SafeOpen
Know before you open.
A free QR scanner and link inspector for iOS. Risk scoring runs entirely on your device. Optional scan credits unlock AI summaries and a privacy relay for the links you actually want to open.
Coming soon to iOS · In Apple review
Always free · runs on your device
Inspect on your device
Scanning, decoding, and risk analysis run entirely locally. No internet connection required. Nothing leaves your phone.
01 · Capture
QR Scanner
Point your camera at any QR code or barcode. Decodes instantly into URLs, Wi-Fi credentials, contacts, calendar events, SMS, email, geo, crypto, scripts, and plain text. Fully offline.
02 · Inspect
Paste & Inspect
Paste any link or share it from another app. SafeOpen normalizes the URL, classifies the payload, and shows you the destination before you do anything with it.
03 · Risk
Local Risk Scoring
Heuristics flag raw IP addresses, punycode lookalike domains, unusual ports, suspicious path keywords, excessive query parameters, executable scripts, and known URL shorteners.
04 · Explain
Plain-language Explanation
No jargon. Every risk flag comes with a clear explanation of why it matters. You decide with full context, not just a colored badge.
05 · Strip
Tracking-parameter Stripping
Detects and removes 38+ known tracking parameters (UTM, fbclid, gclid, msclkid, and more). Shows the clean URL alongside the original so you can copy it without the surveillance baggage.
06 · History
Local Scan History
Every inspection is saved on your device. Review, copy, or share any past result. History never syncs to iCloud and never leaves your phone.
Costs 1 credit each
Two features that need our servers
When you want more than just heuristics, two features call Katafract’s backend. They cost 1 scan credit each. Nothing else costs anything.
07 · Summary
AI Summary
Our servers fetch the destination through a Katafract relay and use OpenAI to generate a plain-English summary of what the link contains. The destination never sees your IP.
08 · Relay
Open Safely
Open the link inside an isolated, non-persistent in-app browser served from a Katafract relay. Each session gets a disposable IPv6 address that the destination sees instead of your real IP, released after 10 minutes. Cookies and storage are destroyed when the session ends.
Pay only for what you use
Scan credits
Every install starts with 10 free credits. We add 10 more every 30 days. If you need more, three consumable credit packs are available as one-time in-app purchases. Credits never expire. There is no subscription.
Starter: 100 scan credits, $0.99 ($0.0099 per credit)
Standard (Best Value): 500 scan credits, $2.99 ($0.006 per credit)
Power: 2,000 scan credits, $9.99 ($0.005 per credit)
How it works
Scan. Inspect. Decide.
01
Scan or paste
Point the camera at a QR code or barcode, paste a link, or share one from any app. SafeOpen decodes it instantly with no internet connection required.
02
Inspect locally
SafeOpen classifies the payload, normalizes the URL, strips tracking parameters, and runs local risk heuristics. You see the destination, the clean URL, the risk level, and a plain-language explanation of every flag. None of this costs a credit.
03
Spend a credit when it matters
Tap AI Summary to spend 1 credit on a server-side summary of the destination, or tap Open Safely to view the page through Katafract’s privacy relay in an isolated session. Both keep your device’s IP off the destination’s logs.
Try it yourself
Four QR codes, four outcomes
Scan any of these with SafeOpen to see how the app evaluates links before you open them.
Safe apple.com
HTTPS, well-known domain — green indicator, clean preview.
Neutral example.com
HTTPS, placeholder domain — no risk flags, neutral indicator.
Caution bit.ly/3SafeOpen
URL shortener — destination hidden. Yellow caution, shortener flag.
High Risk 192.0.2.1/account/verify
Raw IP address + HTTP + suspicious path — direct high-risk flag, red warning.
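The four outcomes above can be reproduced with a small offline checker built from the heuristics listed under Local Risk Scoring. This is an added example, not SafeOpen's code: the lists, the query-parameter threshold, the flag names and the severity split are assumptions, and the test URLs add explicit schemes to the hosts shown on this page.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed lists and thresholds for illustration; not SafeOpen's data.
SHORTENERS = {"bit.ly", "tinyurl.com"}
WELL_KNOWN = {"apple.com"}
PATH_KEYWORDS = ("login", "verify", "account")
DEFAULT_PORTS = {"http": 80, "https": 443}
MAX_QUERY_PARAMS = 8
HIGH_RISK = {"malformed", "raw-ip", "punycode"}  # assumed severity split


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect(url):
    """Return (level, flags) using string checks only; no network access."""
    try:
        u = urlsplit(url.strip())
        host, port = (u.hostname or "").lower(), u.port
    except ValueError:  # out-of-range port or malformed bracketed host
        host, port = "", None
    if not host:
        return "high", ["malformed"]
    flags = []
    if u.scheme != "https":
        flags.append("no-https")
    if is_ip(host):
        flags.append("raw-ip")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode")
    if port is not None and port != DEFAULT_PORTS.get(u.scheme):
        flags.append("unusual-port")
    if any(k in u.path.lower() for k in PATH_KEYWORDS):
        flags.append("suspicious-path")
    if len(parse_qsl(u.query, keep_blank_values=True)) > MAX_QUERY_PARAMS:
        flags.append("many-params")
    if host in SHORTENERS:
        flags.append("shortener")
    if HIGH_RISK & set(flags):
        return "high", flags
    if flags:
        return "caution", flags
    known = any(host == d or host.endswith("." + d) for d in WELL_KNOWN)
    return ("safe" if known else "neutral"), flags
```

The `xn--` check flags every internationalized domain, including legitimate ones, so the flag needs an explanation next to it rather than an automatic block.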
Every QR code type, decoded
Not just URLs
SafeOpen decodes every QR code format you'll encounter in the real world. Scan these to see how each payload type is presented.
URL katafract.com/apps/safeopen
Standard HTTPS link — full inspection, risk score, clean URL.
Short URL tinyurl.com/…
Shortened link — destination unknown until expanded. Caution flag.
Risky URL 198.51.100.42:8080/login
Raw IP + non-standard port + login path — multiple red flags.
Lookalike xn--pple-43d.com
Punycode domain masquerading as a well-known brand.
Wi-Fi CoffeeShopGuest · WPA
Network name, security type, and password shown before you join.
Contact vCard / MECARD
Name, org, phone, and email displayed before adding to contacts.
Calendar VEVENT
Event title, date, and duration shown before adding to calendar.
SMS +1 555 000 1234
Phone number and pre-filled message shown before sending.
Email hello@example.com
Recipient, subject, and body shown before opening Mail.
Phone tel:+15550001234
Full number displayed before initiating a call.
Location 40.7128, -74.0060
Coordinates shown with option to open in Maps.
Crypto bitcoin:1A1zP1…
Wallet address decoded and displayed. Verify before sending funds.
Plain Text Hello, world!
Raw text content shown in full with copy button.
100% transparency on what we collect
The on-device features (scan, decode, risk score, strip trackers, history) make zero network calls. We receive nothing.
The two credit features (AI Summary, Open Safely) send the URL you submitted plus an anonymous device UUID to Katafract. The URL is logged for 30 days for abuse prevention and then deleted by an automated job. The device UUID is stored in your Keychain only so we can track your credit balance. None of it is linked to your Apple ID, name, or email.
For AI Summary, the fetched page text is sent to OpenAI under their API terms. No personal information is ever sent to OpenAI.
SafeOpen contains no advertising SDKs, no analytics, and no crash reporters. We do not sell or share data with anyone for any purpose. Full disclosure on the SafeOpen Privacy Policy page.
No accounts · No iCloud sync · No analytics · 30-day audit window · URLs not linked to identity
More from Katafract
SafeOpen is part of a family of privacy-first iOS utilities. ExifArmor strips hidden metadata from photos before you share them. ParkArmor saves your parking spot with no account required. All built on the same principle: your data stays yours.