performing-android-app-static-analysis-with-mobsf
Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review.
Works with
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Install Skill
Run in your terminal
0
installs
0
this week
8.6K
stars
Installation Guide
How to use performing-android-app-static-analysis-with-mobsf on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your machine
- ›Node.js 16+ with npm — verify with
node --version - ›Active project directory where you want to add
performing-android-app-static-analysis-with-mobsf
Run the install command
Execute the skills CLI command in your project's root directory to begin installation:
Fetches performing-android-app-static-analysis-with-mobsf from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-android-app-static-analysis-with-mobsf. Access via /performing-android-app-static-analysis-with-mobsf in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Documentation
| name | performing-android-app-static-analysis-with-mobsf |
| description | 'Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review. ' |
| domain | cybersecurity |
| subdomain | mobile-security |
| author | mahipal |
| tags | - mobile-security - android - mobsf - static-analysis - owasp-mobile - penetration-testing |
| version | 1.0.0 |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - PR.AA-05 - ID.RA-01 - DE.CM-09 |
Performing Android App Static Analysis with MobSF
When to Use
Use this skill when:
- Conducting security assessment of Android APK or AAB files before production release
- Integrating automated mobile security scanning into CI/CD pipelines
- Performing initial triage of Android applications during penetration testing engagements
- Reviewing third-party Android applications for supply chain security risks
Do not use this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.
Prerequisites
- MobSF v4.x installed via Docker (
docker pull opensecurity/mobile-security-framework-mobsf) or local setup - Target Android APK, AAB, or source code ZIP
- Python 3.10+ for MobSF REST API integration
- JADX decompiler (bundled with MobSF) for Java/Kotlin source recovery
- Network access to MobSF web interface (default: http://localhost:8000)
Workflow
Step 1: Deploy MobSF and Obtain API Key
Launch MobSF using Docker for isolated, reproducible scanning:
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Retrieve the REST API key from the MobSF web interface at http://localhost:8000/api_docs or from the startup console output. The API key enables programmatic scanning.
Step 2: Upload APK for Static Analysis
Upload the target APK using the MobSF REST API:
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
Response includes the hash identifier used for subsequent API calls. MobSF automatically decompiles the APK using JADX, extracts the AndroidManifest.xml, and indexes all resources.
Step 3: Trigger and Retrieve Static Scan Results
Initiate the static scan and retrieve results:
# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: <API_KEY>" \
-d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"
# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>"
Step 4: Analyze Critical Findings
MobSF static analysis covers these categories mapped to OWASP Mobile Top 10 2024:
Manifest Analysis (M8 - Security Misconfiguration):
- Exported activities, services, receivers, and content providers without permission guards
android:debuggable="true"left enabledandroid:allowBackup="true"enabling data extraction via ADB- Missing
android:networkSecurityConfigfor certificate pinning
Code Analysis (M1 - Improper Credential Usage):
- Hardcoded API keys, passwords, and tokens in Java/Kotlin source
- Insecure SharedPreferences usage for storing sensitive data
- Weak or broken cryptographic implementations (ECB mode, static IV, hardcoded keys)
Network Security (M5 - Insecure Communication):
- Missing certificate pinning configuration
- Custom TrustManagers that accept all certificates
- Cleartext HTTP traffic allowed without exception domains
Binary Analysis (M7 - Insufficient Binary Protections):
- Missing ProGuard/R8 obfuscation
- Native library vulnerabilities (stack canaries, NX bit, PIE)
- Debugger detection absence
Step 5: Generate and Export Reports
Export findings in multiple formats for stakeholder communication:
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.pdf
# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.json
Step 6: Integrate into CI/CD Pipeline
Add MobSF scanning as a build gate:
# GitHub Actions example
- name: MobSF Static Analysis
run: |
UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
HASH=$(echo $UPLOAD | jq -r '.hash')
curl -s -X POST http://mobsf:8000/api/v1/scan \
-H "Authorization: $MOBSF_API_KEY" \
-d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
-H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
if [ "$SCORE" -lt 60 ]; then exit 1; fi
Key Concepts
| Term | Definition |
|---|---|
| Static Analysis | Examination of application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| APK Decompilation | Process of recovering Java/Kotlin source from compiled Dalvik bytecode using tools like JADX or apktool |
| AndroidManifest.xml | Configuration file declaring app components, permissions, and security attributes; primary target for manifest analysis |
| Certificate Pinning | Technique binding an app to specific server certificates to prevent man-in-the-middle attacks via rogue CAs |
| ProGuard/R8 | Code obfuscation and shrinking tools that make reverse engineering more difficult by renaming classes and removing unused code |
Tools & Systems
- MobSF: Automated mobile security analysis framework supporting static and dynamic analysis of Android/iOS apps
- JADX: Dex-to-Java decompiler for recovering readable source code from Android APK files
- apktool: Tool for reverse engineering Android APK files, decoding resources to near-original form
- Android Lint: Google's static analysis tool for Android-specific code quality and security issues
- Semgrep: Pattern-based static analysis engine with mobile-specific rule packs for custom vulnerability detection
Common Pitfalls
- Ignoring false positives: MobSF flags patterns like
passwordin variable names even when not storing actual credentials. Triage all HIGH findings manually before reporting. - Missing obfuscated code: Static analysis accuracy drops significantly against obfuscated apps. Supplement with dynamic analysis for apps using DexGuard or custom packers.
- Outdated MobSF rules: Security rules evolve with Android API levels. Ensure MobSF is updated to match the target app's
targetSdkVersion. - Skipping native code analysis: MobSF analyzes Java/Kotlin but has limited coverage of native C/C++ libraries. Use
checksecand manual review for.sofiles.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases
Exploratory Data Analysis
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Data Cleaning & Transformation
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Statistical Analysis
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
Get statistically sound analysis without PhD in statistics
Data Visualization
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Implementation Guide
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Python environment (pandas, numpy, matplotlib) or SQL database access
- ›Basic understanding of data analysis concepts
- ›Sample datasets for testing skill capabilities
Time Estimate
20-40 minutes to set up and run first analysis
Steps
- 1Install data analysis skill using provided command
- 2Prepare a sample dataset (CSV, JSON, or database connection)
- 3Start with descriptive statistics: 'Summarize this dataset'
- 4Progress to visualization: 'Create a scatter plot of X vs Y'
- 5Advanced analysis: 'Run linear regression and interpret results'
- 6Validate outputs: check calculations, verify visualizations make sense
- 7Document analysis workflow for reproducibility
Common Pitfalls
- ⚠Not validating statistical assumptions before applying tests
- ⚠Accepting visualizations without checking data accuracy
- ⚠Overlooking data quality issues (missing values, outliers)
- ⚠Misinterpreting correlation as causation
- ⚠Using wrong statistical test for data distribution
- ⚠Not considering sample size and statistical power
Best Practices
✓ Do
- +Always validate data quality before analysis
- +Check statistical assumptions (normality, independence, etc.)
- +Visualize data before running statistical tests
- +Document analysis steps for reproducibility
- +Cross-validate findings with domain experts
- +Use skill for initial exploration, then dive deeper manually
- +Save generated code for reuse on similar datasets
✗ Don't
- −Don't trust analysis without verifying data quality
- −Don't apply statistical tests without checking assumptions
- −Don't make business decisions solely on AI-generated analysis
- −Don't ignore outliers without investigating cause
- −Don't skip data validation and sanity checks
- −Don't use for mission-critical financial or medical analysis without expert review
💡 Pro Tips
- ★Describe data context: 'This is user behavior data from e-commerce site'
- ★Ask for interpretation: 'What does this correlation mean for business?'
- ★Request multiple approaches: 'Show 3 ways to handle missing data'
- ★Combine AI analysis with domain expertise for best insights
- ★Use for rapid prototyping, then refine analysis manually
When to Use This
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
Learning Path
- 1Basic: descriptive statistics, data cleaning, simple visualizations
- 2Intermediate: hypothesis testing, regression, correlation analysis
- 3Advanced: time series analysis, clustering, predictive modeling
- 4Expert: causal inference, experimental design, advanced statistical methods
Related Skills
exploiting-deeplink-vulnerabilities
3mukul975/Anthropic-Cybersecurity-Skills
analyzing-android-malware-with-apktool
1mukul975/Anthropic-Cybersecurity-Skills
performing-cryptographic-audit-of-application
5mukul975/Anthropic-Cybersecurity-Skills
implementing-soar-playbook-with-palo-alto-xsoar
3mukul975/Anthropic-Cybersecurity-Skills
generating-threat-intelligence-reports
2mukul975/Anthropic-Cybersecurity-Skills
analyzing-network-traffic-with-wireshark
2mukul975/Anthropic-Cybersecurity-Skills
Reviews
- AAva White★★★★★Dec 12, 2024
Useful defaults in performing-android-app-static-analysis-with-mobsf — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- PPratham Ware★★★★★Dec 8, 2024
performing-android-app-static-analysis-with-mobsf has been reliable in day-to-day use. Documentation quality is above average for community skills.
- CChaitanya Patil★★★★★Dec 4, 2024
I recommend performing-android-app-static-analysis-with-mobsf for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- HHiroshi Zhang★★★★★Nov 27, 2024
performing-android-app-static-analysis-with-mobsf reduced setup friction for our internal harness; good balance of opinion and flexibility.
- PPiyush G★★★★★Nov 23, 2024
Useful defaults in performing-android-app-static-analysis-with-mobsf — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- AAanya Zhang★★★★★Nov 3, 2024
I recommend performing-android-app-static-analysis-with-mobsf for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- MMateo Farah★★★★★Oct 22, 2024
performing-android-app-static-analysis-with-mobsf reduced setup friction for our internal harness; good balance of opinion and flexibility.
- SShikha Mishra★★★★★Oct 14, 2024
performing-android-app-static-analysis-with-mobsf is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- HHarper Jackson★★★★★Sep 25, 2024
performing-android-app-static-analysis-with-mobsf fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- NNikhil Thompson★★★★★Aug 16, 2024
Registry listing for performing-android-app-static-analysis-with-mobsf matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 25
Discussion
Comments — not star reviews- No comments yet — start the thread.