Which integrations are available for this server?

Extracts Firebase configuration from Android and iOS apps, providing project IDs, API keys, database URLs, storage buckets, and OAuth clients. Extracts Google service configuration from mobile apps, including Firebase and Google Cloud Platform settings from google-services.json and GoogleService-Info.plist. Inspects iOS app entitlements related to iCloud, such as iCloud containers and key-value storage, through ios_entitlements_checker. Generates Postman collection JSON from API endpoints extracted during Android app analysis using android_api_extractor.

How do I use mobile-security-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@mobile-security-mcp Analyze the permissions in /path/to/app.apk" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

mobile-security-mcp

by Serhatcck

Overview Schema Related Servers Score Discussions

TypeScript

Local

mobile-security-mcp is an MCP (Model Context Protocol) server that gives Claude — and any MCP-compatible AI client — the ability to analyze Android APK and iOS IPA files for security issues through natural language conversation.

Security researchers, mobile pentesters, and app developers can now audit permissions, extract API endpoints, detect hardcoded secrets, inspect Firebase configuration, and enumerate third-party SDKs by simply asking Claude — no scripting required.

Features

Android

Tool	What it does
`apk_manifest_analyzer`	Parses `AndroidManifest.xml` — flags `debuggable`, `allowBackup`, exported components, intent filters
`apk_permissions_checker`	Categorizes all permissions into dangerous vs normal with risk explanations
`android_api_extractor`	Decompiles smali bytecode to extract Retrofit HTTP endpoints and OkHttp3 fields
`android_google_services`	Extracts Firebase/GCP config from `google-services.json` and `resources.arsc` string values
`android_secrets_scanner`	Scans DEX bytecode + `resources.arsc` + assets for hardcoded API keys and credentials

iOS

Tool	What it does
`ios_manifest_analyzer`	Parses `Info.plist` — flags ATS misconfigs, URL schemes, background modes
`ios_permissions_checker`	Categorizes privacy permission declarations by HIGH / MEDIUM / LOW risk
`ios_entitlements_checker`	Extracts entitlements via `codesign` — flags `get-task-allow`, sandbox bypass, iCloud containers
`ios_binary_strings`	Extracts URLs, emails, IPs, and API key patterns from the Mach-O binary
`ios_frameworks_detector`	Lists bundled frameworks, maps ~60 known SDKs (analytics, ads, attribution, crash reporting)
`ios_google_services`	Parses `GoogleService-Info.plist` for full Firebase configuration
`ios_secrets_scanner`	Scans app binary + resource files for hardcoded secrets and credentials

Shared Pattern Registry

All secret and Google service detection patterns live in a single patterns.ts — easy to extend, used by both Android and iOS scanners.

Related MCP server: frida-mcp

Installation

npm install -g mobile-security-mcp

Configure Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "npx",
      "args": ["mobile-security-mcp"]
    }
  }
}

Config file locations:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

Run from source

git clone https://github.com/Serhatcck/mobile-security-mcp.git
cd mobile-security-mcp
npm install && npm run build

{
  "mcpServers": {
    "mobile-security-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/mobile-security-mcp/dist/index.js"]
    }
  }
}

Usage

Once configured, restart Claude Desktop and start a conversation:

"Analyze the permissions in /path/to/app.apk"

"Check this IPA for hardcoded API keys: /path/to/app.ipa"

"What Firebase services does this APK use?"

"Are there any exported components in this APK that could be an attack surface?"

"Show me all third-party SDKs in this iOS app and flag any privacy risks"

Prerequisites

Android:

apktool — required for android_api_extractor (brew install apktool)
aapt (optional) — speeds up manifest parsing, part of Android SDK build tools

iOS (macOS only):

codesign, plutil, strings — all built into macOS, no install needed

Tools

`apk_manifest_analyzer`

Input:  apk_path (string)
Output: Package info, security flags, components, intent filters, warnings

`apk_permissions_checker`

Input:  apk_path (string)
Output: Dangerous permissions (highlighted) + normal permissions + risk summary

`android_api_extractor`

Input:  apk_path OR smali_folder (string), output_format (txt|postman)
Output: Retrofit HTTP endpoints or Postman collection JSON

`android_google_services`

Input:  apk_path (string), smali_folder (optional)
Output: Firebase project ID, API keys, database URL, storage bucket, OAuth clients

`android_secrets_scanner`

Input:  apk_path (string), smali_folder (optional), min_length (default 8)
Output: Hardcoded credentials found in DEX + resources.arsc + assets

`ios_manifest_analyzer`

Input:  ipa_path (string)
Output: Bundle info, ATS settings, URL schemes, background modes, warnings

`ios_permissions_checker`

Input:  ipa_path (string)
Output: Privacy permissions grouped by HIGH/MEDIUM/LOW risk with usage descriptions

`ios_entitlements_checker`

Input:  ipa_path (string)
Output: Entitlements extracted from binary, high-risk flags, simulator detection

`ios_binary_strings`

Input:  ipa_path (string), filter (all|url|key|email|ip), min_length (default 6)
Output: Filtered strings from Mach-O binary

`ios_frameworks_detector`

Input:  ipa_path (string)
Output: Bundled frameworks grouped by category with privacy risk annotations

`ios_google_services`

Input:  ipa_path (string)
Output: Full GoogleService-Info.plist contents + pattern scan of resource files

`ios_secrets_scanner`

Input:  ipa_path (string), min_length (default 8)
Output: Secrets found in resource files and binary, split by layer with severity

Demo

demo

Regenerate with VHS: brew install charmbracelet/tap/vhs && vhs docs/demo.tape

Contributing

See CONTRIBUTING.md for development setup, how to add new tools, and PR guidelines.

Security

See SECURITY.md for how to report vulnerabilities privately.

Changelog

See CHANGELOG.md.

License

Install Server

license - permissive license

quality - not tested

maintenance

How are these scores calculated?

Maintenance

–Maintainers

–Response time

–Release cycle

1Releases (12mo)

Commit activity

Resources

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

View all tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Serhatcck/mobile-security-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server