# 📱 Mobile App Testing MCP
An MCP Server for Android security testing scenarios, focusing on the following capabilities:
- ADB device and application operation automation
- AAPT APK information analysis
- JADX decompilation and code auditing support
- Static security scanning (key leakage, weak encryption, debugging leakage)
The project follows the standard `stdio` MCP protocol and can be connected to Claude, Codex, and other MCP clients.
## ✨ Core Features
- Out-of-the-box startup script: `npm start` will first detect dependencies and then start the service
- Automatically download JADX on the first run (default `v1.5.5`)
- Resolves tool paths with multi-level fallback: `.env`, then the Android SDK path, then the system `PATH`
- Built-in health-check chain: `check` + `smoke` + `verify`
- Comprehensive static analysis can directly export a unified audit report (`json` / `md` / `sarif`)
- Added session pre-check and one-click reproduction pipeline (including evidence package `manifest.json`)
## 📌 Capability Boundary
- Currently positioned as **Android App Testing MCP**
- Frida / Gadget dynamic injection capabilities have been removed
- Dynamic Hook class testing is not within the scope of the current tool
## 🚀 Startup Process (Simplest)
```bash
# 1) Clone and enter the directory
git clone https://github.com/your-username/mobile-app-testing-mcp.git
cd mobile-app-testing-mcp
# 2) Install and build
npm run setup
# 3) Start MCP
npm start
```
These three steps are enough to get running; any further configuration can be added later.
## 🔌 One-Click Installation to Client
```bash
# Install to Codex + Claude simultaneously
npm run install:mcp
# Install only to Codex
npm run install:mcp:codex
# Install only to Claude
npm run install:mcp:claude
```
The installation script will:
1. Automatically locate the client configuration file (`~/.codex/config.toml`, Claude Desktop configuration)
2. Write the `mobile-app-testing` MCP Server entry (pointing to `scripts/start.js`)
3. Automatically back up the original file before making changes (`.bak.<timestamp>`)
## 🧭 What `npm start` Does Automatically
`npm start` actually executes `node scripts/start.js`, and will automatically do the following before starting:
1. Detect the local path of `adb` / `aapt` / `jadx` (`.env`, Android SDK, PATH)
2. If `jadx` is missing and `AUTO_DOWNLOAD_JADX=true`, automatically download and unzip it
3. Print suggestions for fixing missing dependencies, and then start the service
Default JADX download address:
`https://github.com/skylot/jadx/releases/download/v1.5.5/jadx-1.5.5.zip`
## 🛠 Environment Requirements
- Node.js `>= 18`
- Android SDK (at least including `platform-tools`, recommended to include `build-tools`)
- JADX (optional, can be automatically downloaded by the startup script)
## ⚙️ Common Commands
```bash
npm run setup # Install dependencies + build
npm start # Start (including dependency detection and JADX automatic download)
npm run verify # Complete verification (build + check + smoke)
npm run check # Only check local dependencies
npm run smoke # Only do MCP smoke test
npm run build # Clean dist and recompile
npm run dev # Build and start (same as start)
```
## 🔧 `.env` Configuration
Copy `.env.example` to `.env`, and the common configurations are as follows:
- `ANDROID_HOME` / `ANDROID_SDK_ROOT`: Android SDK path (recommended setting)
- `ADB_PATH`: Absolute path to the adb executable (optional)
- `AAPT_PATH`: Absolute path to the aapt executable (optional)
- `JADX_PATH`: Absolute path to the jadx executable (optional)
- `EMULATOR_PATH`: Path to the Android emulator executable (optional; enables AVD list/start/stop)
- `AUTO_DOWNLOAD_JADX`: Whether to download JADX automatically (default `true`)
- `JADX_VERSION`: JADX version to download automatically (default `1.5.5`)
- `JADX_DOWNLOAD_URL`: JADX download URL (overrides the default address)
- `SCREENSHOTS_DIR` / `RECORDINGS_DIR` / `DECOMPILED_DIR` / `LOGS_DIR`: Working directories
## 🔌 MCP Client Access
The project is a standard `stdio` MCP Server, and the general configuration is as follows:
```json
{
"mcpServers": {
"mobile-app-testing": {
"command": "node",
"args": ["/path/to/your/project/scripts/start.js"],
"cwd": "/path/to/your/project",
"env": {}
}
}
}
```
Notes:
- `args` should point to `scripts/start.js` (rather than `dist/index.js`) so that automatic dependency checking and the first-run JADX download are retained
- `cwd` should be the project root directory
- If the client does not inherit the system environment, pass `ANDROID_HOME` and `PATH` explicitly in `env`
Example file: [`mcp-config.example.json`](./mcp-config.example.json)
## 🧰 Tool Capability List
Currently a total of `46` tools:
- ADB Tools `25`: Device, emulator (AVD list/start/stop), application, file, input simulation, screenshot recording
- AAPT Tools `4`: badging, permissions, xmltree, complete analysis
- JADX Tools `3`: Decompilation, output information, APK verification
- Static Analysis Tools `4`: secrets/debug/weak-crypto/comprehensive (including unified report export)
- Workflow Tools `9`: Template, context, intelligent suggestion, execution record, session pre-check, evidence package export, one-click reproduction pipeline
- File Tools `1`: `sha256` fingerprint
## 💡 Usage Example
In any MCP client you can ask directly, for example:
```text
Analyze the basic information of this APK: /path/to/app.apk
Decompile this APK and output the key directory: /path/to/app.apk
Take a screenshot of the currently connected device and save it to the default directory
List the available emulators and start one: adb_list_emulators / adb_start_emulator
Stop the emulator: adb_stop_emulator (optionally specify emulator_id)
Do a comprehensive static analysis of the decompiled directory and export json/md/sarif reports to /tmp/reports
First do a session pre-check: workflow_session_precheck
Execute the one-click reproduction pipeline and export the evidence package: workflow_run_repro_pipeline
```
`static_comprehensive_analysis` supports optional parameters:
- `output_formats`: Any combination of `["json","md","sarif"]`
- `output_dir`: Report output directory (default `./reports`)
- `report_name`: Report file name prefix
- `include_third_party`: Whether to include third-party library directories (default `false`)
- `third_party_prefixes`: Custom third-party path prefixes
`static_scan_secrets` / `static_scan_debug_leaks` / `static_scan_weak_crypto` / `static_comprehensive_analysis` all output a unified field model:
- `severity` / `cwe` / `masvs` / `evidence` / `repro` / `impact` / `fix`
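As an added example (not the project's own exporter), the following converts findings that follow the unified field model above into a minimal SARIF 2.1.0 document and applies a severity gate a CI job could fail on. It assumes each finding carries `severity` / `cwe` / `masvs` / `evidence` / `repro` / `impact` / `fix`, with `evidence` shaped as `{ file, line, snippet }`; the project's real report layout may differ, and the sample findings are constructed.

```javascript
// Added example, not part of mobile-app-testing-mcp. Assumed finding shape:
// { severity, cwe, masvs, evidence: { file, line, snippet }, repro, impact, fix }

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// SARIF only knows none/note/warning/error, so the five severities are collapsed.
function toSarifLevel(severity) {
  const rank = SEVERITY_RANK[String(severity).toLowerCase()] ?? 0;
  if (rank >= 3) return "error";
  if (rank === 2) return "warning";
  return "note";
}

// Build a SARIF 2.1.0 log: one rule per CWE id, one result per finding.
function toSarif(findings, toolName = "mobile-app-testing-mcp") {
  const rules = new Map();
  const results = findings.map((f) => {
    const ruleId = f.cwe || "CWE-unknown";
    if (!rules.has(ruleId)) {
      rules.set(ruleId, {
        id: ruleId,
        shortDescription: { text: `${ruleId} (${f.masvs || "MASVS n/a"})` },
        help: { text: f.fix || "" },
      });
    }
    return {
      ruleId,
      level: toSarifLevel(f.severity),
      message: { text: `${f.impact || ""} Repro: ${f.repro || "n/a"}`.trim() },
      locations: [{ physicalLocation: {
        artifactLocation: { uri: f.evidence?.file || "unknown" },
        region: { startLine: f.evidence?.line || 1, snippet: { text: f.evidence?.snippet || "" } },
      } }],
    };
  });
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: toolName, rules: [...rules.values()] } }, results }],
  };
}

// Gate: true when any finding is at or above the threshold severity.
function failsGate(findings, threshold = "high") {
  const min = SEVERITY_RANK[threshold] ?? 3;
  return findings.some((f) => (SEVERITY_RANK[String(f.severity).toLowerCase()] ?? 0) >= min);
}

// Constructed sample findings (not real scan output).
const SAMPLE_FINDINGS = [
  { severity: "high", cwe: "CWE-798", masvs: "MASVS-STORAGE", evidence: { file: "sources/com/example/Config.java", line: 12, snippet: "API_KEY = \"...\"" }, repro: "inspect the decompiled sources", impact: "A hard-coded credential ships inside the APK.", fix: "Move the secret server-side." },
  { severity: "low", cwe: "CWE-489", masvs: "MASVS-CODE", evidence: { file: "AndroidManifest.xml", line: 5, snippet: "android:debuggable=\"true\"" }, repro: "aapt dump xmltree on the manifest", impact: "The release build is debuggable.", fix: "Set debuggable to false for release builds." },
];
```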
`adb_start_app` / `adb_screenshot` / `adb_shell_command` support stability parameters:
- `timeout_ms`: Timeout control
- `retry_count`: Number of retries
- `retry_delay_ms`: Retry interval
`adb_start_emulator` supports startup waiting parameters:
- `wait_for_ready`: Whether to wait for the emulator to be ready (default `true`)
- `wait_for_boot_completed`: Whether to wait for `sys.boot_completed=1` (default `true`)
- `timeout_ms` / `poll_interval_ms`: Startup waiting timeout and polling interval
`adb_install_app` supports installation waiting parameters:
- `timeout_ms` / `retry_count` / `retry_delay_ms`: Timeout and retry for installation execution
- `wait_after_install_ms`: Extra wait after successful installation (default `3000`)
## 📚 Prompt Examples
Reference [`prompt-examples`](./prompt-examples/):
- [SECURITY_TESTING_PROMPT](./prompt-examples/SECURITY_TESTING_PROMPT.md)
- [Static Code Security Analysis](./prompt-examples/静态代码安全分析.md)
- [Network Communication Encryption Analysis](./prompt-examples/网络通信加密分析.md)
- [Root Detection Bypass Analysis](./prompt-examples/Root检测绕过分析.md)
- [SSL Certificate Pinning Bypass](./prompt-examples/SSL证书固定绕过.md)
- [Application Shelling and Unpacking Analysis](./prompt-examples/应用加壳脱壳分析.md)
- [Malware Behavior Analysis](./prompt-examples/恶意软件行为分析.md)
## 🆘 Common Issues
### 1) Want the Easiest Startup
```bash
npm run setup
npm start
```
If it starts, there is no need to run `check` / `smoke` / `verify` first.
### 2) `npm start` Prompts Missing `adb` / `aapt`
First execute:
```bash
npm run check
```
Then set `ANDROID_HOME`, or `ADB_PATH` / `AAPT_PATH`, according to the output.
### 3) `jadx` Missing
- Keep `AUTO_DOWNLOAD_JADX=true` and JADX is downloaded automatically on first startup
- Or install it manually and set `JADX_PATH`
- To use a different download source, set `JADX_DOWNLOAD_URL`
### 4) Client Cannot Connect to MCP
- Confirm that `args` is an absolute path and points to `scripts/start.js`
- Confirm that `cwd` points to the project root directory
- Run `npm run verify` first to rule out server-side issues
- You can re-execute `npm run install:mcp` to overwrite and update the client configuration
### 5) Device Shows `unauthorized`
```bash
adb devices
```
Accept the USB debugging authorization prompt on the phone and try again.
## 🔐 Compliance Statement
- Only for legally authorized security testing and research
- Please comply with local laws and regulations and organizational compliance requirements
- It is forbidden to use it for unauthorized targets or malicious purposes