A Model Context Protocol (MCP) server that provides integration with Mobile Security Framework (MobSF) for automated mobile application security analysis.
- Automated APK/IPA Scanning - Upload and scan Android/iOS applications
- Comprehensive Reports - Get detailed security analysis reports
- AI Agent Compatible - Base64 file upload support for AI platforms
- Dockerized - Easy deployment with Docker
- Streamable HTTP - Modern MCP transport (not SSE)
```
+---------------------------------------------------------------+
|                     AI Agent / MCP Client                     |
|                (VS Code, Claude, Custom Apps)                 |
+-------------------------------+-------------------------------+
                                | HTTP (Streamable HTTP Transport)
                                | POST http://localhost:7567/mcp
                                v
+---------------------------------------------------------------+
|                       MobSF MCP Server                        |
|                      (Docker: Port 7567)                      |
|  +---------------------------------------------------------+  |
|  | Tools:                                                  |  |
|  |  * scanFile       - Scan APK/IPA from file path         |  |
|  |  * scanFileBase64 - Scan from base64 encoded data       |  |
|  |  * getReport      - Get detailed scan report            |  |
|  |  * listScans      - List all recent scans               |  |
|  |  * deleteScan     - Remove scan from MobSF              |  |
|  +---------------------------------------------------------+  |
+-------------------------------+-------------------------------+
                                | HTTP REST API
                                v
+---------------------------------------------------------------+
|                             MobSF                             |
|                      (Docker: Port 9000)                      |
|                Mobile Security Analysis Engine                |
+---------------------------------------------------------------+
```
```bash
# Clone the repository
git clone https://github.com/Vesper42/mobsf-mcp-server.git
cd mobsf-mcp-server
# Run the installer with Docker
./mobsf.sh --install --docker
# Or with Podman (RHEL/Fedora compatible with SELinux)
./mobsf.sh --install --podman
```
The installer will:
- Check if services are already running (skips if healthy)
- Check prerequisites (Docker/Podman, compose tool)
- Pull and start MobSF on port 9000
- Extract the API key automatically
- Create the `.env` configuration file
- Create SELinux-compatible compose override (for Podman)
- Build and start the MCP server on port 7567
- Start MobSF (if not already running):
  ```bash
  # Docker
  docker run -d --name mobsf \
    -p 9000:8000 \
    -v mobsf_data:/home/mobsf/.MobSF \
    opensecurity/mobile-security-framework-mobsf:latest
  # Podman (with SELinux)
  podman run -d --name mobsf \
    -p 9000:8000 \
    -v mobsf_data:/home/mobsf/.MobSF:Z \
    opensecurity/mobile-security-framework-mobsf:latest
  ```
- Get MobSF API Key:
  ```bash
  docker logs mobsf 2>&1 | grep "REST API Key"
  ```
- Configure environment:
  ```bash
  cp .env.example .env
  # Edit .env with your MOBSF_API_KEY
  ```
- Start MCP Server:
  ```bash
  docker-compose up -d --build
  ```
```bash
# Interactive mode
./mobsf.sh --uninstall --docker
# Remove MCP server only (keep MobSF)
./mobsf.sh --uninstall --docker --mcp-only
# Full cleanup (remove everything)
./mobsf.sh --uninstall --docker --full
# With Podman
./mobsf.sh --uninstall --podman --full
```
If you've updated the `.env` configuration:
```bash
./mobsf.sh --restart --docker
# or
./mobsf.sh --restart --podman
```
```bash
./mobsf.sh --status --docker
# or
./mobsf.sh --status --podman
```
| Variable | Description | Default |
|---|---|---|
| `MOBSF_URL` | MobSF server URL | `http://host.docker.internal:9000` |
| `MOBSF_API_KEY` | MobSF REST API key | Required |
| `MCP_API_KEY` | Bearer token for MCP authentication | Optional (recommended) |
| `PORT` | MCP server port | `7567` |
```bash
MOBSF_URL=http://host.docker.internal:9000
MOBSF_API_KEY=your-mobsf-api-key-here
MCP_API_KEY=your-mcp-auth-token-here
```
The MCP server supports optional Bearer token authentication. When `MCP_API_KEY` is configured, all requests to `/mcp` must include an `Authorization` header:
```
Authorization: Bearer <your-mcp-api-key>
```
Generate a secure token:
```bash
openssl rand -hex 32
```
The install.sh script will automatically offer to generate a secure token for you.
Note: The `/health` and `/` endpoints do not require authentication.
Create or edit ~/.vscode/mcp.json (or use VS Code's MCP settings):
```json
{
  "servers": {
    "mobsf-mcp-server": {
      "url": "http://127.0.0.1:7567/mcp"
    }
  }
}
```
With authentication (recommended):
```json
{
  "servers": {
    "mobsf-mcp-server": {
      "url": "http://127.0.0.1:7567/mcp",
      "headers": {
        "Authorization": "Bearer your-mcp-api-key-here"
      }
    }
  }
}
```
### Claude Desktop
Add to `claude_desktop_config.json`:
```json
{
  "mcpServers": {
    "mobsf": {
      "url": "http://localhost:7567/mcp"
    }
  }
}
```
```javascript
const client = new MCPClient({
  transport: "streamable-http",
  url: "http://localhost:7567/mcp"
});
```
### `scanFile`
Scan an APK or IPA file from a file path. Supports automatic path translation: you can use your host machine paths directly (e.g., `/Users/username/Downloads/app.apk`), and they will be automatically translated to container paths.
**Parameters:**
- `file` (string, required): Path to the APK/IPA file (host or container path)
**Example:**
```json
{
  "tool": "scanFile",
  "arguments": {
    "file": "/Users/username/Downloads/app.apk"
  }
}
```
Note: The Docker container mounts your home directory at `/host_home`, so files anywhere under your home folder are accessible.
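Because the whole home directory is mounted, the translation step is also where a request can be kept inside that mount. The following is an added example, not this project's code: the function names, the sample host home `/Users/username` and the injectable `realpath` parameter are assumptions; only the `/host_home` mount point comes from this README.

```javascript
const fs = require("fs");
const path = require("path");

const MOUNT = "/host_home";          // mount point named in the README
const HOST_HOME = "/Users/username"; // constructed sample; hypothetical host home

// Translate a host or container path into a path under MOUNT and reject
// anything that normalizes to a location outside the mounted home directory.
function toContainerPath(input, hostHome = HOST_HOME, mount = MOUNT) {
  if (typeof input !== "string" || input.includes("\0")) {
    throw new Error("invalid path");
  }
  if (!path.posix.isAbsolute(input)) throw new Error("path must be absolute");
  const p = path.posix.normalize(input); // collapses "." and ".." segments
  if (p === mount || p.startsWith(mount + "/")) return p; // already a container path
  if (p === hostHome || p.startsWith(hostHome + "/")) {
    return mount + p.slice(hostHome.length);
  }
  throw new Error("path is outside the mounted home directory");
}

// Lexical checks do not see symlinks: a link under the mount can point
// elsewhere in the container, so the resolved path is compared as well.
function resolveInsideMount(containerPath, realpath = fs.realpathSync, mount = MOUNT) {
  const root = realpath(mount);
  const real = realpath(containerPath);
  if (real !== root && !real.startsWith(root + "/")) {
    throw new Error("resolved path escapes the mount");
  }
  return real;
}
```

In a server, `resolveInsideMount` would run on the result of `toContainerPath` immediately before the file is opened.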
### `scanFileBase64`
Scan a file uploaded as base64 encoded data. Ideal for AI agents that can't access the filesystem directly.
**Parameters:**
- `filename` (string, required): Name of the file (must end with .apk or .ipa)
- `content` (string, required): Base64 encoded file content
- `contentType` (string, optional): MIME type
**Example:**
```json
{
  "tool": "scanFileBase64",
  "arguments": {
    "filename": "app.apk",
    "content": "base64-encoded-content-here",
    "contentType": "application/vnd.android.package-archive"
  }
}
```
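The checks a base64 upload needs before any file is written, shown as an added example rather than this project's code: the function names and the 200 MiB cap are assumptions. It goes slightly beyond the parameter list above by also checking the ZIP signature, since APK and IPA files are ZIP archives.

```javascript
const path = require("path");

const ALLOWED_EXT = new Set([".apk", ".ipa"]);
const MAX_BYTES = 200 * 1024 * 1024; // assumed cap, not a value from the README

// Reduce a client-supplied name to a bare, safe file name with an allowed extension.
function sanitizeFilename(name) {
  if (typeof name !== "string") throw new Error("filename must be a string");
  // Treat "\" and "/" alike, then keep only the last path segment.
  const base = name.replace(/\\/g, "/").split("/").pop();
  const clean = base.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  const ext = path.posix.extname(clean).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) throw new Error("filename must end with .apk or .ipa");
  return clean;
}

// Decode strictly: Buffer.from(..., "base64") is lenient and never throws on
// malformed input, so the alphabet and padding are validated first.
function decodeUpload(content) {
  if (typeof content !== "string" || content.length === 0 ||
      content.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(content)) {
    throw new Error("content is not valid base64");
  }
  if ((content.length / 4) * 3 > MAX_BYTES) throw new Error("upload too large");
  const buf = Buffer.from(content, "base64");
  // ZIP local file header signature "PK\x03\x04", read as a little-endian u32.
  if (buf.length < 4 || buf.readUInt32LE(0) !== 0x04034b50) {
    throw new Error("payload is not a ZIP archive");
  }
  return buf;
}

// Validate the arguments of a scanFileBase64 call before any file is written.
function prepareScan(args) {
  return { filename: sanitizeFilename(args.filename), data: decodeUpload(args.content) };
}
```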
### `getReport`
Get the detailed security analysis report for a scanned file.
**Parameters:**
- `hash` (string, required): The MD5 hash of the scanned file
**Example:**
```json
{
  "tool": "getReport",
  "arguments": {
    "hash": "abc123def456..."
  }
}
```
### `listScans`
List all recent scans in MobSF.
**Parameters:**
- `page` (number, optional): Page number (default: 1)
- `pageSize` (number, optional): Results per page (default: 10)
**Example:**
```json
{
  "tool": "listScans",
  "arguments": {
    "page": 1,
    "pageSize": 20
  }
}
```
### `deleteScan`
Delete a scan from MobSF.
**Parameters:**
- `hash` (string, required): The MD5 hash of the scan to delete
**Example:**
```json
{
  "tool": "deleteScan",
  "arguments": {
    "hash": "abc123def456..."
  }
}
```
| Endpoint | Method | Auth Required | Description |
|---|---|---|---|
| `/` | GET | No | Server info and available tools |
| `/mcp` | POST | Yes* | MCP protocol endpoint (Streamable HTTP) |
| `/mcp/` | POST | Yes* | MCP protocol endpoint (alias with trailing slash) |
| `/health` | GET | No | Health check endpoint |
*Auth required only if MCP_API_KEY is configured.
This server implements several security best practices:
- Bearer Token Authentication - Optional but recommended
- Request Timeouts - All API calls have timeouts to prevent hanging
- Timing-Safe Comparison - API key validation uses `crypto.timingSafeEqual`
- Filename Sanitization - Prevents path traversal attacks
- Sensitive Data Masking - Base64 content and file paths are masked in logs
- Graceful Shutdown - Proper cleanup of sessions on SIGTERM/SIGINT
- Non-root Docker User - Container runs as unprivileged user
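How the Bearer token rule from the authentication section and the timing-safe comparison listed above fit together, as an added example that is not this project's code: `isAuthorized`, `tokensMatch` and the `configuredKey` parameter (standing in for `MCP_API_KEY`) are assumed names.

```javascript
const crypto = require("crypto");

// Endpoints the README lists as not requiring authentication. Everything
// else, including the /mcp/ alias, is denied by default when a key is set.
const PUBLIC_PATHS = new Set(["/", "/health"]);

// Constant-time comparison. crypto.timingSafeEqual throws when the buffers
// differ in length, so both values are hashed to 32 bytes first; this also
// avoids revealing the configured token's length.
function tokensMatch(presented, expected) {
  const a = crypto.createHash("sha256").update(presented, "utf8").digest();
  const b = crypto.createHash("sha256").update(expected, "utf8").digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide whether a request may reach the MCP handler.
function isAuthorized(pathname, headers, configuredKey) {
  if (PUBLIC_PATHS.has(pathname)) return true;
  if (!configuredKey) return true; // auth is optional when no key is set
  const header = headers["authorization"]; // Node lower-cases header names
  if (typeof header !== "string") return false;
  const m = /^Bearer +(\S+)$/i.exec(header);
  if (!m) return false;
  return tokensMatch(m[1], configuredKey);
}
```

A request for which `isAuthorized` returns `false` would be answered with HTTP 401 before any tool runs.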
```bash
# Install dependencies
npm install
# Build
npm run build
# Run locally (requires MobSF running)
npm start
```
```bash
# Build image
docker-compose build
# Start in foreground (see logs)
docker-compose up
# Start in background
docker-compose up -d
# View logs
docker-compose logs -f
# Restart
docker-compose restart
```
- Verify MobSF is running:
  ```bash
  docker ps | grep mobsf
  ```
- Check MobSF logs:
  ```bash
  docker logs mobsf
  ```
- Verify API key is correct:
  ```bash
  curl -X POST http://localhost:9000/api/v1/scans \
    -H "Authorization: your-api-key"
  ```

- Check container status:
  ```bash
  docker-compose ps
  ```
- Check logs:
  ```bash
  docker-compose logs -f mobsf-mcp-server
  ```
- Verify health endpoint:
  ```bash
  curl http://localhost:7567/health
  ```
- Ensure the file path is accessible from the container
- For Docker, files must be in mounted volumes
- Use `scanFileBase64` for AI agents without filesystem access
MIT License - see LICENSE file.
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request
- MobSF - The amazing mobile security analysis platform
- Model Context Protocol - The MCP specification
This project is a modernized version of the original pullkitsan/mobsf-mcp-server repository, which was unmaintained for 9+ months.
Key improvements in this version:
- Upgraded from stdio to Streamable HTTP transport
- Full Docker support with multi-stage builds
- Updated to latest @modelcontextprotocol/sdk v1.11.0
- Added install.sh and uninstall.sh for easy setup
- Added base64 file upload support for AI agents
- Enhanced security with non-root Docker user
- Optional Bearer token authentication for MCP endpoints
- Automatic path translation - use host paths directly
- Request timeouts on all API calls
- Graceful shutdown handling
- Timing-safe token comparison to prevent timing attacks