Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-android-app-static-analysis-with-mobsfExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-android-app-static-analysis-with-mobsf from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-android-app-static-analysis-with-mobsf. Access via /performing-android-app-static-analysis-with-mobsf in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-android-app-static-analysis-with-mobsf |
| description | 'Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review. ' |
| domain | cybersecurity |
| subdomain | mobile-security |
| author | mahipal |
| tags | - mobile-security - android - mobsf - static-analysis - owasp-mobile - penetration-testing |
| version | 1.0.0 |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - PR.AA-05 - ID.RA-01 - DE.CM-09 |
Use this skill when:
Do not use this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.
docker pull opensecurity/mobile-security-framework-mobsf) or local setupLaunch MobSF using Docker for isolated, reproducible scanning:
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Retrieve the REST API key from the MobSF web interface at http://localhost:8000/api_docs or from the startup console output. The API key enables programmatic scanning.
Upload the target APK using the MobSF REST API:
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
Response includes the hash identifier used for subsequent API calls. MobSF automatically decompiles the APK using JADX, extracts the AndroidManifest.xml, and indexes all resources.
Initiate the static scan and retrieve results:
# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: <API_KEY>" \
-d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"
# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>"
MobSF static analysis covers these categories mapped to OWASP Mobile Top 10 2024:
Manifest Analysis (M8 - Security Misconfiguration):
android:debuggable="true" left enabledandroid:allowBackup="true" enabling data extraction via ADBandroid:networkSecurityConfig for certificate pinningCode Analysis (M1 - Improper Credential Usage):
Network Security (M5 - Insecure Communication):
Binary Analysis (M7 - Insufficient Binary Protections):
Export findings in multiple formats for stakeholder communication:
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.pdf
# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.json
Add MobSF scanning as a build gate:
# GitHub Actions example
- name: MobSF Static Analysis
run: |
UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
HASH=$(echo $UPLOAD | jq -r '.hash')
curl -s -X POST http://mobsf:8000/api/v1/scan \
-H "Authorization: $MOBSF_API_KEY" \
-d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
-H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
if [ "$SCORE" -lt 60 ]; then exit 1; fi
| Term | Definition |
|---|---|
| Static Analysis | Examination of application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| APK Decompilation | Process of recovering Java/Kotlin source from compiled Dalvik bytecode using tools like JADX or apktool |
| AndroidManifest.xml | Configuration file declaring app components, permissions, and security attributes; primary target for manifest analysis |
| Certificate Pinning | Technique binding an app to specific server certificates to prevent man-in-the-middle attacks via rogue CAs |
| ProGuard/R8 | Code obfuscation and shrinking tools that make reverse engineering more difficult by renaming classes and removing unused code |
password in variable names even when not storing actual credentials. Triage all HIGH findings manually before reporting.targetSdkVersion.checksec and manual review for .so files.Get statistically sound analysis without PhD in statistics
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Prerequisites
Time Estimate
20-40 minutes to set up and run first analysis
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Useful defaults in performing-android-app-static-analysis-with-mobsf — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-android-app-static-analysis-with-mobsf has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend performing-android-app-static-analysis-with-mobsf for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-android-app-static-analysis-with-mobsf reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in performing-android-app-static-analysis-with-mobsf — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend performing-android-app-static-analysis-with-mobsf for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-android-app-static-analysis-with-mobsf reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-android-app-static-analysis-with-mobsf is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-android-app-static-analysis-with-mobsf fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for performing-android-app-static-analysis-with-mobsf matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 25