A native Android application that converts any website URL into a standalone Android App.

WebToApp
Build Android APKs from web projects, directly on your phone.
An on-device APK workshop that goes far beyond URL wrapping โ it can fork and exec full server runtimes, ship a hardened anti-censorship network stack, sign bundles for Google Play, and run MV3 browser extensions, all without a PC or a remote build server.
English ยท ็ฎไฝไธญๆ
What's different ยท What you can build ยท Capability overview ยท Feature map ยท Module market ยท Architecture ยท Build
What makes WebToApp different
Most "website to app" tools stop at wrapping a URL in a WebView. WebToApp is closer to a pocket-sized APK workshop, and the hard parts are exactly where it diverges:
- It runs real server runtimes on-device. Node.js, PHP, Python, Go, and WordPress are fork+exec'd as native binaries straight from app storage โ like Termux, packaged into an installable APK. URL-wrapper tools cannot do this at all.
- It ships a hardened, anti-censorship network stack. DNS-over-HTTPS, TLS fingerprint spoofing (Chrome / Firefox / Safari JA3 templates) with a local MITM bridge, Encrypted Client Hello (ECH) on the GeckoView engine to encrypt the SNI, per-app proxies, and CORS bypass for locked-down SPAs.
- The whole build is self-contained. Binary AXML/ARSC patching, permission pruning, V1/V2/V3 signing, and Google Play-ready AAB export all happen inside the app via
apksigโ no remote build queue, no PC. - It stays extensible after shipping. Add JS/CSS modules, Tampermonkey-style userscripts, or MV3 Chrome extensions (live-searched and installed from the Chrome Web Store) without rebuilding the host.
Capability overview
A quick scan of what's in the box. Each links to the detailed feature map below.
| Area | Highlights | | --- | --- | | Build targets | Web ยท HTML ยท Frontend ยท WordPress ยท Node.js ยท PHP ยท Python ยท Go ยท Image ยท Video ยท Gallery ยท Multi-Web | | Browser engines | System WebView by default; optional GeckoView (Firefox) runtime for ECH / SNI encryption | | Network & anti-censorship | DoH (7 providers), TLS fingerprint spoofing + MITM bridge, ECH, static/PAC/SOCKS5 proxies, CORS bypass | | Privacy & hardening | 50+ vector browser fingerprint disguise, resource encryption (AES-256-GCM), anti-debug, activation gating | | Local runtimes | Native Node.js, PHP 8.4 + Composer, Python (Flask/Django/FastAPI), Go, WordPress over SQLite | | Extensions | Built-in modules, userscripts with GM_*, MV3 Chrome extensions, live Chrome Web Store search | | APK/AAB output | On-device V1/V2/V3 signing, Google Play AAB export with targetSdk rewrite, keystore management | | AI coding | Prompt-driven generation of web apps, modules, userscripts, and runtime projects |
What you can build
| Input | Output | Good for | | --- | --- | --- | | Website URL | WebView-based APK | Landing pages, tools, dashboards, docs, internal systems | | HTML / static front-end | Localhost-backed APK | React, Vue, Vite, static builds, offline web apps | | Node.js / PHP / Python / Go | APK with an on-device local server | Small server apps, admin tools, demos, prototypes | | WordPress | APK running WordPress over local PHP + SQLite | Portable sites, theme/plugin demos, content packages | | Images / video / galleries | Media-focused APK | Albums, course materials, portfolios, offline viewers | | Multiple sites | Tab/card/feed/drawer multi-web APK | Link hubs, portals, app collections | | Installed APK | Rebranded clone or shortcut disguise | Icon/name/package experiments, repackaging research |
Full feature map
WebToApp has a large number of switches. The sections below group them by use case, kept collapsible so the top of the page stays scannable.
๐ Browser engine & networking
- Dual engine โ System WebView by default, or an optional GeckoView (Firefox) runtime downloaded on first use.
- Kernel flavor disguise โ present as Chrome, Edge, Samsung Internet, Firefox, or Safari-style while keeping the real engine.
- Desktop mode, custom User-Agent, and JS/CSS injection at document-start / end / idle.
- Popup handling โ same window, external browser, popup window, or block.
- Proxies โ static HTTP/HTTPS/SOCKS5, PAC, authentication, bypass rules, and a local HTTP-to-SOCKS bridge.
- DNS-over-HTTPS โ Cloudflare, Google, AdGuard, NextDNS, CleanBrowsing, Quad9, Mullvad, plus custom endpoints; strict or automatic modes.
- Encrypted Client Hello (ECH) โ encrypt the SNI in the TLS handshake (GeckoView only; auto-wires DoH + GeckoView when toggled).
- TLS fingerprint spoofing โ impersonate Chrome 131 / Firefox 133 / Safari 18 JA3 profiles (or custom ciphers), served through a local TLS-MITM bridge so the outgoing ClientHello matches a real browser.
- CORS bypass โ let static SPAs call external APIs that would otherwise be blocked by CORS.
- Failover โ automatic fallback to mirror URLs when the primary target is unreachable.
- PWA offline cache strategies, custom error pages, per-app host overrides, and payment-scheme handlers.
- Compatibility toggles โ blob download interception, scroll memory, image repair, clipboard / orientation / notification polyfills, private-network bridging, and Native Bridge capability gates.
๐ก๏ธ Privacy, fingerprint defense & hardening
- Browser fingerprint disguise across 50+ vectors โ User-Agent, WebGL, Canvas, AudioContext, ClientRects, timezone, language, memory, media devices, WebRTC, fonts, battery, permissions, performance, storage, notifications, CSS media, iframe propagation, and error-stack cleanup.
- Hosts-rule ad blocker with cosmetic MutationObserver filtering, 20 built-in community filter lists (EasyList, uBlock Origin, AdGuard, AdAway, plus 8 language-specific lists), per-source enable/disable/delete, and custom subscription rules bundled into the APK.
- Resource encryption (PBKDF2 + AES-256-GCM) for packaged config, HTML, media, and BGM; optional custom encryption password stronger than package/certificate-derived keys.
- Runtime hardening when encryption is on โ anti-debug, anti-Frida, DEX-tamper checks; threat response of log-only, silent exit, or randomized crash.
- WebView/content isolation for storage, WebRTC, Canvas, Audio, WebGL, fonts, headers, and IP surfaces.
- Activation-code gating โ local verification, or your own HTTPS endpoint signed with EC P-256. See the remote activation docs.
๐ฆ Local server runtimes (fork + exec on-device)
- Node.js runs in a dedicated
:nodejsOS process via a nativenode_launcherwrapper loadinglibnode.so; supports custom native.nodeextensions. - PHP 8.4 from
pmmp/PHP-Binaries, downloaded once on first use, with Composer and custom native extensions (zend_extension,.so). - Python โ Flask, Django, FastAPI via uvicorn, Tornado, the built-in HTTP server; pip dependencies resolved into
.pypackages, custom native extensions supported. - Go โ on-device
go build,vendor/offline builds, static serving, and the nativegoexecloaderwrapper. - WordPress over local PHP + SQLite (
sqlite-database-integration), with theme and plugin import. - Linux Environment screen manages toolchains and dependencies for Node, PHP, and Python.
- Port Manager coordinates runtime ports across generated apps via broadcast receivers.
- A local DNS bridge proxy (HTTP CONNECT in the Android JVM) gives runtimes working DNS resolution and outbound HTTP where the musl/packed binary can't reach the system resolver.
๐งฉ Extensions & automation
- Built-in modules โ video download (YouTube / Bilibili / Douyin / Xiaohongshu extractors), video enhancer with YouTube cleanup (ad skip, max quality, background play, SponsorBlock), web analyzer, find-in-page, dark mode, privacy tools, content enhancer, element blocker, and YouTube launcher.
- Userscripts โ Greasemonkey/Tampermonkey-style
.user.jswith aGM_bridge (storage, requests, styles, menu commands) and promise-basedGM.APIs gated by script grants. - MV3 Chrome extension runtime for manifest content scripts in isolated or main worlds, with
chrome.*polyfills for runtime, storage, tabs, scripting, and declarative network-request parsing. - In-app Chrome Web Store search โ browse and install browser extensions by keyword (or paste a store URL / extension ID), with offline fallback to manual import.
- Export codes (
WTA1:gzip + Base64) and QR sharing via ZXing. - AI Coding skills to generate modules, userscripts, MV3 extensions, front-end apps, and local runtime projects.
๐ฑ App experience
- Splash screens โ image or video, with skip behavior, trim ranges, and fixed orientation.
- Background music โ playlists with synced LRC lyrics, lyric animations, custom font/color/stroke/shadow, and online music search.
- Toolbar, status bar (light & dark), navigation, floating-window mode, and long-press menu styles.
- Announcement templates for launch, interval, and no-network moments.
- Translation overlay โ 20 target languages via Google, MyMemory, LibreTranslate, Lingva, or Auto engines.
- Print bridge โ intercept
window.print()and blob/data-URL PDFs to the Android print framework / PDF export. - Notifications โ Web Notification polyfill, scheduled and persistent notifications with progress, URL-polling foreground service, deep links, boot auto-start, scheduled launch, and background-run service.
- Per-app usage stats with Vico charts and URL health monitoring.
๐ง APK / AAB export & signing
- Custom package name,
versionName,versionCode, icon, label, architecture target, and export format. - Build-time permission injection with unused permissions pruned from the template manifest.
- One-tap AAB export โ auto-builds the APK on demand, converts it to a Play-ready signed AAB with
targetSdkrewritten to the Play-required level (currently 35) and protobuf metadata generated locally; cancellable mid-build. - Keystore management โ create, import, export, delete, and certificate-fingerprint viewing; PKCS12/PFX/JKS/BKS import including Android Studio upload-key cases where store and key passwords differ.
- Signature schemes โ V1, V2, V3 independently controlled, with auto-fallback for legacy certificates; custom V1 signer filename for
META-INF/<name>.SF/.RSA. - Performance options โ image compression, WebP conversion, code minification, lazy loading, DNS prefetch, and preload hints.
- Full project and app-data backup/restore.
๐ File manager & project tooling
- File manager โ a single screen to view, share, install, open, and clear build outputs (APK builds, AAB exports, app clones, build logs) and a user-files directory, with a read-only build-log viewer.
- Website scraper for offline packs โ HTML, CSS, JS, images, fonts,
url(),srcset,@import, path rewriting, same-domain limits, depth limits, and size limits. - Multi-Web layouts โ tabs, cards, feeds, drawers, per-site icons/theme colors/extraction selectors/refresh intervals, and shared JS/CSS.
- Gallery apps โ categorized media, grid/list/timeline views, shuffle/single-loop, sorting, thumbnail bar, overlays, auto-next, and playback memory.
- App Modifier โ shortcut disguise or real binary clone with manifest/resource patching and re-signing.
๐ฌ Specialized tools & research features
- Forced-run, BlackTech, device disguise, and Icon Storm are included for technical demonstration and must only be used with informed user consent.
Module market
WebToApp has a GitHub-backed module market for community JS/CSS extension modules. The catalog is just files in this repository, so contributions use a normal pull-request flow.
modules/
โโโ registry.json # app-facing catalog
โโโ submissions.json # CI-generated PR / contributor metadata
โโโ README.md # contributor guide
โโโ <module-folder>/ # each module
The app fetches both registry.json and submissions.json and only shows modules present in both, keeping the in-app catalog aligned with actually-merged PRs. The submissions file also records every contributor per module, so the catalog shows stacked avatars and a contributors leaderboard. Catalog files and module icons route through a global mirror first, with raw.githubusercontent.com and jsDelivr as automatic fallbacks, so the store loads fast everywhere (including mainland China).
- Users open Extension Modules and tap the storefront icon.
- Contributors add a folder under
modules/, updateregistry.json, and open a PR. - The default client cache is one hour, so merged modules propagate without an app update.
modules/README.md.
The community market carries only JS/CSS extension modules. Browser extensions (MV3) are no longer a community catalog โ instead the Browser Extensions tab searches the Chrome Web Store live: type a keyword, browse results, and install on demand through the existing CRX pipeline. Live search requires a network that can reach Google.
Architecture
- The repository has three Gradle modules:
app(the full builder and host),shell(the runtime host embedded into generated APKs), andclone-host(host code for app cloning โ compiled to aclasses.jar, converted to DEX via d8, and bundled as an asset forAppCloner). - Runtime code is authored in
appand synchronized intoshell, so shared WebView/runtime behavior has one source of truth (core/shell,core/webview,core/engine,core/extension,ui/shell, etc.). - The APK builder patches template APKs at the binary AXML/ARSC level, injects config/resources, prunes permissions, and signs with
apksig. A separate encrypted build path (EncryptedApkBuilder) offers resource encryption, shelling, and integrity checks. - The host pins
targetSdk = 28deliberately โ it is what lets generated apps fork+exec native runtimes (Node.js, PHP, Python, Go, WordPress) from app storage, a capability URL-wrapper tools lack. The AAB exporter separately rewritestargetSdkfor Play Store distribution. - Server runtimes and the optional GeckoView native runtime are downloaded on first use rather than bundled into the base APK.
- The configuration center is
WebApp(data/model/WebApp.kt) and its*Configclasses โ the single source of truth for all feature settings, carried through a full packaging passthrough chain into the generated APK.
Tech stack
- Kotlin, Jetpack Compose, Material 3
- Koin for dependency injection
- Room 2.7.2 + KSP for persistence
- OkHttp 4.12.0 +
okhttp-dnsoverhttps com.android.tools.build:apksig8.3.0 for APK signingprotobuf-javalite3.25.5 for AAB metadata- GeckoView as an optional browser engine
- Coil for image/video/GIF loading
- AndroidX Security Crypto + DataStore for stored secrets
- Vico Compose-M3 for charts
- ZXing for QR sharing
- Apache Commons Compress + xz for project import and website scraping
- Native C++ via JNI for
nodelauncherandgoexec_loader - Robolectric for unit tests
Build from source
Requirements: Android Studio Hedgehog or newer, JDK 17. The Gradle wrapper pins Gradle 9.4.1.
git clone https://github.com/shiaho777/web-to-app.git
cd web-to-app
./gradlew assembleDebug
For release builds, configure signing through local.properties and app/build.gradle.kts.
Contributing
| Lane | What you do | Guide | | --- | --- | --- | | modules/ | Publish a community module to the in-app market | modules/README.md | | Issues | Report a bug or request a feature | GitHub Issues | | Code | Fix a bug or build a feature in the Android client | CONTRIBUTING.md |
Contact
Developed by shiaho.
| Platform | Link | | --- | --- | | GitHub | github.com/shiaho777/web-to-app | | Telegram | t.me/webtoapp777 | | X (Twitter) | @shiaho777 | | Bilibili | b23.tv/8mGDo2N | | QQ Group | 1041130206 |
License
Advanced features such as forced run, BlackTech, device disguise, and Icon Storm are intended for technical demonstration and must only be used with informed user consent.
Open source ยท Built for Android power users ยท Star to support the project