APK Security MCP Server

Provides multi-tool APK security analysis via MCP endpoints for JEB, JADX, APKTool, FlowDroid, and MobSF.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "cc-apk-apk-security-guard-mcp-suite": {
      "url": "http://localhost:16161",
      "headers": {
        "JAVA_HOME": "/path/to/java_home",
        "MOBSF_URL": "http://localhost:8000",
        "MOBSF_API_KEY": "your_api_key_here",
        "FLOWDROID_JAR_PATH": "/path/to/flowdroid.jar",
        "FLOWDROID_WORKSPACE": "flowdroid_workspace"
      }
    }
  }
}

This MCP Server consolidates multiple APK security analysis tools into a shared, scriptable interface. You can run independent analyses with JEB, JADX, APKTool, FlowDroid, and MobSF, then combine results into a comprehensive vulnerability report. This approach increases coverage, speeds up investigations, and lets you orchestrate security checks from a single client or editor integration.

How to use

You interact with the server through an MCP client that can start, query, and manage the five integrated analysis tools. For a given APK, you can request static decompilation data, manifest details, decompiled source, taint analysis results, and security reports. The client can also request combined results that prioritize findings reported by multiple tools, so you can focus on the most credible issues.

How to install

Prerequisites: you need Node.js and Python installed on your machine, plus any runtime environments required by the individual MCP tools.

Install dependencies and set up the MobSF integration, then install the specific MCP components to enable local servers for each tool.

Follow these concrete steps to get started with the server locally:

Additional sections

Configuration and environment notes are shown below. These blocks pull from the built-in MCP configurations for the JEB, JADX, FlowDroid, and MobSF integrations. Start each local MCP server according to its documented command, then point the MCP client at the appropriate endpoints.

Available tools

JEB MCP

JEB-based MCP endpoint offering manifest, decompiled code, and analysis utilities for APKs.

JADX MCP

JADX MCP endpoint providing class listings, decompiled sources, and code exploration APIs.

APKTool MCP

APKTool-based MCP endpoints for decoding, rebuilding, and resource inspection.

MobSF MCP

MobSF-based MCP endpoints for uploading apps, retrieving scans, and accessing detailed report sections.

FlowDroid MCP

FlowDroid MCP endpoint for taint analysis and extraction of sources/sinks.

APK Security MCP Server - cc-apk/apk-security-guard-mcp-suite