Mobile Security
FreeNot checkedAn MCP server that enables AI assistants to analyze Android APK and iOS IPA files for security issues through natural language conversation, including permissio
About
An MCP server that enables AI assistants to analyze Android APK and iOS IPA files for security issues through natural language conversation, including permission auditing, secret detection, and SDK enumeration.
README
Features · Installation · Tools · Usage · Contributing · Security
mobile-security-mcp is an MCP (Model Context Protocol) server that gives Claude — and any MCP-compatible AI client — the ability to analyze Android APK and iOS IPA files for security issues through natural language conversation.
Security researchers, mobile pentesters, and app developers can now audit permissions, extract API endpoints, detect hardcoded secrets, inspect Firebase configuration, and enumerate third-party SDKs by simply asking Claude — no scripting required.
Features
Android
| Tool | What it does |
|---|---|
apk_manifest_analyzer |
Parses AndroidManifest.xml — flags debuggable, allowBackup, exported components, intent filters |
apk_permissions_checker |
Categorizes all permissions into dangerous vs normal with risk explanations |
android_api_extractor |
Decompiles smali bytecode to extract Retrofit HTTP endpoints and OkHttp3 fields |
android_google_services |
Extracts Firebase/GCP config from google-services.json and resources.arsc string values |
android_secrets_scanner |
Scans DEX bytecode + resources.arsc + assets for hardcoded API keys and credentials |
iOS
| Tool | What it does |
|---|---|
ios_manifest_analyzer |
Parses Info.plist — flags ATS misconfigs, URL schemes, background modes |
ios_permissions_checker |
Categorizes privacy permission declarations by HIGH / MEDIUM / LOW risk |
ios_entitlements_checker |
Extracts entitlements via codesign — flags get-task-allow, sandbox bypass, iCloud containers |
ios_binary_strings |
Extracts URLs, emails, IPs, and API key patterns from the Mach-O binary |
ios_frameworks_detector |
Lists bundled frameworks, maps ~60 known SDKs (analytics, ads, attribution, crash reporting) |
ios_google_services |
Parses GoogleService-Info.plist for full Firebase configuration |
ios_secrets_scanner |
Scans app binary + resource files for hardcoded secrets and credentials |
Shared Pattern Registry
All secret and Google service detection patterns live in a single patterns.ts — easy to extend, used by both Android and iOS scanners.
Installation
npm install -g mobile-security-mcp
Configure Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"mobile-security-mcp": {
"command": "npx",
"args": ["mobile-security-mcp"]
}
}
}
Config file locations:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
Run from source
git clone https://github.com/Serhatcck/mobile-security-mcp.git
cd mobile-security-mcp
npm install && npm run build
{
"mcpServers": {
"mobile-security-mcp": {
"command": "node",
"args": ["/absolute/path/to/mobile-security-mcp/dist/index.js"]
}
}
}
Usage
Once configured, restart Claude Desktop and start a conversation:
"Analyze the permissions in /path/to/app.apk"
"Check this IPA for hardcoded API keys: /path/to/app.ipa"
"What Firebase services does this APK use?"
"Are there any exported components in this APK that could be an attack surface?"
"Show me all third-party SDKs in this iOS app and flag any privacy risks"
Prerequisites
Android:
- apktool — required for
android_api_extractor(brew install apktool) aapt(optional) — speeds up manifest parsing, part of Android SDK build tools
iOS (macOS only):
codesign,plutil,strings— all built into macOS, no install needed
Tools
apk_manifest_analyzer
Input: apk_path (string)
Output: Package info, security flags, components, intent filters, warnings
apk_permissions_checker
Input: apk_path (string)
Output: Dangerous permissions (highlighted) + normal permissions + risk summary
android_api_extractor
Input: apk_path OR smali_folder (string), output_format (txt|postman)
Output: Retrofit HTTP endpoints or Postman collection JSON
android_google_services
Input: apk_path (string), smali_folder (optional)
Output: Firebase project ID, API keys, database URL, storage bucket, OAuth clients
android_secrets_scanner
Input: apk_path (string), smali_folder (optional), min_length (default 8)
Output: Hardcoded credentials found in DEX + resources.arsc + assets
ios_manifest_analyzer
Input: ipa_path (string)
Output: Bundle info, ATS settings, URL schemes, background modes, warnings
ios_permissions_checker
Input: ipa_path (string)
Output: Privacy permissions grouped by HIGH/MEDIUM/LOW risk with usage descriptions
ios_entitlements_checker
Input: ipa_path (string)
Output: Entitlements extracted from binary, high-risk flags, simulator detection
ios_binary_strings
Input: ipa_path (string), filter (all|url|key|email|ip), min_length (default 6)
Output: Filtered strings from Mach-O binary
ios_frameworks_detector
Input: ipa_path (string)
Output: Bundled frameworks grouped by category with privacy risk annotations
ios_google_services
Input: ipa_path (string)
Output: Full GoogleService-Info.plist contents + pattern scan of resource files
ios_secrets_scanner
Input: ipa_path (string), min_length (default 8)
Output: Secrets found in resource files and binary, split by layer with severity
Demo

Regenerate with VHS:
brew install charmbracelet/tap/vhs && vhs docs/demo.tape
Contributing
See CONTRIBUTING.md for development setup, how to add new tools, and PR guidelines.
Security
See SECURITY.md for how to report vulnerabilities privately.
Changelog
See CHANGELOG.md.
License
Install Mobile Security in Claude Desktop, Claude Code & Cursor
unyly install mobile-security-mcpInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add mobile-security-mcp -- npx -y mobile-security-mcpFAQ
Is Mobile Security MCP free?
Yes, Mobile Security MCP is free — one-click install via Unyly at no cost.
Does Mobile Security need an API key?
No, Mobile Security runs without API keys or environment variables.
Is Mobile Security hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Mobile Security in Claude Desktop, Claude Code or Cursor?
Open Mobile Security on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Mobile Security with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
