shiaho777
web-to-app
Kotlin

A native Android application that converts any website URL into a standalone Android App.

Last updated Jul 7, 2026
4.8k
Stars
694
Forks
1
Issues
+203
Stars/day
Attention Score
97
Language breakdown
No language data available.
โ–ธ Files click to expand
README

WebToApp icon

WebToApp

Build Android APKs from web projects, directly on your phone.

An on-device APK workshop that goes far beyond URL wrapping โ€” it can fork and exec full server runtimes, ship a hardened anti-censorship network stack, sign bundles for Google Play, and run MV3 browser extensions, all without a PC or a remote build server.

English ยท ็ฎ€ไฝ“ไธญๆ–‡

Stars Forks License Android

What's different ยท What you can build ยท Capability overview ยท Feature map ยท Module market ยท Architecture ยท Build


WebToApp: My Apps home, Create App picker, main toolbox, and per-app APK actions running on an Android phone


What makes WebToApp different

Most "website to app" tools stop at wrapping a URL in a WebView. WebToApp is closer to a pocket-sized APK workshop, and the hard parts are exactly where it diverges:

  • It runs real server runtimes on-device. Node.js, PHP, Python, Go, and WordPress are fork+exec'd as native binaries straight from app storage โ€” like Termux, packaged into an installable APK. URL-wrapper tools cannot do this at all.
  • It ships a hardened, anti-censorship network stack. DNS-over-HTTPS, TLS fingerprint spoofing (Chrome / Firefox / Safari JA3 templates) with a local MITM bridge, Encrypted Client Hello (ECH) on the GeckoView engine to encrypt the SNI, per-app proxies, and CORS bypass for locked-down SPAs.
  • The whole build is self-contained. Binary AXML/ARSC patching, permission pruning, V1/V2/V3 signing, and Google Play-ready AAB export all happen inside the app via apksig โ€” no remote build queue, no PC.
  • It stays extensible after shipping. Add JS/CSS modules, Tampermonkey-style userscripts, or MV3 Chrome extensions (live-searched and installed from the Chrome Web Store) without rebuilding the host.

Capability overview

A quick scan of what's in the box. Each links to the detailed feature map below.

| Area | Highlights | | --- | --- | | Build targets | Web ยท HTML ยท Frontend ยท WordPress ยท Node.js ยท PHP ยท Python ยท Go ยท Image ยท Video ยท Gallery ยท Multi-Web | | Browser engines | System WebView by default; optional GeckoView (Firefox) runtime for ECH / SNI encryption | | Network & anti-censorship | DoH (7 providers), TLS fingerprint spoofing + MITM bridge, ECH, static/PAC/SOCKS5 proxies, CORS bypass | | Privacy & hardening | 50+ vector browser fingerprint disguise, resource encryption (AES-256-GCM), anti-debug, activation gating | | Local runtimes | Native Node.js, PHP 8.4 + Composer, Python (Flask/Django/FastAPI), Go, WordPress over SQLite | | Extensions | Built-in modules, userscripts with GM_*, MV3 Chrome extensions, live Chrome Web Store search | | APK/AAB output | On-device V1/V2/V3 signing, Google Play AAB export with targetSdk rewrite, keystore management | | AI coding | Prompt-driven generation of web apps, modules, userscripts, and runtime projects |


What you can build

| Input | Output | Good for | | --- | --- | --- | | Website URL | WebView-based APK | Landing pages, tools, dashboards, docs, internal systems | | HTML / static front-end | Localhost-backed APK | React, Vue, Vite, static builds, offline web apps | | Node.js / PHP / Python / Go | APK with an on-device local server | Small server apps, admin tools, demos, prototypes | | WordPress | APK running WordPress over local PHP + SQLite | Portable sites, theme/plugin demos, content packages | | Images / video / galleries | Media-focused APK | Albums, course materials, portfolios, offline viewers | | Multiple sites | Tab/card/feed/drawer multi-web APK | Link hubs, portals, app collections | | Installed APK | Rebranded clone or shortcut disguise | Icon/name/package experiments, repackaging research |


Full feature map

WebToApp has a large number of switches. The sections below group them by use case, kept collapsible so the top of the page stays scannable.

๐ŸŒ Browser engine & networking

  • Dual engine โ€” System WebView by default, or an optional GeckoView (Firefox) runtime downloaded on first use.
  • Kernel flavor disguise โ€” present as Chrome, Edge, Samsung Internet, Firefox, or Safari-style while keeping the real engine.
  • Desktop mode, custom User-Agent, and JS/CSS injection at document-start / end / idle.
  • Popup handling โ€” same window, external browser, popup window, or block.
  • Proxies โ€” static HTTP/HTTPS/SOCKS5, PAC, authentication, bypass rules, and a local HTTP-to-SOCKS bridge.
  • DNS-over-HTTPS โ€” Cloudflare, Google, AdGuard, NextDNS, CleanBrowsing, Quad9, Mullvad, plus custom endpoints; strict or automatic modes.
  • Encrypted Client Hello (ECH) โ€” encrypt the SNI in the TLS handshake (GeckoView only; auto-wires DoH + GeckoView when toggled).
  • TLS fingerprint spoofing โ€” impersonate Chrome 131 / Firefox 133 / Safari 18 JA3 profiles (or custom ciphers), served through a local TLS-MITM bridge so the outgoing ClientHello matches a real browser.
  • CORS bypass โ€” let static SPAs call external APIs that would otherwise be blocked by CORS.
  • Failover โ€” automatic fallback to mirror URLs when the primary target is unreachable.
  • PWA offline cache strategies, custom error pages, per-app host overrides, and payment-scheme handlers.
  • Compatibility toggles โ€” blob download interception, scroll memory, image repair, clipboard / orientation / notification polyfills, private-network bridging, and Native Bridge capability gates.

๐Ÿ›ก๏ธ Privacy, fingerprint defense & hardening

  • Browser fingerprint disguise across 50+ vectors โ€” User-Agent, WebGL, Canvas, AudioContext, ClientRects, timezone, language, memory, media devices, WebRTC, fonts, battery, permissions, performance, storage, notifications, CSS media, iframe propagation, and error-stack cleanup.
  • Hosts-rule ad blocker with cosmetic MutationObserver filtering, 20 built-in community filter lists (EasyList, uBlock Origin, AdGuard, AdAway, plus 8 language-specific lists), per-source enable/disable/delete, and custom subscription rules bundled into the APK.
  • Resource encryption (PBKDF2 + AES-256-GCM) for packaged config, HTML, media, and BGM; optional custom encryption password stronger than package/certificate-derived keys.
  • Runtime hardening when encryption is on โ€” anti-debug, anti-Frida, DEX-tamper checks; threat response of log-only, silent exit, or randomized crash.
  • WebView/content isolation for storage, WebRTC, Canvas, Audio, WebGL, fonts, headers, and IP surfaces.
  • Activation-code gating โ€” local verification, or your own HTTPS endpoint signed with EC P-256. See the remote activation docs.

๐Ÿ“ฆ Local server runtimes (fork + exec on-device)

  • Node.js runs in a dedicated :nodejs OS process via a native node_launcher wrapper loading libnode.so; supports custom native .node extensions.
  • PHP 8.4 from pmmp/PHP-Binaries, downloaded once on first use, with Composer and custom native extensions (zend_extension, .so).
  • Python โ€” Flask, Django, FastAPI via uvicorn, Tornado, the built-in HTTP server; pip dependencies resolved into .pypackages, custom native extensions supported.
  • Go โ€” on-device go build, vendor/ offline builds, static serving, and the native goexecloader wrapper.
  • WordPress over local PHP + SQLite (sqlite-database-integration), with theme and plugin import.
  • Linux Environment screen manages toolchains and dependencies for Node, PHP, and Python.
  • Port Manager coordinates runtime ports across generated apps via broadcast receivers.
  • A local DNS bridge proxy (HTTP CONNECT in the Android JVM) gives runtimes working DNS resolution and outbound HTTP where the musl/packed binary can't reach the system resolver.

๐Ÿงฉ Extensions & automation

  • Built-in modules โ€” video download (YouTube / Bilibili / Douyin / Xiaohongshu extractors), video enhancer with YouTube cleanup (ad skip, max quality, background play, SponsorBlock), web analyzer, find-in-page, dark mode, privacy tools, content enhancer, element blocker, and YouTube launcher.
  • Userscripts โ€” Greasemonkey/Tampermonkey-style .user.js with a GM_ bridge (storage, requests, styles, menu commands) and promise-based GM. APIs gated by script grants.
  • MV3 Chrome extension runtime for manifest content scripts in isolated or main worlds, with chrome.* polyfills for runtime, storage, tabs, scripting, and declarative network-request parsing.
  • In-app Chrome Web Store search โ€” browse and install browser extensions by keyword (or paste a store URL / extension ID), with offline fallback to manual import.
  • Export codes (WTA1: gzip + Base64) and QR sharing via ZXing.
  • AI Coding skills to generate modules, userscripts, MV3 extensions, front-end apps, and local runtime projects.

๐Ÿ“ฑ App experience

  • Splash screens โ€” image or video, with skip behavior, trim ranges, and fixed orientation.
  • Background music โ€” playlists with synced LRC lyrics, lyric animations, custom font/color/stroke/shadow, and online music search.
  • Toolbar, status bar (light & dark), navigation, floating-window mode, and long-press menu styles.
  • Announcement templates for launch, interval, and no-network moments.
  • Translation overlay โ€” 20 target languages via Google, MyMemory, LibreTranslate, Lingva, or Auto engines.
  • Print bridge โ€” intercept window.print() and blob/data-URL PDFs to the Android print framework / PDF export.
  • Notifications โ€” Web Notification polyfill, scheduled and persistent notifications with progress, URL-polling foreground service, deep links, boot auto-start, scheduled launch, and background-run service.
  • Per-app usage stats with Vico charts and URL health monitoring.

๐Ÿ”ง APK / AAB export & signing

  • Custom package name, versionName, versionCode, icon, label, architecture target, and export format.
  • Build-time permission injection with unused permissions pruned from the template manifest.
  • One-tap AAB export โ€” auto-builds the APK on demand, converts it to a Play-ready signed AAB with targetSdk rewritten to the Play-required level (currently 35) and protobuf metadata generated locally; cancellable mid-build.
  • Keystore management โ€” create, import, export, delete, and certificate-fingerprint viewing; PKCS12/PFX/JKS/BKS import including Android Studio upload-key cases where store and key passwords differ.
  • Signature schemes โ€” V1, V2, V3 independently controlled, with auto-fallback for legacy certificates; custom V1 signer filename for META-INF/<name>.SF / .RSA.
  • Performance options โ€” image compression, WebP conversion, code minification, lazy loading, DNS prefetch, and preload hints.
  • Full project and app-data backup/restore.

๐Ÿ—‚ File manager & project tooling

  • File manager โ€” a single screen to view, share, install, open, and clear build outputs (APK builds, AAB exports, app clones, build logs) and a user-files directory, with a read-only build-log viewer.
  • Website scraper for offline packs โ€” HTML, CSS, JS, images, fonts, url(), srcset, @import, path rewriting, same-domain limits, depth limits, and size limits.
  • Multi-Web layouts โ€” tabs, cards, feeds, drawers, per-site icons/theme colors/extraction selectors/refresh intervals, and shared JS/CSS.
  • Gallery apps โ€” categorized media, grid/list/timeline views, shuffle/single-loop, sorting, thumbnail bar, overlays, auto-next, and playback memory.
  • App Modifier โ€” shortcut disguise or real binary clone with manifest/resource patching and re-signing.

๐Ÿ”ฌ Specialized tools & research features

  • Forced-run, BlackTech, device disguise, and Icon Storm are included for technical demonstration and must only be used with informed user consent.

Module market

WebToApp has a GitHub-backed module market for community JS/CSS extension modules. The catalog is just files in this repository, so contributions use a normal pull-request flow.

modules/
โ”œโ”€โ”€ registry.json        # app-facing catalog
โ”œโ”€โ”€ submissions.json     # CI-generated PR / contributor metadata
โ”œโ”€โ”€ README.md            # contributor guide
โ””โ”€โ”€ <module-folder>/     # each module

The app fetches both registry.json and submissions.json and only shows modules present in both, keeping the in-app catalog aligned with actually-merged PRs. The submissions file also records every contributor per module, so the catalog shows stacked avatars and a contributors leaderboard. Catalog files and module icons route through a global mirror first, with raw.githubusercontent.com and jsDelivr as automatic fallbacks, so the store loads fast everywhere (including mainland China).

  • Users open Extension Modules and tap the storefront icon.
  • Contributors add a folder under modules/, update registry.json, and open a PR.
  • The default client cache is one hour, so merged modules propagate without an app update.
The high-level architecture lives here; the canonical submission rules, field schemas, reviewer checklist, and CI validation details live in modules/README.md.

The community market carries only JS/CSS extension modules. Browser extensions (MV3) are no longer a community catalog โ€” instead the Browser Extensions tab searches the Chrome Web Store live: type a keyword, browse results, and install on demand through the existing CRX pipeline. Live search requires a network that can reach Google.

Architecture

  • The repository has three Gradle modules: app (the full builder and host), shell (the runtime host embedded into generated APKs), and clone-host (host code for app cloning โ€” compiled to a classes.jar, converted to DEX via d8, and bundled as an asset for AppCloner).
  • Runtime code is authored in app and synchronized into shell, so shared WebView/runtime behavior has one source of truth (core/shell, core/webview, core/engine, core/extension, ui/shell, etc.).
  • The APK builder patches template APKs at the binary AXML/ARSC level, injects config/resources, prunes permissions, and signs with apksig. A separate encrypted build path (EncryptedApkBuilder) offers resource encryption, shelling, and integrity checks.
  • The host pins targetSdk = 28 deliberately โ€” it is what lets generated apps fork+exec native runtimes (Node.js, PHP, Python, Go, WordPress) from app storage, a capability URL-wrapper tools lack. The AAB exporter separately rewrites targetSdk for Play Store distribution.
  • Server runtimes and the optional GeckoView native runtime are downloaded on first use rather than bundled into the base APK.
  • The configuration center is WebApp (data/model/WebApp.kt) and its *Config classes โ€” the single source of truth for all feature settings, carried through a full packaging passthrough chain into the generated APK.

Tech stack

  • Kotlin, Jetpack Compose, Material 3
  • Koin for dependency injection
  • Room 2.7.2 + KSP for persistence
  • OkHttp 4.12.0 + okhttp-dnsoverhttps
  • com.android.tools.build:apksig 8.3.0 for APK signing
  • protobuf-javalite 3.25.5 for AAB metadata
  • GeckoView as an optional browser engine
  • Coil for image/video/GIF loading
  • AndroidX Security Crypto + DataStore for stored secrets
  • Vico Compose-M3 for charts
  • ZXing for QR sharing
  • Apache Commons Compress + xz for project import and website scraping
  • Native C++ via JNI for nodelauncher and goexec_loader
  • Robolectric for unit tests
See app/build.gradle.kts for the complete dependency list.

Build from source

Requirements: Android Studio Hedgehog or newer, JDK 17. The Gradle wrapper pins Gradle 9.4.1.

git clone https://github.com/shiaho777/web-to-app.git
cd web-to-app
./gradlew assembleDebug

For release builds, configure signing through local.properties and app/build.gradle.kts.

Contributing

| Lane | What you do | Guide | | --- | --- | --- | | modules/ | Publish a community module to the in-app market | modules/README.md | | Issues | Report a bug or request a feature | GitHub Issues | | Code | Fix a bug or build a feature in the Android client | CONTRIBUTING.md |

Contact

Developed by shiaho.

| Platform | Link | | --- | --- | | GitHub | github.com/shiaho777/web-to-app | | Telegram | t.me/webtoapp777 | | X (Twitter) | @shiaho777 | | Bilibili | b23.tv/8mGDo2N | | QQ Group | 1041130206 |

License

The Unlicense.

Advanced features such as forced run, BlackTech, device disguise, and Icon Storm are intended for technical demonstration and must only be used with informed user consent.

Open source ยท Built for Android power users ยท Star to support the project

ยฉ 2026 GitRepoTrend ยท shiaho777/web-to-app ยท Updated daily from GitHub