get inside, translate unknown languages, and smooth over bumps in the experience.
But how many of us would willingly enter a shop with crumbling walls, broken stairs, sticky notes slapped on our chest, and strangers watching our every move, while the bodyguard just smiles and quietly patches the walls?
[...]
Read the full article (page 258).
ZATAZ Cybersecurity News
LegitURL was also featured on ZATAZ, in an article by Damien Bancal, highlighting the tool's unique approach to phishing and scam link detection.
Scoring System
| Score | Description |
|---|---|
| 🟥 High risk | Multiple critical signals: expired/mismatched certs, missing CSP, scam patterns, cloaking, etc. |
| 🟧 Moderate risk | Mixed or partial protection. Often seen with major brands but warrants caution. |
| 🟩 Low risk | Clean redirect flow, strong TLS, proper headers, no tracking or obfuscation detected. |
Getting Started
| Audience | How to get started |
|---|---|
| End-users | Download via the App Store |
| Developers | Open LegitURL.xcodeproj in Xcode and build directly. |
Screenshots
Screenshot images (not reproduced here): Signals & Logs, Inline script findings, Cookie view, CSP directives, HTML report export, LLM JSON export.
How it works
1. Offline static parsing – detects homograph attacks, encoded words, scam phrases, entropy anomalies, and more.
2. Sandboxed HTTPS fetch – retrieves headers, HTML body, TLS certificate, cookies, and inline JavaScript.
3. Deterministic scoring engine – findings set bit-flags → weighted penalties → a single final score with full traceability.
See TECHNICAL_OVERVIEW.md for the detailed logic and implementation.
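To make the three-stage pipeline concrete, here is a small added example (not LegitURL's own code; the flag names, penalty weights, score thresholds and the scam-phrase list are constructed assumptions) showing how offline URL checks and post-fetch response checks each set bit-flags, and how the flags then become weighted penalties and a traceable verdict:

```python
import math
import re
from enum import IntFlag
from urllib.parse import urlparse

# Constructed illustration of bit-flags -> weighted penalties -> score; weights are assumed, not LegitURL's.
class Signal(IntFlag):
    MIXED_SCRIPT_HOST = 1 << 0   # Latin and non-Latin letters in one hostname (homograph candidate)
    HIGH_ENTROPY_HOST = 1 << 1   # random-looking hostname label
    SCAM_PHRASE = 1 << 2         # known lure wording anywhere in the URL
    MISSING_CSP = 1 << 3         # response carried no Content-Security-Policy header
    META_REFRESH = 1 << 4        # silent client-side redirect in the HTML body

PENALTIES = {Signal.MIXED_SCRIPT_HOST: 55, Signal.HIGH_ENTROPY_HOST: 15,
             Signal.SCAM_PHRASE: 20, Signal.MISSING_CSP: 25, Signal.META_REFRESH: 25}
SCAM_PHRASES = ("verify-account", "secure-login", "update-billing")  # constructed sample list

def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0

def static_signals(url: str) -> Signal:  # offline stage: inspects only the URL string, no network
    host = urlparse(url).hostname or ""
    try:  # decode punycode so xn-- labels are judged on their Unicode form
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    flags = Signal(0)
    if any(c.isascii() and c.isalpha() for c in host) and not host.isascii():
        flags |= Signal.MIXED_SCRIPT_HOST
    label = host.split(".")[0]
    if len(label) >= 8 and shannon_entropy(label) > 3.5:
        flags |= Signal.HIGH_ENTROPY_HOST
    if any(p in url.lower() for p in SCAM_PHRASES):
        flags |= Signal.SCAM_PHRASE
    return flags

def fetch_signals(headers: dict, html: str) -> Signal:  # post-fetch stage: captured headers + body
    flags = Signal(0)
    if "content-security-policy" not in {k.lower() for k in headers}:
        flags |= Signal.MISSING_CSP
    if re.search(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", html, re.I):
        flags |= Signal.META_REFRESH
    return flags

def score(flags: Signal):  # weighted penalties off a 100-point base; trace lists every flag that cost points
    total = max(0, 100 - sum(w for f, w in PENALTIES.items() if f in flags))
    verdict = "🟩" if total >= 80 else "🟧" if total >= 50 else "🟥"
    return total, verdict, [f.name for f in Signal if f in flags]
```

Because every point lost maps back to a named flag, the trace returned alongside the score is what makes the verdict explainable rather than a black box.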
Roadmap
Completed
- [x] Cookie bit-flag pyramid
- [x] CSP / header correlation
- [x] HTML `<meta refresh>` detection
In progress
- [ ] Correlate CSP SHA hashes with inline scripts
- [ ] Subresource Integrity (SRI) hash checks
- [ ] Consolidated CSP generator
- [ ] Implement OpenSSL probe to retrieve certificate chain and reason for failed TLS handshake
License
GNU Affero GPL v3 – see LICENSE for details. Issues welcome.