Runs static security analysis on Android source code without requiring a build or SDK. Exposes four MCP tools: analyze_android_project scans manifests, Gradle files, Java/Kotlin source, and XML configs for 53 security issues across five categories (exported components, weak crypto, SQL injection patterns, hardcoded secrets, SSL bypasses). Each finding maps to CWE and OWASP Mobile Top 10 with severity scoring. Built on Cloudflare Workers with pattern matching and regex rules, so it's fast but won't catch dataflow issues a full SAST tool would. Useful for quick security sweeps in CI or when reviewing Android projects through Claude without spinning up heavyweight analysis infrastructure.
MCP server for static security analysis of Android application source code. Runs on Cloudflare Workers as a remote MCP server over Streamable HTTP.
Analyzes Android project source files, without building the project, and returns a structured security report. The analysis covers the manifest, Gradle build files, Java/Kotlin source, XML configuration (network security config, file provider paths), and hardcoded secrets.
All analysis is regex/pattern-based and runs natively in the Workers runtime with no external tools, Java, or Android SDK required.
```text
POST /mcp ──► McpServer (JSON-RPC 2.0) ──► Tool Router
                                               │
                 ┌─────────────────────────────┘
                 ▼
            Orchestrator
                 │
    ┌────────────┼────────────┬─────────────┬─────────────┐
    ▼            ▼            ▼             ▼             ▼
 Manifest      Gradle    Source Code   XML Config     Secret
 Analyzer     Analyzer    Analyzer      Analyzer      Scanner
    │            │            │             │             │
    └────────────┴────────────┴─────────────┴─────────────┘
                              │
                              ▼
              Scoring + Deduplication ──► AnalysisReport
```
Key design decisions:

- Pure regex/pattern matching inside the Workers runtime: no Java, no Android SDK, no external tools. This keeps analysis fast and dependency-free, at the cost of missing dataflow-dependent issues that a full SAST engine would find.
- XML is parsed with fast-xml-parser; tool inputs and report types are validated with zod schemas.

| Tool | Description |
|---|---|
| analyze_android_project | Full security analysis of project files |
| list_android_security_checks | List all implemented security rules |
| explain_finding | Detailed explanation of a specific rule |
| health | Server status and rule engine stats |
Hosted server (recommended for Cline / MCP clients): no local install needed. The server runs at:
https://android-security-analyzer.ako-labs.workers.dev/mcp
Add this URL to your MCP client configuration (see Connecting from an MCP client below).
Local development:

```bash
npm install
npm run dev
```

This starts a local Wrangler dev server. The MCP endpoint is available at http://localhost:8787/mcp.

```bash
npm run deploy
```

Deploys to Cloudflare Workers. Requires wrangler authentication (npx wrangler login).

```bash
npm test              # Run all tests
npm run test:watch    # Watch mode
npm run typecheck     # TypeScript type checking
```
Initialize the MCP session. Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'
```

Windows (PowerShell):

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' -UseBasicParsing).Content
```

List the available tools. Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
```

Windows (PowerShell): the tool list is returned in result.tools; to see it as JSON, use the raw response:

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' -UseBasicParsing).Content
```

Or via the parsed object: (Invoke-RestMethod ...).result.tools | ConvertTo-Json -Depth 5

Call the health tool. Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}'
```

Windows (PowerShell):

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}' -UseBasicParsing).Content
```
Run an analysis on an inline manifest that is both debuggable and backup-enabled. Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 4,
    "method": "tools/call",
    "params": {
      "name": "analyze_android_project",
      "arguments": {
        "projectName": "TestApp",
        "files": [
          {
            "path": "app/src/main/AndroidManifest.xml",
            "content": "<manifest><application android:debuggable=\"true\" android:allowBackup=\"true\"></application></manifest>"
          }
        ]
      }
    }
  }'
```

Windows (PowerShell):

```powershell
$body = @{
  jsonrpc = "2.0"
  id = 4
  method = "tools/call"
  params = @{
    name = "analyze_android_project"
    arguments = @{
      projectName = "TestApp"
      files = @(
        @{
          path = "app/src/main/AndroidManifest.xml"
          content = "<manifest><application android:debuggable=`"true`" android:allowBackup=`"true`"></application></manifest>"
        }
      )
    }
  }
} | ConvertTo-Json -Depth 10
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body $body -UseBasicParsing).Content
```
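The curl and PowerShell calls above each send one raw JSON-RPC message. The following is an added example, not code from the project, of a small Streamable HTTP MCP client in TypeScript that runs the full sequence (initialize, the initialized notification, tools/call) and handles the two things the one-shot curl calls skip: echoing back a server-issued Mcp-Session-Id header and parsing a reply delivered as an SSE stream instead of plain JSON. The transport is injectable, and the fakeServer stand-in is constructed here so the exchange runs offline; the assumption that the report arrives as JSON text in the first content item is marked in the code.

```typescript
// Added example, not the analyzer project's own client. Exercises the MCP
// Streamable HTTP handshake against an injectable transport.
interface JsonRpcRequest { jsonrpc: "2.0"; id?: number; method: string; params?: unknown; }
interface JsonRpcResponse { jsonrpc: "2.0"; id: number; result?: any; error?: { code: number; message: string }; }
interface HttpResponse { status: number; headers: { get(name: string): string | null }; text(): Promise<string>; }
type Transport = (url: string, init: { method: "POST"; headers: Record<string, string>; body: string }) => Promise<HttpResponse>;

export const PROTOCOL_VERSION = "2025-03-26"; // same version the page's initialize example sends

// A Streamable HTTP server may answer with plain JSON or with an SSE stream of
// "data: {...}" lines; both carry ordinary JSON-RPC messages.
export function parseJsonRpcBody(body: string): JsonRpcResponse {
  const trimmed = body.trim();
  if (trimmed.startsWith("{")) return JSON.parse(trimmed);
  const msgs = trimmed.split("\n").filter(l => l.startsWith("data:")).map(l => JSON.parse(l.slice(5).trim()));
  const reply = msgs.find(m => "result" in m || "error" in m);
  if (!reply) throw new Error("no JSON-RPC response in body");
  return reply;
}

export class AnalyzerClient {
  private nextId = 1;
  sessionId: string | null = null;
  constructor(private readonly url: string,
              private readonly transport: Transport = (globalThis as any).fetch) {}

  private async send(msg: JsonRpcRequest): Promise<JsonRpcResponse | null> {
    const headers: Record<string, string> = {
      "Content-Type": "application/json",
      "Accept": "application/json, text/event-stream", // Streamable HTTP requires both
    };
    if (this.sessionId) headers["Mcp-Session-Id"] = this.sessionId; // echo a server-issued session
    const res = await this.transport(this.url, { method: "POST", headers, body: JSON.stringify(msg) });
    const sid = res.headers.get("mcp-session-id");
    if (sid) this.sessionId = sid;
    if (msg.id === undefined) return null; // notifications get no reply body (typically HTTP 202)
    if (res.status >= 400) throw new Error(`HTTP ${res.status} from ${this.url}`);
    const reply = parseJsonRpcBody(await res.text());
    if (reply.error) throw new Error(`JSON-RPC error ${reply.error.code}: ${reply.error.message}`);
    return reply;
  }

  async initialize(clientName = "example-client"): Promise<string> {
    const reply = await this.send({ jsonrpc: "2.0", id: this.nextId++, method: "initialize",
      params: { protocolVersion: PROTOCOL_VERSION, capabilities: {}, clientInfo: { name: clientName, version: "1.0" } } });
    await this.send({ jsonrpc: "2.0", method: "notifications/initialized" }); // completes the handshake
    return reply!.result.protocolVersion as string;
  }

  async callTool(name: string, args: Record<string, unknown>): Promise<any> {
    const reply = await this.send({ jsonrpc: "2.0", id: this.nextId++, method: "tools/call", params: { name, arguments: args } });
    const result = reply!.result;
    const text = (result.content ?? []).filter((c: any) => c.type === "text").map((c: any) => c.text).join("\n");
    if (result.isError) throw new Error(`tool ${name} failed: ${text}`); // tool-level failure, not a JSON-RPC error
    try { return JSON.parse(text); } catch { return text; } // assumption: report is JSON text in a text content item
  }
}

// Constructed stand-in for the server so this runs offline; point the client at
// http://localhost:8787/mcp or the hosted URL above for a real run.
export function fakeServer(): { transport: Transport; seen: JsonRpcRequest[] } {
  const seen: JsonRpcRequest[] = [];
  const transport: Transport = async (_url, init) => {
    const msg = JSON.parse(init.body) as JsonRpcRequest;
    seen.push(msg);
    const hdr = new Map<string, string>();
    let body = "";
    if (msg.method === "initialize") {
      hdr.set("mcp-session-id", "sess-123");
      body = JSON.stringify({ jsonrpc: "2.0", id: msg.id, result: { protocolVersion: PROTOCOL_VERSION, capabilities: {}, serverInfo: { name: "fake", version: "0" } } });
    } else if (msg.method === "tools/call") {
      if (init.headers["Mcp-Session-Id"] !== "sess-123") return { status: 400, headers: { get: () => null }, text: async () => "" };
      // answer over SSE to exercise the stream parser
      body = `event: message\ndata: ${JSON.stringify({ jsonrpc: "2.0", id: msg.id, result: { content: [{ type: "text", text: JSON.stringify({ riskScore: 42 }) }] } })}\n\n`;
    }
    return { status: msg.id === undefined ? 202 : 200, headers: { get: (n) => hdr.get(n.toLowerCase()) ?? null }, text: async () => body };
  };
  return { transport, seen };
}

export async function demo() {
  const { transport, seen } = fakeServer();
  const client = new AnalyzerClient("http://localhost:8787/mcp", transport);
  const version = await client.initialize();
  const report = await client.callTool("analyze_android_project", { projectName: "TestApp",
    files: [{ path: "app/src/main/AndroidManifest.xml", content: '<manifest><application android:debuggable="true"/></manifest>' }] });
  return { version, report, methods: seen.map(m => m.method), sessionId: client.sessionId };
}
```

Dropping the transport argument makes the client use the global fetch, so the same demo() flow can be pointed at the local Wrangler server. Note that isError in a tool result is a tool failure (bad input, unparseable file) and is distinct from a JSON-RPC error object; a CI wrapper should fail on both.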
Add to your MCP client configuration:

```json
{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "http://localhost:8787/mcp"
    }
  }
}
```

For production (hosted):

```json
{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "https://android-security-analyzer.ako-labs.workers.dev/mcp"
    }
  }
}
```
The analyzer implements 53 security rules across 5 categories:
| Category | Prefix | Rules | Examples |
|---|---|---|---|
| Manifest | MAN-* | 17 | debuggable, allowBackup, exported components, permissions |
| Gradle | GRD-* | 9 | release config, SDK versions, dependencies, secrets |
| Source | SRC-* | 17 | WebView, SSL/TLS, crypto, injection, file storage |
| XML Config | XML-* | 4 | network security config, file provider paths |
| Secret | SEC-* | 7 | API keys, tokens, passwords, cloud credentials |
Each finding includes a rule ID (using the category prefix above), a severity, the file path and line where the pattern matched, and the mapped CWE ID and OWASP Mobile Top 10 category.

The risk score (0-100) is computed from finding severities: each finding contributes a weight by severity, the weights are summed, and the raw sum is normalized against an expected maximum of 50 points, so a project accumulating 50 or more raw points receives the top score. The per-severity weights live in src/core/scoring.ts.
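To make the rule-based pipeline described at the top of the page and the scoring rule above concrete, here is an added example in TypeScript, not the project's own code: a miniature rule engine with a handful of regex rules keyed by file type, CWE/OWASP tagging, line numbers, deduplication, and the 50-point normalization. The rule IDs and the per-severity weights are assumptions for illustration (only the 50-point ceiling comes from the page); the sample manifest and Kotlin file are constructed, and the AWS key is the placeholder value from AWS documentation.

```typescript
// Added example, not the analyzer project's own rule engine. Rule IDs and
// severity weights are hypothetical; EXPECTED_MAX is the value the page states.
type Severity = "critical" | "high" | "medium" | "low";

interface Rule {
  id: string;          // hypothetical id in the MAN-*/SRC-*/SEC-* style
  severity: Severity;
  cwe: string;
  owasp: string;       // OWASP Mobile Top 10 (2024) category
  appliesTo: RegExp;   // which file paths the rule scans
  pattern: RegExp;     // the vulnerable construct
  message: string;
}
interface ProjectFile { path: string; content: string; }
export interface Finding {
  ruleId: string; severity: Severity; cwe: string; owasp: string;
  path: string; line: number; message: string;
}

const WEIGHTS: Record<Severity, number> = { critical: 10, high: 7, medium: 4, low: 2 }; // assumed
const EXPECTED_MAX = 50; // raw sum is normalized against 50 points

export const RULES: Rule[] = [
  { id: "MAN-DEBUGGABLE", severity: "high", cwe: "CWE-489", owasp: "M8: Security Misconfiguration",
    appliesTo: /AndroidManifest\.xml$/, pattern: /android:debuggable\s*=\s*"true"/,
    message: "application is debuggable" },
  { id: "MAN-BACKUP", severity: "medium", cwe: "CWE-530", owasp: "M9: Insecure Data Storage",
    appliesTo: /AndroidManifest\.xml$/, pattern: /android:allowBackup\s*=\s*"true"/,
    message: "app data can be extracted with adb backup" },
  // Exported component with no android:permission on the same tag. [^>]* also
  // matches newlines, so attributes split across lines are still covered.
  { id: "MAN-EXPORTED", severity: "high", cwe: "CWE-926", owasp: "M8: Security Misconfiguration",
    appliesTo: /AndroidManifest\.xml$/,
    pattern: /<(activity|service|receiver|provider)\b(?![^>]*android:permission)[^>]*android:exported\s*=\s*"true"/,
    message: "component exported without a permission" },
  // Empty checkServerTrusted body. A production rule must also handle the Java
  // form with a throws clause; this is the kind of gap a regex engine has.
  { id: "SRC-SSL-TRUSTALL", severity: "critical", cwe: "CWE-295", owasp: "M5: Insecure Communication",
    appliesTo: /\.(java|kt)$/, pattern: /checkServerTrusted\s*\([^)]*\)\s*\{\s*\}/,
    message: "empty checkServerTrusted accepts any certificate" },
  { id: "SEC-AWS-KEY", severity: "critical", cwe: "CWE-798", owasp: "M1: Improper Credential Usage",
    appliesTo: /./, pattern: /\bAKIA[0-9A-Z]{16}\b/, message: "hardcoded AWS access key id" },
];

const lineOf = (text: string, index: number): number => text.slice(0, index).split("\n").length;

export function analyze(files: ProjectFile[]) {
  const findings: Finding[] = [];
  const seen = new Set<string>(); // dedupe on rule + path + line
  for (const file of files) {
    for (const rule of RULES) {
      if (!rule.appliesTo.test(file.path)) continue;
      const re = new RegExp(rule.pattern.source, "g"); // fresh global copy so lastIndex is per file
      let m: RegExpExecArray | null;
      while ((m = re.exec(file.content)) !== null) {
        const line = lineOf(file.content, m.index);
        const key = `${rule.id}:${file.path}:${line}`;
        if (seen.has(key)) continue;
        seen.add(key);
        findings.push({ ruleId: rule.id, severity: rule.severity, cwe: rule.cwe, owasp: rule.owasp,
          path: file.path, line, message: rule.message });
      }
    }
  }
  const rawScore = findings.reduce((sum, f) => sum + WEIGHTS[f.severity], 0);
  const riskScore = Math.min(100, Math.round((rawScore / EXPECTED_MAX) * 100));
  return { findings, rawScore, riskScore };
}

// Constructed sample project, not real app code. The .Admin activity is exported
// but permission-guarded and must not be flagged.
export const SAMPLE: ProjectFile[] = [
  { path: "app/src/main/AndroidManifest.xml", content: [
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example">',
    '  <application android:debuggable="true" android:allowBackup="true">',
    '    <activity android:name=".Main" android:exported="true" />',
    '    <activity android:name=".Admin" android:exported="true"',
    '              android:permission="com.example.ADMIN" />',
    '  </application>',
    '</manifest>'].join("\n") },
  { path: "app/src/main/java/com/example/Net.kt", content: [
    'package com.example',
    'const val KEY = "AKIAIOSFODNN7EXAMPLE"',
    'object TrustAll : X509TrustManager {',
    '  override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}',
    '}'].join("\n") },
];

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

With the assumed weights the sample yields five findings and a raw sum of 38, which normalizes to a risk score of 76. The negative lookahead in MAN-EXPORTED is the cheapest way to express "exported and unguarded" without a parser, but it is also why such rules produce false negatives: a permission declared on an enclosing element or applied via Gradle manifest merging is invisible to the pattern.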
```text
src/
├── index.ts                 # Worker entry point
├── server/
│   ├── mcp.ts               # MCP JSON-RPC 2.0 handler
│   └── tools/               # MCP tool implementations
│       ├── analyzeAndroidProject.ts
│       ├── listAndroidSecurityChecks.ts
│       ├── explainFinding.ts
│       └── health.ts
├── core/
│   ├── types.ts             # TypeScript types & Zod schemas
│   ├── scoring.ts           # Risk score computation
│   ├── registry.ts          # Rule registry
│   └── orchestrator.ts      # Analysis orchestrator
├── analyzers/
│   ├── manifestAnalyzer.ts
│   ├── gradleAnalyzer.ts
│   ├── sourceAnalyzer.ts
│   ├── xmlConfigAnalyzer.ts
│   └── secretScanner.ts
├── parsers/
│   ├── xml.ts               # XML parser wrapper
│   ├── gradle.ts            # Gradle file parser
│   ├── source.ts            # Source code pattern matcher
│   └── files.ts             # File classifier
├── rules/
│   ├── manifestRules.ts
│   ├── gradleRules.ts
│   ├── sourceRules.ts
│   ├── xmlRules.ts
│   └── secretRules.ts
├── mappings/
│   ├── cwe.ts               # CWE descriptions
│   └── owaspMobile.ts       # OWASP Mobile Top 10
└── utils/
    ├── lines.ts             # Line number utilities
    ├── paths.ts             # Path classification
    └── text.ts              # Text utilities
test/
├── fixtures/                # Sample Android project files
├── unit/                    # Unit tests per module
└── integration/             # Full analysis integration tests
```
To add a rule: define it in src/rules/, implement the check in the matching analyzer under src/analyzers/, add a CWE description to src/mappings/cwe.ts if needed, and register it in src/core/registry.ts.

License: MIT