Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Mobile Security

FreeNot checked

An MCP server that enables AI assistants to analyze Android APK and iOS IPA files for security issues through natural language conversation, including permissio

GitHubEmbed

About

An MCP server that enables AI assistants to analyze Android APK and iOS IPA files for security issues through natural language conversation, including permission auditing, secret detection, and SDK enumeration.

README

mobile-security-mcp

npm version npm downloads MIT License TypeScript MCP CI

Features · Installation · Tools · Usage · Contributing · Security


mobile-security-mcp is an MCP (Model Context Protocol) server that gives Claude — and any MCP-compatible AI client — the ability to analyze Android APK and iOS IPA files for security issues through natural language conversation.

Security researchers, mobile pentesters, and app developers can now audit permissions, extract API endpoints, detect hardcoded secrets, inspect Firebase configuration, and enumerate third-party SDKs by simply asking Claude — no scripting required.


Features

Android

Tool What it does
apk_manifest_analyzer Parses AndroidManifest.xml — flags debuggable, allowBackup, exported components, intent filters
apk_permissions_checker Categorizes all permissions into dangerous vs normal with risk explanations
android_api_extractor Decompiles smali bytecode to extract Retrofit HTTP endpoints and OkHttp3 fields
android_google_services Extracts Firebase/GCP config from google-services.json and resources.arsc string values
android_secrets_scanner Scans DEX bytecode + resources.arsc + assets for hardcoded API keys and credentials

iOS

Tool What it does
ios_manifest_analyzer Parses Info.plist — flags ATS misconfigs, URL schemes, background modes
ios_permissions_checker Categorizes privacy permission declarations by HIGH / MEDIUM / LOW risk
ios_entitlements_checker Extracts entitlements via codesign — flags get-task-allow, sandbox bypass, iCloud containers
ios_binary_strings Extracts URLs, emails, IPs, and API key patterns from the Mach-O binary
ios_frameworks_detector Lists bundled frameworks, maps ~60 known SDKs (analytics, ads, attribution, crash reporting)
ios_google_services Parses GoogleService-Info.plist for full Firebase configuration
ios_secrets_scanner Scans app binary + resource files for hardcoded secrets and credentials

Shared Pattern Registry

All secret and Google service detection patterns live in a single patterns.ts — easy to extend, used by both Android and iOS scanners.


Installation

npm install -g mobile-security-mcp

Configure Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "npx",
      "args": ["mobile-security-mcp"]
    }
  }
}

Config file locations:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Run from source

git clone https://github.com/Serhatcck/mobile-security-mcp.git
cd mobile-security-mcp
npm install && npm run build
{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/mobile-security-mcp/dist/index.js"]
    }
  }
}

Usage

Once configured, restart Claude Desktop and start a conversation:

"Analyze the permissions in /path/to/app.apk"

"Check this IPA for hardcoded API keys: /path/to/app.ipa"

"What Firebase services does this APK use?"

"Are there any exported components in this APK that could be an attack surface?"

"Show me all third-party SDKs in this iOS app and flag any privacy risks"

Prerequisites

Android:

  • apktool — required for android_api_extractor (brew install apktool)
  • aapt (optional) — speeds up manifest parsing, part of Android SDK build tools

iOS (macOS only):

  • codesign, plutil, strings — all built into macOS, no install needed

Tools

apk_manifest_analyzer

Input:  apk_path (string)
Output: Package info, security flags, components, intent filters, warnings

apk_permissions_checker

Input:  apk_path (string)
Output: Dangerous permissions (highlighted) + normal permissions + risk summary

android_api_extractor

Input:  apk_path OR smali_folder (string), output_format (txt|postman)
Output: Retrofit HTTP endpoints or Postman collection JSON

android_google_services

Input:  apk_path (string), smali_folder (optional)
Output: Firebase project ID, API keys, database URL, storage bucket, OAuth clients

android_secrets_scanner

Input:  apk_path (string), smali_folder (optional), min_length (default 8)
Output: Hardcoded credentials found in DEX + resources.arsc + assets

ios_manifest_analyzer

Input:  ipa_path (string)
Output: Bundle info, ATS settings, URL schemes, background modes, warnings

ios_permissions_checker

Input:  ipa_path (string)
Output: Privacy permissions grouped by HIGH/MEDIUM/LOW risk with usage descriptions

ios_entitlements_checker

Input:  ipa_path (string)
Output: Entitlements extracted from binary, high-risk flags, simulator detection

ios_binary_strings

Input:  ipa_path (string), filter (all|url|key|email|ip), min_length (default 6)
Output: Filtered strings from Mach-O binary

ios_frameworks_detector

Input:  ipa_path (string)
Output: Bundled frameworks grouped by category with privacy risk annotations

ios_google_services

Input:  ipa_path (string)
Output: Full GoogleService-Info.plist contents + pattern scan of resource files

ios_secrets_scanner

Input:  ipa_path (string), min_length (default 8)
Output: Secrets found in resource files and binary, split by layer with severity

Demo

demo

Regenerate with VHS: brew install charmbracelet/tap/vhs && vhs docs/demo.tape


Contributing

See CONTRIBUTING.md for development setup, how to add new tools, and PR guidelines.

Security

See SECURITY.md for how to report vulnerabilities privately.

Changelog

See CHANGELOG.md.

License

MIT © Serhatcck

from github.com/Serhatcck/mobile-security-mcp

Install Mobile Security in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install mobile-security-mcp

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add mobile-security-mcp -- npx -y mobile-security-mcp

FAQ

Is Mobile Security MCP free?

Yes, Mobile Security MCP is free — one-click install via Unyly at no cost.

Does Mobile Security need an API key?

No, Mobile Security runs without API keys or environment variables.

Is Mobile Security hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Mobile Security in Claude Desktop, Claude Code or Cursor?

Open Mobile Security on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Mobile Security with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All ai MCPs