mobsf

MobSF MCP Tool exposes a scanFile action that allows MCP clients to submit APK or IPA files for analysis via MobSF's REST API. This server acts as a bridge between an MCP client and MobSF, translating the MCP protocol into MobSF API calls: uploading the file, triggering the MobSF scan, and retrieving a structured report. The tool automatically filters large, verbose fields (such as raw strings or source dumps) to keep responses concise for Claude, 5ire, and other MCP-enabled clients. To use it, start the server and connect with an MCP client that supports the scanFile command. Then issue prompts like scan <your-app>.apk or scan <your-app>.ipa to receive a summarized analysis report.

Once running, you can leverage the MobSF REST API through the MCP layer without needing to manage MobSF interactions directly. The MCP interface handles file submission, scan initiation, and result aggregation, returning a structured JSON report suitable for quick review or integration into your security workflow.

Prerequisites:

• MobSF installed and running locally or accessible at your MobSF_URL
• Node.js and npm installed
• MCP typescript SDK downloaded and renamed to sdk (as per the repo guidance)

Installation steps:

1. Clone the MobSF MCP server repository (or set up the project as per your source): git clone https://github.com/yourusername/mobsf-mcp.git cd mobsf-mcp

2. Install dependencies: npm install

3. Configure environment variables: copy the example and edit as needed cp .env.example .env Edit MOBSF_API_KEY and MOBSF_URL to point to your MobSF instance

4. Start the server during development (example using tsx for TS server): npx tsx server.ts

5. Validate the server is running by sending a test request via your MCP client or curl to the configured endpoint. Ensure MobSF is reachable at the URL you configured.

Notes and tips:

• Ensure MobSF is accessible from the machine running the MCP server and that the API key is valid.
• The MCP server is designed to handle APK and IPA files only; other file types will be rejected.
• If you encounter missing dependencies, run npm install to refresh node_modules.
• When deploying, you can pin specific versions of dependencies to improve stability. Consider using a process manager (e.g., pm2) to keep the server running in production.
• If the MobSF reports large payloads, the MCP layer will trim those fields to keep responses within message size limits for Claude/5ire integrations.