
© 2026 – Pkg Stats / Ryan Hefner

mobile-security-mcp v1.0.0

Mobile app security analysis MCP server for Android APK and iOS IPA files



mobile-security-mcp is an MCP (Model Context Protocol) server that gives Claude — and any MCP-compatible AI client — the ability to analyze Android APK and iOS IPA files for security issues through natural language conversation.

Security researchers, mobile pentesters, and app developers can now audit permissions, extract API endpoints, detect hardcoded secrets, inspect Firebase configuration, and enumerate third-party SDKs by simply asking Claude — no scripting required.


Features

Android

| Tool | What it does |
|---|---|
| apk_manifest_analyzer | Parses AndroidManifest.xml — flags debuggable, allowBackup, exported components, intent filters |
| apk_permissions_checker | Categorizes all permissions into dangerous vs normal with risk explanations |
| android_api_extractor | Disassembles DEX bytecode to smali (via apktool) and extracts Retrofit HTTP endpoints and OkHttp3 fields |
| android_google_services | Extracts Firebase/GCP config from google-services.json and resources.arsc string values |
| android_secrets_scanner | Scans DEX bytecode + resources.arsc + assets for hardcoded API keys and credentials |

iOS

| Tool | What it does |
|---|---|
| ios_manifest_analyzer | Parses Info.plist — flags ATS misconfigs, URL schemes, background modes |
| ios_permissions_checker | Categorizes privacy permission declarations by HIGH / MEDIUM / LOW risk |
| ios_entitlements_checker | Extracts entitlements via codesign — flags get-task-allow, sandbox bypass, iCloud containers |
| ios_binary_strings | Extracts URLs, emails, IPs, and API key patterns from the Mach-O binary |
| ios_frameworks_detector | Lists bundled frameworks, maps ~60 known SDKs (analytics, ads, attribution, crash reporting) |
| ios_google_services | Parses GoogleService-Info.plist for full Firebase configuration |
| ios_secrets_scanner | Scans app binary + resource files for hardcoded secrets and credentials |

Shared Pattern Registry

All secret and Google service detection patterns live in a single patterns.ts file — easy to extend, used by both Android and iOS scanners.


Installation

Global install

npm install -g mobile-security-mcp

Configure Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "mobile-security-mcp"
    }
  }
}

Config file locations:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Run from source

git clone https://github.com/Serhatcck/mobile-security-mcp.git
cd mobile-security-mcp
npm install
npm run build

Add to Claude Desktop config:

{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/mobile-security-mcp/dist/index.js"]
    }
  }
}

Usage

Once configured, restart Claude Desktop and start a conversation:

"Analyze the permissions in /path/to/app.apk"

"Check this IPA for hardcoded API keys: /path/to/app.ipa"

"What Firebase services does this APK use? /path/to/app.apk"

"Are there any exported components in this APK that could be an attack surface?"

"Show me all third-party SDKs in this iOS app and flag any privacy risks"

Android prerequisites

  • apktool — required for android_api_extractor (brew install apktool)
  • aapt (optional, part of Android SDK build tools) — speeds up manifest parsing

iOS prerequisites

  • codesign — built into macOS, required for ios_entitlements_checker
  • plutil — built into macOS, required for binary plist parsing
  • strings — built into macOS, required for binary analysis tools

Demo

Generate a demo GIF with VHS:

brew install charmbracelet/tap/vhs
vhs docs/demo.tape

Tools Reference

apk_manifest_analyzer

Input:  apk_path (string) — path to APK file
Output: Package info, security flags, components, intent filters, warnings
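The Features table and this entry both say the analyzer flags debuggable, allowBackup and exported components. The part that trips people up is that "exported" is not just an attribute: the platform applies defaults when it is absent. The following is an added example written for this page, not the project's own apk_manifest_analyzer code; it works on a decoded (text) AndroidManifest.xml such as apktool writes out, and the manifest it runs on is constructed for the demo. The function names, the report shape and the warning wording are this example's own.

```typescript
// Added example (not the project's code): derive the effective exported state of
// each component from a decoded AndroidManifest.xml and flag debuggable/allowBackup.

interface Component {
  kind: string;            // activity | service | receiver | provider
  name: string;
  exported: boolean;       // effective value after platform defaults are applied
  explicit: boolean;       // android:exported was written in the manifest
  hasIntentFilter: boolean;
  permission?: string;     // android:permission guarding the component, if any
}

interface ManifestReport {
  debuggable: boolean; allowBackup: boolean; minSdk: number; targetSdk: number;
  components: Component[]; warnings: string[];
}

// Collect the android:* attributes of one start tag into a map.
function androidAttrs(tag: string): Record<string, string> {
  const out: Record<string, string> = {};
  const re = /android:(\w+)="([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) out[m[1]] = m[2];
  return out;
}

function analyzeManifest(xml: string): ManifestReport {
  const appTag = /<application\b([^>]*)>/.exec(xml);
  const sdkTag = /<uses-sdk\b([^>]*)>/.exec(xml);
  const app = androidAttrs(appTag ? appTag[1] : '');
  const sdk = androidAttrs(sdkTag ? sdkTag[1] : '');
  const report: ManifestReport = {
    debuggable: app.debuggable === 'true',
    allowBackup: app.allowBackup !== 'false',          // platform default is true
    minSdk: parseInt(sdk.minSdkVersion || '1', 10),
    targetSdk: parseInt(sdk.targetSdkVersion || sdk.minSdkVersion || '1', 10),
    components: [], warnings: [],
  };
  if (report.debuggable) report.warnings.push('android:debuggable="true": a debugger or run-as works against this build on any device');
  if (report.allowBackup) report.warnings.push('android:allowBackup not set to false: private app data can be pulled with adb backup');

  // Matches <activity .../> or <activity ...>...</activity> (same for service/receiver/provider).
  const compRe = /<(activity|service|receiver|provider)(?=[\s/>])([^>]*?)(?:\/>|>([\s\S]*?)<\/\1>)/g;
  let m: RegExpExecArray | null;
  while ((m = compRe.exec(xml)) !== null) {
    const kind = m[1];
    const a = androidAttrs(m[2]);
    const body = m[3] || '';
    const hasIntentFilter = /<intent-filter\b/.test(body);
    const isLauncher = /android\.intent\.category\.LAUNCHER/.test(body);
    const explicit = 'exported' in a;
    let exported: boolean;
    if (explicit) exported = a.exported === 'true';
    else if (kind === 'provider') exported = report.minSdk < 17;  // providers defaulted to exported before API 17
    else exported = hasIntentFilter;                              // others: exported iff they declare an intent-filter
    const c: Component = { kind, name: a.name || '?', exported, explicit, hasIntentFilter, permission: a.permission };
    report.components.push(c);
    if (exported && !c.permission && !isLauncher) {
      report.warnings.push(`${kind} ${c.name} is ${explicit ? 'explicitly' : 'implicitly'} exported and not protected by a permission`);
    }
    if (!explicit && hasIntentFilter && report.targetSdk >= 31) {
      report.warnings.push(`${kind} ${c.name} has an intent-filter but no android:exported; API 31+ refuses to install it`);
    }
  }
  return report;
}

// Constructed manifest for the demo (not from a real app): debuggable, backup left at
// default, an implicitly exported deep-link activity and an unprotected exported receiver.
const SAMPLE_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo" android:exported="false"/>
  </application>
</manifest>`;

console.log(JSON.stringify(analyzeManifest(SAMPLE_MANIFEST), null, 2));
```

Against the constructed manifest this reports four warnings: debuggable, allowBackup, the deep-link activity (implicitly exported because it has an intent-filter and no android:exported) and the receiver (explicitly exported, no permission). The launcher activity is exported by design and is not flagged; the service is exported but guarded by a permission.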

apk_permissions_checker

Input:  apk_path (string)
Output: Dangerous permissions (highlighted) + normal permissions + risk summary

android_api_extractor

Input:  apk_path OR smali_folder (string), output_format (txt|postman)
Output: Retrofit HTTP endpoints or Postman collection JSON
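To make the txt|postman output concrete, here is an added example (written for this page, not the project's android_api_extractor) that pulls Retrofit endpoint declarations out of smali text as apktool/baksmali emit it and builds a Postman v2.1 collection from them. The smali input is constructed for the demo, and the base URL is an assumption supplied by the caller: Retrofit sets it at runtime through Retrofit.Builder().baseUrl(...), so it is not recoverable from the annotations alone.

```typescript
// Added example (not the project's code): Retrofit annotations in smali -> Postman collection.

interface Endpoint { method: string; path: string; smaliMethod: string; pathParams: string[] }
interface PostmanItem { name: string; request: { method: string; url: { raw: string }; description: string } }
interface PostmanCollection { info: { name: string; schema: string }; item: PostmanItem[] }

const HTTP_ANNOTATIONS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'];

function extractRetrofitEndpoints(smali: string): Endpoint[] {
  const out: Endpoint[] = [];
  // One ".method ... .end method" block per interface method.
  const methodRe = /\.method\s+([^\n(]*?)\s+(\w+)\([^)]*\)[^\n]*\n([\s\S]*?)\.end method/g;
  let m: RegExpExecArray | null;
  while ((m = methodRe.exec(smali)) !== null) {
    const smaliMethod = m[2];
    // @GET("users/{id}") compiles to:
    //   .annotation runtime Lretrofit2/http/GET;
    //       value = "users/{id}"
    //   .end annotation
    // @Path/@Query/@Header live in the same package and are skipped by the allowlist below.
    const annRe = /\.annotation\s+runtime\s+Lretrofit2\/http\/(\w+);\s*value\s*=\s*"([^"]*)"/g;
    let a: RegExpExecArray | null;
    while ((a = annRe.exec(m[3])) !== null) {
      if (HTTP_ANNOTATIONS.indexOf(a[1]) === -1) continue;
      const pathParams: string[] = [];
      const pRe = /\{(\w+)\}/g;
      let p: RegExpExecArray | null;
      while ((p = pRe.exec(a[2])) !== null) pathParams.push(p[1]);
      out.push({ method: a[1], path: a[2], smaliMethod, pathParams });
    }
  }
  return out;
}

function toPostmanCollection(name: string, baseUrl: string, endpoints: Endpoint[]): PostmanCollection {
  const base = baseUrl.replace(/\/+$/, '');
  return {
    info: { name, schema: 'https://schema.getpostman.com/json/collection/v2.1.0/collection.json' },
    item: endpoints.map(e => ({
      name: e.method + ' ' + e.path,
      request: {
        method: e.method,
        // Postman writes path variables as :id rather than Retrofit's {id}.
        url: { raw: base + '/' + e.path.replace(/^\/+/, '').replace(/\{(\w+)\}/g, ':$1') },
        description: 'from smali method ' + e.smaliMethod,
      },
    })),
  };
}

// Constructed smali for the demo: a three-method Retrofit interface.
const SAMPLE_SMALI = `.class public interface abstract Lcom/example/demo/api/UserService;
.super Ljava/lang/Object;

# virtual methods
.method public abstract getUser(Ljava/lang/String;)Lretrofit2/Call;
    .annotation runtime Lretrofit2/http/GET;
        value = "users/{id}"
    .end annotation
    .param p1    # Ljava/lang/String;
        .annotation runtime Lretrofit2/http/Path;
            value = "id"
        .end annotation
    .end param
.end method

.method public abstract login(Lcom/example/demo/api/LoginRequest;)Lretrofit2/Call;
    .annotation runtime Lretrofit2/http/POST;
        value = "auth/login"
    .end annotation
.end method

.method public abstract search(Ljava/lang/String;)Lretrofit2/Call;
    .annotation runtime Lretrofit2/http/GET;
        value = "search"
    .end annotation
    .param p1    # Ljava/lang/String;
        .annotation runtime Lretrofit2/http/Query;
            value = "q"
        .end annotation
    .end param
.end method
`;

const demoEndpoints = extractRetrofitEndpoints(SAMPLE_SMALI);
console.log(JSON.stringify(toPostmanCollection('Demo API', 'https://api.example.com/', demoEndpoints), null, 2));
```

Running it over a whole smali_folder is a matter of reading every .smali file whose class extends nothing but declares retrofit2/http annotations; the @Path annotation on the parameter tells you which path segments are attacker-controlled, which is why pathParams is kept separately.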

android_google_services

Input:  apk_path (string), smali_folder (optional string)
Output: Firebase project ID, API keys, database URL, storage bucket, OAuth clients

android_secrets_scanner

Input:  apk_path (string), smali_folder (optional), min_length (default 8)
Output: Hardcoded credentials found in DEX + resources.arsc + assets

ios_manifest_analyzer

Input:  ipa_path (string)
Output: Bundle info, ATS settings, URL schemes, background modes, warnings
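The Features table and this entry mention ATS misconfigurations and URL schemes. As an added example (written for this page, not the project's ios_manifest_analyzer), the block below contains a small reader for an XML Info.plist, the form plutil -convert xml1 produces from the binary plist inside an IPA, and the App Transport Security and URL-scheme checks over it. The plist it parses is constructed for the demo; the function names and severity labels are this example's own, while the NSAppTransportSecurity keys it inspects are Apple's documented ones.

```typescript
// Added example (not the project's code): minimal XML plist reader plus ATS and URL-scheme checks.

type PlistValue = string | number | boolean | PlistValue[] | PlistDict;
interface PlistDict { [key: string]: PlistValue }

function parsePlist(xml: string): PlistValue {
  const toks = xml.match(/<[^>]+>|[^<]+/g) || [];
  let i = 0;
  // XML prolog, DOCTYPE and inter-element whitespace carry no data.
  const noise = (t: string) => t.indexOf('<?') === 0 || t.indexOf('<!') === 0 || (t.charAt(0) !== '<' && t.trim() === '');
  const peek = (): string => { while (i < toks.length && noise(toks[i])) i++; return toks[i]; };
  const next = (): string => { const t = peek(); i++; return t; };
  const expect = (tag: string): void => { const t = next(); if (t !== tag) throw new Error('expected ' + tag + ', got ' + t); };
  const text = (close: string): string => {   // raw character data up to the closing tag
    let s = '';
    while (i < toks.length && toks[i].charAt(0) !== '<') s += toks[i++];
    expect(close);
    return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
  };
  const value = (): PlistValue => {
    const t = next();
    if (t === '<true/>') return true;
    if (t === '<false/>') return false;
    if (t === '<string>') return text('</string>');
    if (t === '<integer>') return parseInt(text('</integer>'), 10);
    if (t === '<array/>') return [];
    if (t === '<dict/>') return {};
    if (t === '<array>') { const a: PlistValue[] = []; while (peek() !== '</array>') a.push(value()); next(); return a; }
    if (t === '<dict>') {
      const d: PlistDict = {};
      while (peek() !== '</dict>') { expect('<key>'); const k = text('</key>'); d[k] = value(); }
      next(); return d;
    }
    throw new Error('unsupported plist element: ' + t);
  };
  if ((peek() || '').indexOf('<plist') === 0) next();
  return value();
}

const asDict = (v: PlistValue | undefined): PlistDict | null =>
  v && typeof v === 'object' && !Array.isArray(v) ? (v as PlistDict) : null;

interface AtsFinding { severity: 'HIGH' | 'MEDIUM' | 'LOW'; message: string }

function checkAts(info: PlistDict): AtsFinding[] {
  const out: AtsFinding[] = [];
  const ats = asDict(info['NSAppTransportSecurity']);
  if (!ats) return out;  // no dictionary: the platform default (HTTPS, TLS 1.2+, forward secrecy) applies
  if (ats['NSAllowsArbitraryLoads'] === true) out.push({ severity: 'HIGH', message: 'NSAllowsArbitraryLoads=true disables ATS for every connection' });
  if (ats['NSAllowsArbitraryLoadsInWebContent'] === true) out.push({ severity: 'MEDIUM', message: 'NSAllowsArbitraryLoadsInWebContent=true: web views may load plaintext HTTP' });
  if (ats['NSAllowsLocalNetworking'] === true) out.push({ severity: 'LOW', message: 'NSAllowsLocalNetworking=true: unencrypted local-network connections permitted' });
  const exceptions = asDict(ats['NSExceptionDomains']) || {};
  for (const domain of Object.keys(exceptions)) {
    const cfg = asDict(exceptions[domain]) || {};
    const scope = cfg['NSIncludesSubdomains'] === true ? domain + ' (and subdomains)' : domain;
    if (cfg['NSExceptionAllowsInsecureHTTPLoads'] === true) out.push({ severity: 'HIGH', message: scope + ': plaintext HTTP allowed via NSExceptionAllowsInsecureHTTPLoads' });
    const tls = cfg['NSExceptionMinimumTLSVersion'];
    if (tls === 'TLSv1.0' || tls === 'TLSv1.1') out.push({ severity: 'MEDIUM', message: scope + ': minimum TLS version lowered to ' + tls });
    if (cfg['NSExceptionRequiresForwardSecrecy'] === false) out.push({ severity: 'LOW', message: scope + ': forward secrecy not required' });
  }
  return out;
}

// Custom URL schemes are an entry point for other apps; list them for review.
function urlSchemes(info: PlistDict): string[] {
  const out: string[] = [];
  const types = info['CFBundleURLTypes'];
  if (!Array.isArray(types)) return out;
  for (const t of types) {
    const schemes = (asDict(t) || {})['CFBundleURLSchemes'];
    if (Array.isArray(schemes)) for (const s of schemes) out.push(String(s));
  }
  return out;
}

// Constructed Info.plist for the demo (not from a real app).
const SAMPLE_INFO_PLIST = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict><key>CFBundleURLSchemes</key><array><string>demo</string><string>demo-auth</string></array></dict>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>`;

const demoInfo = parsePlist(SAMPLE_INFO_PLIST) as PlistDict;
console.log(urlSchemes(demoInfo), checkAts(demoInfo));
```

On the constructed plist this yields two HIGH findings (global NSAllowsArbitraryLoads, plaintext HTTP for legacy.example.com and its subdomains) and one MEDIUM (TLS 1.0 permitted for that domain), plus the two custom schemes. An Info.plist with no NSAppTransportSecurity dictionary produces no findings, which is the secure default.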

ios_permissions_checker

Input:  ipa_path (string)
Output: Privacy permissions grouped by HIGH/MEDIUM/LOW risk with usage descriptions

ios_entitlements_checker

Input:  ipa_path (string)
Output: Entitlements extracted from binary, high-risk flags, simulator detection

ios_binary_strings

Input:  ipa_path (string), filter (all|url|key|email|ip), min_length (default 6)
Output: Filtered strings from Mach-O binary

ios_frameworks_detector

Input:  ipa_path (string)
Output: Bundled frameworks grouped by category with privacy risk annotations

ios_google_services

Input:  ipa_path (string)
Output: Full GoogleService-Info.plist contents + pattern scan of resource files

ios_secrets_scanner

Input:  ipa_path (string), min_length (default 8)
Output: Secrets found in resource files and binary, split by layer with severity
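The Shared Pattern Registry section above says one patterns.ts feeds both android_secrets_scanner and ios_secrets_scanner, and both tool entries here take a min_length and report findings per layer with a severity. As an added example (written for this page, not the project's patterns.ts or either scanner), the block below shows what such a shared registry and scanner can look like: a list of pattern entries, a scanner that applies them to any text layer (DEX strings, resources.arsc, assets, Mach-O strings), a Shannon-entropy filter so the generic "password = ..." rule ignores placeholders, and redaction so the full secret never lands in the chat transcript. The pattern names, severities, layer names and sample layers are this example's own; the AWS and Google key prefixes are the publicly documented formats, and the sample values are constructed (the AWS one is the documented AKIAIOSFODNN7EXAMPLE placeholder).

```typescript
// Added example (not the project's code): shared secret-pattern registry plus layer scanner.

interface SecretPattern {
  id: string;
  severity: 'HIGH' | 'MEDIUM' | 'LOW';
  regex: RegExp;                        // global; group 1 (if present) is the secret itself
  verify?: (value: string) => boolean;  // optional extra filter on the captured value
}

interface SecretFinding { id: string; severity: string; layer: string; offset: number; redacted: string }

// Bits of entropy per character; placeholders like "changeme" score low, real keys high.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s.charAt(i)] = (counts[s.charAt(i)] || 0) + 1;
  let h = 0;
  for (const ch in counts) { const p = counts[ch] / s.length; h -= p * Math.log(p) / Math.LN2; }
  return h;
}

// AWS access key IDs: AKIA/ASIA + 16 uppercase alphanumerics. Google API keys: AIza + 35 chars.
// The generic rule matches key/secret/password/token assignments and relies on entropy.
const PATTERNS: SecretPattern[] = [
  { id: 'aws_access_key_id', severity: 'HIGH', regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: 'google_api_key', severity: 'MEDIUM', regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { id: 'private_key_block', severity: 'HIGH', regex: /-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/g },
  { id: 'generic_credential', severity: 'LOW',
    regex: /(?:api[_-]?key|secret|password|token)\s*[=:]\s*["']([^"']+)["']/gi,
    verify: (v) => shannonEntropy(v) >= 3.0 },
];

// Never echo the whole value back to the AI client; a prefix and length are enough to locate it.
function redact(v: string): string {
  return v.length <= 8 ? '********' : v.slice(0, 4) + '...' + v.slice(-2) + ' (' + v.length + ' chars)';
}

function scanLayer(layer: string, text: string, minLength: number = 8): SecretFinding[] {
  const out: SecretFinding[] = [];
  for (const p of PATTERNS) {
    p.regex.lastIndex = 0;  // global regexes keep state between calls
    let m: RegExpExecArray | null;
    while ((m = p.regex.exec(text)) !== null) {
      const value = typeof m[1] === 'string' ? m[1] : m[0];
      if (value.length < minLength) continue;
      if (p.verify && !p.verify(value)) continue;
      out.push({ id: p.id, severity: p.severity, layer, offset: m.index, redacted: redact(value) });
    }
  }
  return out;
}

function scanAll(layers: Record<string, string>, minLength: number = 8): SecretFinding[] {
  let out: SecretFinding[] = [];
  for (const layer in layers) out = out.concat(scanLayer(layer, layers[layer], minLength));
  return out;
}

// Constructed sample layers: one from an APK's resources, one from its assets,
// one as the output of `strings` on an iOS binary. None of these values are real.
const SAMPLE_LAYERS: Record<string, string> = {
  'resources.arsc': '<string name="maps_key">AIzaSyFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE0</string>\n<string name="app_name">Demo</string>',
  'assets/config.json': '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "password": "changeme"}',
  'Payload/Demo.app/Demo (strings)': 'https://api.example.com/v1\napi_token = "x7Gq9pL2vR4tW8nK"\n-----BEGIN RSA PRIVATE KEY-----',
};

console.log(scanAll(SAMPLE_LAYERS));
```

Over the sample layers this returns four findings: the Google key in resources.arsc, the AWS key ID in assets, and the high-entropy token plus the private-key header in the iOS strings dump. The "changeme" password is matched by the generic rule but dropped by the entropy check, which is the kind of false positive a pattern-only scanner would otherwise report on every layer.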

Contributing

See CONTRIBUTING.md for development setup, how to add new tools, and PR guidelines.


Security

See SECURITY.md for how to report vulnerabilities privately.


Changelog

See CHANGELOG.md.


License

MIT © Serhatcck