Android Security Analyzer
БесплатноНе проверенMCP server for static security analysis of Android source code
Описание
MCP server for static security analysis of Android source code
README
MCP server for static security analysis of Android application source code. Runs on Cloudflare Workers as a remote MCP server over Streamable HTTP.
What it does
Analyzes Android project source files — without building the project — and returns a structured security report. The analysis covers:
- Manifest analysis — exported components, dangerous permissions, cleartext traffic, debug flags, backup settings, SDK versions
- Gradle/build config — release build misconfigurations, outdated SDKs, suspicious dependencies, hardcoded secrets
- Source code (Java/Kotlin) — insecure WebView, SSL/TLS bypass, weak crypto, SQL injection patterns, process execution, insecure file storage, PendingIntent issues
- XML configuration — network security config weaknesses, overly broad file provider paths
- Secret scanning — API keys, tokens, passwords, private keys, cloud credentials, high-entropy strings
All analysis is regex/pattern-based and runs natively in the Workers runtime with no external tools, Java, or Android SDK required.
Architecture
POST /mcp ──► McpServer (JSON-RPC 2.0) ──► Tool Router
│
┌───────────────────────────────┘
▼
Orchestrator
│
┌─────────┼─────────┬─────────────┬──────────────┐
▼ ▼ ▼ ▼ ▼
Manifest Gradle Source Code XML Config Secret
Analyzer Analyzer Analyzer Analyzer Scanner
│ │ │ │ │
└─────────┴─────────┴─────────────┴──────────────┘
│
▼
Scoring + Deduplication ──► AnalysisReport
Key design decisions:
- Stateless — no sessions, no Durable Objects
- Minimal MCP JSON-RPC 2.0 implementation (no heavy SDK dependencies)
- Data-driven rule engine with extensible rule registry
- Independent analyzers with unified Finding type
- Lightweight XML parsing via
fast-xml-parser - Input validation via
zod - Bundle size: ~66KB gzipped
MCP Tools
| Tool | Description |
|---|---|
analyze_android_project |
Full security analysis of project files |
list_android_security_checks |
List all implemented security rules |
explain_finding |
Detailed explanation of a specific rule |
health |
Server status and rule engine stats |
Install
Hosted server (recommended for Cline / MCP clients): no local install needed. The server runs at:
https://android-security-analyzer.ako-labs.workers.dev/mcp
Add this URL to your MCP client configuration (see Connecting from an MCP client below).
Local development:
npm install
Development
npm run dev
This starts a local Wrangler dev server. The MCP endpoint is available at http://localhost:8787/mcp.
Deploy
npm run deploy
Deploys to Cloudflare Workers. Requires wrangler authentication (npx wrangler login).
Testing
npm test # Run all tests
npm run test:watch # Watch mode
npm run typecheck # TypeScript type checking
Local MCP Testing
Initialize the connection
Unix:
curl -X POST http://localhost:8787/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'
Windows (PowerShell):
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' -UseBasicParsing).Content
List available tools
Unix:
curl -X POST http://localhost:8787/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
Windows (PowerShell): ответ приходит в result.tools; чтобы увидеть список как JSON, используйте сырой ответ:
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' -UseBasicParsing).Content
Либо через объект: (Invoke-RestMethod ...).result.tools | ConvertTo-Json -Depth 5
Check health
Unix:
curl -X POST http://localhost:8787/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}'
Windows (PowerShell):
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}' -UseBasicParsing).Content
Run analysis (minimal example)
Unix:
curl -X POST http://localhost:8787/mcp \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 4,
"method": "tools/call",
"params": {
"name": "analyze_android_project",
"arguments": {
"projectName": "TestApp",
"files": [
{
"path": "app/src/main/AndroidManifest.xml",
"content": "<manifest><application android:debuggable=\"true\" android:allowBackup=\"true\"></application></manifest>"
}
]
}
}
}'
Windows (PowerShell):
$body = @{
jsonrpc = "2.0"
id = 4
method = "tools/call"
params = @{
name = "analyze_android_project"
arguments = @{
projectName = "TestApp"
files = @(
@{
path = "app/src/main/AndroidManifest.xml"
content = "<manifest><application android:debuggable=`"true`" android:allowBackup=`"true`"></application></manifest>"
}
)
}
}
} | ConvertTo-Json -Depth 10
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body $body -UseBasicParsing).Content
Connecting from an MCP client
Add to your MCP client configuration:
{
"mcpServers": {
"android-security-analyzer": {
"url": "http://localhost:8787/mcp"
}
}
}
For production (hosted):
{
"mcpServers": {
"android-security-analyzer": {
"url": "https://android-security-analyzer.ako-labs.workers.dev/mcp"
}
}
}
Security Rules
The analyzer implements 53 security rules across 5 categories:
| Category | Prefix | Rules | Examples |
|---|---|---|---|
| Manifest | MAN-* | 17 | debuggable, allowBackup, exported components, permissions |
| Gradle | GRD-* | 9 | release config, SDK versions, dependencies, secrets |
| Source | SRC-* | 17 | WebView, SSL/TLS, crypto, injection, file storage |
| XML Config | XML-* | 4 | network security config, file provider paths |
| Secret | SEC-* | 7 | API keys, tokens, passwords, cloud credentials |
Each finding includes:
- Stable rule ID
- Severity (critical/high/medium/low/info) and confidence (high/medium/low)
- File path and line number (when determinable)
- Evidence snippet
- CWE and OWASP Mobile Top 10 mappings
- Actionable recommendation
Scoring
Risk score (0-100) is computed from finding severities:
- Critical: 9 points
- High: 6 points
- Medium: 3 points
- Low: 1 point
- Info: 0 points
The raw sum is normalized against an expected maximum of 50 points.
Limitations
- Not a SAST replacement — pattern/regex-based heuristics, not full AST/dataflow analysis
- No build required — analyzes raw source, so build-time transforms are not visible
- False positives possible — especially for secret scanning and some code patterns
- Workers constraints — 128MB memory limit, CPU time limits, no filesystem access
- No APK/AAB analysis — source code only
- No inter-procedural analysis — patterns are matched per-file, not across call graphs
Project Structure
src/
├── index.ts # Worker entry point
├── server/
│ ├── mcp.ts # MCP JSON-RPC 2.0 handler
│ └── tools/ # MCP tool implementations
│ ├── analyzeAndroidProject.ts
│ ├── listAndroidSecurityChecks.ts
│ ├── explainFinding.ts
│ └── health.ts
├── core/
│ ├── types.ts # TypeScript types & Zod schemas
│ ├── scoring.ts # Risk score computation
│ ├── registry.ts # Rule registry
│ └── orchestrator.ts # Analysis orchestrator
├── analyzers/
│ ├── manifestAnalyzer.ts
│ ├── gradleAnalyzer.ts
│ ├── sourceAnalyzer.ts
│ ├── xmlConfigAnalyzer.ts
│ └── secretScanner.ts
├── parsers/
│ ├── xml.ts # XML parser wrapper
│ ├── gradle.ts # Gradle file parser
│ ├── source.ts # Source code pattern matcher
│ └── files.ts # File classifier
├── rules/
│ ├── manifestRules.ts
│ ├── gradleRules.ts
│ ├── sourceRules.ts
│ ├── xmlRules.ts
│ └── secretRules.ts
├── mappings/
│ ├── cwe.ts # CWE descriptions
│ └── owaspMobile.ts # OWASP Mobile Top 10
└── utils/
├── lines.ts # Line number utilities
├── paths.ts # Path classification
└── text.ts # Text utilities
test/
├── fixtures/ # Sample Android project files
├── unit/ # Unit tests per module
└── integration/ # Full analysis integration tests
Adding New Rules
- Define the rule in the appropriate file under
src/rules/ - Add detection logic in the corresponding analyzer under
src/analyzers/ - Add CWE mapping in
src/mappings/cwe.tsif needed - Add a test case
- The rule is automatically registered via
src/core/registry.ts
License
MIT
Установка Android Security Analyzer
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/ako2345/android-security-analyzerFAQ
Android Security Analyzer MCP бесплатный?
Да, Android Security Analyzer MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Android Security Analyzer?
Нет, Android Security Analyzer работает без API-ключей и переменных окружения.
Android Security Analyzer — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Android Security Analyzer в Claude Desktop, Claude Code или Cursor?
Открой Android Security Analyzer на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Android Security Analyzer with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
