MCP server for static security analysis of Android application source code. Runs on Cloudflare Workers as a remote MCP server over Streamable HTTP.
Analyzes Android project source files — without building the project — and returns a structured security report. The analysis covers:
- Manifest analysis — exported components, dangerous permissions, cleartext traffic, debug flags, backup settings, SDK versions
- Gradle/build config — release build misconfigurations, outdated SDKs, suspicious dependencies, hardcoded secrets
- Source code (Java/Kotlin) — insecure WebView, SSL/TLS bypass, weak crypto, SQL injection patterns, process execution, insecure file storage, PendingIntent issues
- XML configuration — network security config weaknesses, overly broad file provider paths
- Secret scanning — API keys, tokens, passwords, private keys, cloud credentials, high-entropy strings
All analysis is regex/pattern-based and runs natively in the Workers runtime with no external tools, Java, or Android SDK required.
```text
POST /mcp ──► McpServer (JSON-RPC 2.0) ──► Tool Router
                                                │
                            ┌───────────────────┘
                            ▼
                      Orchestrator
                            │
     ┌──────────┬───────────┼────────────┬───────────┐
     ▼          ▼           ▼            ▼           ▼
 Manifest    Gradle    Source Code  XML Config    Secret
 Analyzer   Analyzer    Analyzer     Analyzer     Scanner
     │          │           │            │           │
     └──────────┴───────────┴────────────┴───────────┘
                            │
                            ▼
                Scoring + Deduplication ──► AnalysisReport
```
Key design decisions:
- Stateless — no sessions, no Durable Objects
- Minimal MCP JSON-RPC 2.0 implementation (no heavy SDK dependencies)
- Data-driven rule engine with extensible rule registry
- Independent analyzers with unified Finding type
- Lightweight XML parsing via `fast-xml-parser`
- Input validation via `zod`
- Bundle size: ~66KB gzipped
| Tool | Description |
|---|---|
| `analyze_android_project` | Full security analysis of project files |
| `list_android_security_checks` | List all implemented security rules |
| `explain_finding` | Detailed explanation of a specific rule |
| `health` | Server status and rule engine stats |
Hosted server (recommended for Cline / MCP clients): no local install needed. The server runs at:
https://android-security-analyzer.ako-labs.workers.dev/mcp
Add this URL to your MCP client configuration (see Connecting from an MCP client below).
Local development:

```bash
npm install
npm run dev
```

This starts a local Wrangler dev server. The MCP endpoint is available at http://localhost:8787/mcp.

```bash
npm run deploy
```

Deploys to Cloudflare Workers. Requires wrangler authentication (`npx wrangler login`).

```bash
npm test            # Run all tests
npm run test:watch  # Watch mode
npm run typecheck   # TypeScript type checking
```

Initialize:

Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'
```

Windows (PowerShell):

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' -UseBasicParsing).Content
```

List tools:

Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'
```

Windows (PowerShell): the tool list is returned in `result.tools`; to see it as JSON, print the raw response:

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' -UseBasicParsing).Content
```

Or through the parsed object: `(Invoke-RestMethod ...).result.tools | ConvertTo-Json -Depth 5`
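The same exchange driven from a script instead of by hand: the following is an added example, not part of the project or of any MCP client, that walks a local Android project tree, keeps only the file types the analyzers act on (the extension list and skipped directories are this example's assumptions about what is worth uploading), sends `initialize` and then a `tools/call` to `analyze_android_project`, and prints the result. The endpoint defaults to the local dev server and can be overridden with an `MCP_URL` environment variable (a convention of this script, not of the server).

```typescript
// Added example client for the analyzer (not the project's own code).
// Assumptions: the server accepts the same JSON-RPC bodies as the curl
// examples, and only the listed file extensions are worth uploading.
import { readdirSync, readFileSync, statSync } from "node:fs";
import { basename, extname, join, relative } from "node:path";

const MCP_URL = process.env.MCP_URL ?? "http://localhost:8787/mcp";

// File types the manifest/gradle/source/XML/secret analyzers act on
// (assumption; binaries such as .apk/.png are skipped to keep requests small).
const EXTENSIONS = new Set([".xml", ".gradle", ".kts", ".java", ".kt", ".properties", ".pro"]);
// Generated and tooling directories that never hold reviewable sources.
const SKIP_DIRS = new Set(["build", ".gradle", ".idea", ".git", "node_modules"]);

export interface ProjectFile {
  path: string;    // project-relative, forward slashes
  content: string;
}

export interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number;
  method: string;
  params?: any;
}

export function isAnalyzable(relPath: string): boolean {
  const dirs = relPath.split(/[\\/]/).slice(0, -1);
  if (dirs.some((d) => SKIP_DIRS.has(d))) return false;
  return EXTENSIONS.has(extname(relPath).toLowerCase());
}

export function collectProjectFiles(root: string): ProjectFile[] {
  const files: ProjectFile[] = [];
  const walk = (dir: string): void => {
    for (const name of readdirSync(dir)) {
      const full = join(dir, name);
      if (statSync(full).isDirectory()) {
        if (!SKIP_DIRS.has(name)) walk(full);
        continue;
      }
      const rel = relative(root, full).split("\\").join("/");
      if (isAnalyzable(rel)) files.push({ path: rel, content: readFileSync(full, "utf8") });
    }
  };
  walk(root);
  return files;
}

// JSON-RPC 2.0 envelope, same shape as the curl bodies above.
export function rpc(id: number, method: string, params?: unknown): JsonRpcRequest {
  return params === undefined ? { jsonrpc: "2.0", id, method } : { jsonrpc: "2.0", id, method, params };
}

export function buildAnalyzeRequest(projectName: string, files: ProjectFile[], id = 4): JsonRpcRequest {
  return rpc(id, "tools/call", { name: "analyze_android_project", arguments: { projectName, files } });
}

async function post(url: string, body: JsonRpcRequest): Promise<any> {
  const res = await (globalThis as any).fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
  const msg = await res.json();
  if (msg.error) throw new Error(`JSON-RPC error ${msg.error.code}: ${msg.error.message}`);
  return msg.result;
}

export async function analyzeProject(root: string, url = MCP_URL): Promise<any> {
  await post(url, rpc(1, "initialize", {
    protocolVersion: "2025-03-26",
    capabilities: {},
    clientInfo: { name: "android-sec-client", version: "1.0" },
  }));
  const files = collectProjectFiles(root);
  if (files.length === 0) throw new Error(`no analyzable files under ${root}`);
  return post(url, buildAnalyzeRequest(basename(root), files));
}

// Usage: npx tsx analyze.ts /path/to/android-project
if (process.argv[2]) {
  analyzeProject(process.argv[2])
    .then((result) => console.log(JSON.stringify(result, null, 2)))
    .catch((err: Error) => { console.error(err.message); process.exit(1); });
}
```

The whole project travels in one request body, so the directory skip list matters on real projects: `build/` output alone can be many megabytes, and the Workers memory limit listed under the limitations below applies to what the server has to hold while analyzing.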
Call the health tool:

Unix:

```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}'
```

Windows (PowerShell):

```powershell
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}' -UseBasicParsing).Content
```

Analyze a project (a single inline manifest):

Unix:
```bash
curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 4,
    "method": "tools/call",
    "params": {
      "name": "analyze_android_project",
      "arguments": {
        "projectName": "TestApp",
        "files": [
          {
            "path": "app/src/main/AndroidManifest.xml",
            "content": "<manifest><application android:debuggable=\"true\" android:allowBackup=\"true\"></application></manifest>"
          }
        ]
      }
    }
  }'
```

Windows (PowerShell):
```powershell
$body = @{
  jsonrpc = "2.0"
  id = 4
  method = "tools/call"
  params = @{
    name = "analyze_android_project"
    arguments = @{
      projectName = "TestApp"
      files = @(
        @{
          path = "app/src/main/AndroidManifest.xml"
          content = "<manifest><application android:debuggable=`"true`" android:allowBackup=`"true`"></application></manifest>"
        }
      )
    }
  }
} | ConvertTo-Json -Depth 10
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body $body -UseBasicParsing).Content
```

Add to your MCP client configuration:
```json
{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "http://localhost:8787/mcp"
    }
  }
}
```

For production (hosted):
```json
{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "https://android-security-analyzer.ako-labs.workers.dev/mcp"
    }
  }
}
```

The analyzer implements 53 security rules across 5 categories:
| Category | Prefix | Rules | Examples |
|---|---|---|---|
| Manifest | MAN-* | 17 | debuggable, allowBackup, exported components, permissions |
| Gradle | GRD-* | 9 | release config, SDK versions, dependencies, secrets |
| Source | SRC-* | 17 | WebView, SSL/TLS, crypto, injection, file storage |
| XML Config | XML-* | 4 | network security config, file provider paths |
| Secret | SEC-* | 7 | API keys, tokens, passwords, cloud credentials |
Each finding includes:
- Stable rule ID
- Severity (critical/high/medium/low/info) and confidence (high/medium/low)
- File path and line number (when determinable)
- Evidence snippet
- CWE and OWASP Mobile Top 10 mappings
- Actionable recommendation
Risk score (0-100) is computed from finding severities:
- Critical: 9 points
- High: 6 points
- Medium: 3 points
- Low: 1 point
- Info: 0 points
The raw sum is normalized against an expected maximum of 50 points.
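The scoring stage in code, as an added example that is not the project's `scoring.ts`: the point values are the ones listed above; the normalization is taken to mean `raw / 50 * 100` clamped to 100 (an assumption about how the "expected maximum" is applied), and the deduplication that the architecture diagram places before scoring is assumed to collapse repeats of the same rule at the same file and line. Rule IDs in the sample follow the page's prefix scheme but are hypothetical.

```typescript
// Added example of the scoring stage (not the project's scoring.ts).
// Assumption: "normalized against an expected maximum of 50 points" means
// score = raw / 50 * 100, clamped to 100 once a project exceeds 50 raw points.
export type Severity = "critical" | "high" | "medium" | "low" | "info";

export const SEVERITY_POINTS: Record<Severity, number> = {
  critical: 9, high: 6, medium: 3, low: 1, info: 0,
};
export const EXPECTED_MAX_POINTS = 50;

export interface Finding {
  ruleId: string;
  severity: Severity;
  file: string;
  line?: number;
}

// Assumption: deduplication collapses repeats of the same rule at the same
// file and line (e.g. two analyzers flagging one attribute), so a duplicate
// never counts twice toward the score.
export function dedupe(findings: Finding[]): Finding[] {
  const seen = new Set<string>();
  return findings.filter((f) => {
    const key = `${f.ruleId}|${f.file}|${f.line ?? ""}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

export function rawPoints(findings: Finding[]): number {
  return findings.reduce((sum, f) => sum + SEVERITY_POINTS[f.severity], 0);
}

export function riskScore(findings: Finding[]): number {
  const raw = rawPoints(dedupe(findings));
  // Integer arithmetic first, so 31 points gives exactly 62 rather than 62.00000000000001.
  return Math.min(100, Math.round((raw * 100) / EXPECTED_MAX_POINTS));
}

export function severityCounts(findings: Finding[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  for (const f of dedupe(findings)) counts[f.severity]++;
  return counts;
}

// Constructed findings with hypothetical rule IDs in the page's prefix scheme.
export const SAMPLE: Finding[] = [
  { ruleId: "MAN-DEBUGGABLE", severity: "high", file: "app/src/main/AndroidManifest.xml", line: 2 },
  { ruleId: "MAN-DEBUGGABLE", severity: "high", file: "app/src/main/AndroidManifest.xml", line: 2 }, // duplicate
  { ruleId: "SRC-TRUST-ALL-CERTS", severity: "critical", file: "app/src/main/java/com/example/Net.kt", line: 40 },
  { ruleId: "SEC-AWS-ACCESS-KEY", severity: "critical", file: "app/build.gradle", line: 12 },
  { ruleId: "MAN-ALLOW-BACKUP", severity: "medium", file: "app/src/main/AndroidManifest.xml", line: 3 },
  { ruleId: "XML-CLEARTEXT-PERMITTED", severity: "medium", file: "app/src/main/res/xml/network_security_config.xml", line: 5 },
  { ruleId: "GRD-OLD-TARGET-SDK", severity: "low", file: "app/build.gradle", line: 7 },
  { ruleId: "MAN-MIN-SDK-INFO", severity: "info", file: "app/src/main/AndroidManifest.xml", line: 1 },
];
// riskScore(SAMPLE) -> 62: 31 raw points after the duplicate is dropped (37 before).
```

Two consequences of this scale are worth keeping in mind when reading a report: a single hardcoded cloud credential (critical, 9 points) already puts a project at 18, and anything past 50 raw points saturates at 100, so two projects with very different finding counts can share the top score.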
- Not a SAST replacement — pattern/regex-based heuristics, not full AST/dataflow analysis
- No build required — analyzes raw source, so build-time transforms are not visible
- False positives possible — especially for secret scanning and some code patterns
- Workers constraints — 128MB memory limit, CPU time limits, no filesystem access
- No APK/AAB analysis — source code only
- No inter-procedural analysis — patterns are matched per-file, not across call graphs
```text
src/
├── index.ts                 # Worker entry point
├── server/
│   ├── mcp.ts               # MCP JSON-RPC 2.0 handler
│   └── tools/               # MCP tool implementations
│       ├── analyzeAndroidProject.ts
│       ├── listAndroidSecurityChecks.ts
│       ├── explainFinding.ts
│       └── health.ts
├── core/
│   ├── types.ts             # TypeScript types & Zod schemas
│   ├── scoring.ts           # Risk score computation
│   ├── registry.ts          # Rule registry
│   └── orchestrator.ts      # Analysis orchestrator
├── analyzers/
│   ├── manifestAnalyzer.ts
│   ├── gradleAnalyzer.ts
│   ├── sourceAnalyzer.ts
│   ├── xmlConfigAnalyzer.ts
│   └── secretScanner.ts
├── parsers/
│   ├── xml.ts               # XML parser wrapper
│   ├── gradle.ts            # Gradle file parser
│   ├── source.ts            # Source code pattern matcher
│   └── files.ts             # File classifier
├── rules/
│   ├── manifestRules.ts
│   ├── gradleRules.ts
│   ├── sourceRules.ts
│   ├── xmlRules.ts
│   └── secretRules.ts
├── mappings/
│   ├── cwe.ts               # CWE descriptions
│   └── owaspMobile.ts       # OWASP Mobile Top 10
└── utils/
    ├── lines.ts             # Line number utilities
    ├── paths.ts             # Path classification
    └── text.ts              # Text utilities
test/
├── fixtures/                # Sample Android project files
├── unit/                    # Unit tests per module
└── integration/             # Full analysis integration tests
```
To add a new rule:

- Define the rule in the appropriate file under `src/rules/`
- Add detection logic in the corresponding analyzer under `src/analyzers/`
- Add a CWE mapping in `src/mappings/cwe.ts` if needed
- Add a test case
- The rule is automatically registered via `src/core/registry.ts`
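What a data-driven, regex-based rule and the loop that applies it look like, as an added example that is not the project's own `rules/` or `analyzers/` code: a rule carries its stable ID, severity, confidence, CWE and OWASP Mobile mapping, the path pattern it applies to, the content pattern, and the recommendation, and the analyzer turns each match into a finding with a line number and an evidence snippet. The rule IDs, wording, mappings and the sample manifest are constructed for illustration (the project's real rule names differ); the last rule also shows the kind of per-tag check a pure regex engine can and cannot do.

```typescript
// Added example of the rule-engine shape (not the project's rules/ or
// analyzers/ code). Rule IDs, wording, CWE/OWASP mappings and the manifest
// below are constructed for illustration.
export type Severity = "critical" | "high" | "medium" | "low" | "info";
export type Confidence = "high" | "medium" | "low";

export interface Rule {
  id: string;
  title: string;
  severity: Severity;
  confidence: Confidence;
  cwe: string;
  owasp: string;
  appliesTo: RegExp;   // matched against the file path
  pattern: RegExp;     // matched against the file content
  recommendation: string;
}

export interface Finding {
  ruleId: string; severity: Severity; confidence: Confidence;
  file: string; line: number; evidence: string;
  cwe: string; owasp: string; recommendation: string;
}

const manifest = /AndroidManifest\.xml$/;

// The registry: adding a rule is adding an entry here.
export const RULES: Rule[] = [
  { id: "MAN-DEBUGGABLE", title: "Application is debuggable", severity: "high", confidence: "high",
    cwe: "CWE-489", owasp: "M8: Security Misconfiguration", appliesTo: manifest,
    pattern: /android:debuggable\s*=\s*"true"/,
    recommendation: "Remove android:debuggable=\"true\"; let the debug build type set it." },
  { id: "MAN-ALLOW-BACKUP", title: "Backup of app data allowed", severity: "medium", confidence: "high",
    cwe: "CWE-530", owasp: "M8: Security Misconfiguration", appliesTo: manifest,
    pattern: /android:allowBackup\s*=\s*"true"/,
    recommendation: "Set android:allowBackup=\"false\" or exclude sensitive files via backup rules." },
  { id: "MAN-CLEARTEXT", title: "Cleartext traffic permitted", severity: "high", confidence: "high",
    cwe: "CWE-319", owasp: "M5: Insecure Communication", appliesTo: manifest,
    pattern: /android:usesCleartextTraffic\s*=\s*"true"/,
    recommendation: "Set usesCleartextTraffic=\"false\" and enforce TLS in network_security_config.xml." },
  { id: "MAN-EXPORTED-NO-PERMISSION", title: "Exported component without permission", severity: "medium", confidence: "medium",
    cwe: "CWE-926", owasp: "M8: Security Misconfiguration", appliesTo: manifest,
    // Within one tag ([^>]* cannot cross the closing '>'): exported="true" with no android:permission after it.
    pattern: /<(?:activity|service|receiver|provider)\b[^>]*android:exported\s*=\s*"true"(?![^>]*android:permission)/,
    recommendation: "Set android:exported=\"false\" unless the component must be public; otherwise guard it with android:permission." },
];

// 1-based line of a character offset, for findings that carry a line number.
export function lineOf(text: string, index: number): number {
  let line = 1;
  for (let i = 0; i < index; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

export function runRules(file: { path: string; content: string }, rules: Rule[] = RULES): Finding[] {
  const findings: Finding[] = [];
  for (const rule of rules) {
    if (!rule.appliesTo.test(file.path)) continue;
    const re = new RegExp(rule.pattern.source, rule.pattern.flags.replace("g", "") + "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(file.content)) !== null) {
      findings.push({ ruleId: rule.id, severity: rule.severity, confidence: rule.confidence,
        file: file.path, line: lineOf(file.content, m.index),
        evidence: m[0].replace(/\s+/g, " ").slice(0, 120),
        cwe: rule.cwe, owasp: rule.owasp, recommendation: rule.recommendation });
      if (m[0].length === 0) re.lastIndex++;   // guard against zero-width patterns looping forever
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// What list_android_security_checks / explain_finding would expose for this registry.
export const listChecks = () => RULES.map((r) => ({ id: r.id, title: r.title, severity: r.severity }));
export const explainRule = (id: string) => RULES.find((r) => r.id === id);

// Constructed manifest: line 6 is exported but guarded by a permission, so the last rule must not fire on it.
export const SAMPLE_MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true" />
    <service android:name=".Sync" android:exported="true" android:permission="com.example.SYNC" />
  </application>
</manifest>`;
```

The last rule is also where the "not a SAST replacement" caveat bites: the regex sees one tag, so an `<intent-filter>` child that makes a component implicitly exported on older SDKs, or a permission declared with a `normal` protection level, is invisible to it, and that is the class of finding that needs the medium rather than high confidence.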
MIT