Odel
Android Security Analyzer

Android Security Analyzer

@ako2345Developer Tools2TypeScriptUpdated 3mo ago

MCP server for static security analysis of Android source code

View on GitHubSign in to connect
Server endpointStreamable HTTP
https://android-security-analyzer.ako-labs.workers.dev/mcp

This is the third-party server itself — Odel doesn't run it. Hitting this URL directly talks straight to the upstream server with no auth or proxying. Connect through Odel to front it with managed auth.

Android Security Analyzer

MCP server for static security analysis of Android application source code. Runs on Cloudflare Workers as a remote MCP server over Streamable HTTP.

What it does

Analyzes Android project source files — without building the project — and returns a structured security report. The analysis covers:

  • Manifest analysis — exported components, dangerous permissions, cleartext traffic, debug flags, backup settings, SDK versions
  • Gradle/build config — release build misconfigurations, outdated SDKs, suspicious dependencies, hardcoded secrets
  • Source code (Java/Kotlin) — insecure WebView, SSL/TLS bypass, weak crypto, SQL injection patterns, process execution, insecure file storage, PendingIntent issues
  • XML configuration — network security config weaknesses, overly broad file provider paths
  • Secret scanning — API keys, tokens, passwords, private keys, cloud credentials, high-entropy strings

All analysis is regex/pattern-based and runs natively in the Workers runtime with no external tools, Java, or Android SDK required.

Architecture

POST /mcp ──► McpServer (JSON-RPC 2.0) ──► Tool Router
                                              │
              ┌───────────────────────────────┘
              ▼
         Orchestrator
              │
    ┌─────────┼─────────┬─────────────┬──────────────┐
    ▼         ▼         ▼             ▼              ▼
 Manifest  Gradle   Source Code   XML Config    Secret
 Analyzer  Analyzer  Analyzer     Analyzer     Scanner
    │         │         │             │              │
    └─────────┴─────────┴─────────────┴──────────────┘
              │
              ▼
     Scoring + Deduplication ──► AnalysisReport

Key design decisions:

  • Stateless — no sessions, no Durable Objects
  • Minimal MCP JSON-RPC 2.0 implementation (no heavy SDK dependencies)
  • Data-driven rule engine with extensible rule registry
  • Independent analyzers with unified Finding type
  • Lightweight XML parsing via fast-xml-parser
  • Input validation via zod
  • Bundle size: ~66KB gzipped

MCP Tools

ToolDescription
analyze_android_projectFull security analysis of project files
list_android_security_checksList all implemented security rules
explain_findingDetailed explanation of a specific rule
healthServer status and rule engine stats

Install

Hosted server (recommended for Cline / MCP clients): no local install needed. The server runs at:

https://android-security-analyzer.ako-labs.workers.dev/mcp

Add this URL to your MCP client configuration (see Connecting from an MCP client below).

Local development:

npm install

Development

npm run dev

This starts a local Wrangler dev server. The MCP endpoint is available at http://localhost:8787/mcp.

Deploy

npm run deploy

Deploys to Cloudflare Workers. Requires wrangler authentication (npx wrangler login).

Testing

npm test              # Run all tests
npm run test:watch    # Watch mode
npm run typecheck     # TypeScript type checking

Local MCP Testing

Initialize the connection

Unix:

curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'

Windows (PowerShell):

(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' -UseBasicParsing).Content

List available tools

Unix:

curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}'

Windows (PowerShell): ответ приходит в result.tools; чтобы увидеть список как JSON, используйте сырой ответ:

(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' -UseBasicParsing).Content

Либо через объект: (Invoke-RestMethod ...).result.tools | ConvertTo-Json -Depth 5

Check health

Unix:

curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}'

Windows (PowerShell):

(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"health","arguments":{}}}' -UseBasicParsing).Content

Run analysis (minimal example)

Unix:

curl -X POST http://localhost:8787/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 4,
    "method": "tools/call",
    "params": {
      "name": "analyze_android_project",
      "arguments": {
        "projectName": "TestApp",
        "files": [
          {
            "path": "app/src/main/AndroidManifest.xml",
            "content": "<manifest><application android:debuggable=\"true\" android:allowBackup=\"true\"></application></manifest>"
          }
        ]
      }
    }
  }'

Windows (PowerShell):

$body = @{
  jsonrpc = "2.0"
  id = 4
  method = "tools/call"
  params = @{
    name = "analyze_android_project"
    arguments = @{
      projectName = "TestApp"
      files = @(
        @{
          path = "app/src/main/AndroidManifest.xml"
          content = "<manifest><application android:debuggable=`"true`" android:allowBackup=`"true`"></application></manifest>"
        }
      )
    }
  }
} | ConvertTo-Json -Depth 10
(Invoke-WebRequest -Method Post -Uri "http://localhost:8787/mcp" -ContentType "application/json" -Body $body -UseBasicParsing).Content

Connecting from an MCP client

Add to your MCP client configuration:

{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "http://localhost:8787/mcp"
    }
  }
}

For production (hosted):

{
  "mcpServers": {
    "android-security-analyzer": {
      "url": "https://android-security-analyzer.ako-labs.workers.dev/mcp"
    }
  }
}

Security Rules

The analyzer implements 53 security rules across 5 categories:

CategoryPrefixRulesExamples
ManifestMAN-*17debuggable, allowBackup, exported components, permissions
GradleGRD-*9release config, SDK versions, dependencies, secrets
SourceSRC-*17WebView, SSL/TLS, crypto, injection, file storage
XML ConfigXML-*4network security config, file provider paths
SecretSEC-*7API keys, tokens, passwords, cloud credentials

Each finding includes:

  • Stable rule ID
  • Severity (critical/high/medium/low/info) and confidence (high/medium/low)
  • File path and line number (when determinable)
  • Evidence snippet
  • CWE and OWASP Mobile Top 10 mappings
  • Actionable recommendation

Scoring

Risk score (0-100) is computed from finding severities:

  • Critical: 9 points
  • High: 6 points
  • Medium: 3 points
  • Low: 1 point
  • Info: 0 points

The raw sum is normalized against an expected maximum of 50 points.

Limitations

  • Not a SAST replacement — pattern/regex-based heuristics, not full AST/dataflow analysis
  • No build required — analyzes raw source, so build-time transforms are not visible
  • False positives possible — especially for secret scanning and some code patterns
  • Workers constraints — 128MB memory limit, CPU time limits, no filesystem access
  • No APK/AAB analysis — source code only
  • No inter-procedural analysis — patterns are matched per-file, not across call graphs

Project Structure

src/
├── index.ts                          # Worker entry point
├── server/
│   ├── mcp.ts                        # MCP JSON-RPC 2.0 handler
│   └── tools/                        # MCP tool implementations
│       ├── analyzeAndroidProject.ts
│       ├── listAndroidSecurityChecks.ts
│       ├── explainFinding.ts
│       └── health.ts
├── core/
│   ├── types.ts                      # TypeScript types & Zod schemas
│   ├── scoring.ts                    # Risk score computation
│   ├── registry.ts                   # Rule registry
│   └── orchestrator.ts              # Analysis orchestrator
├── analyzers/
│   ├── manifestAnalyzer.ts
│   ├── gradleAnalyzer.ts
│   ├── sourceAnalyzer.ts
│   ├── xmlConfigAnalyzer.ts
│   └── secretScanner.ts
├── parsers/
│   ├── xml.ts                        # XML parser wrapper
│   ├── gradle.ts                     # Gradle file parser
│   ├── source.ts                     # Source code pattern matcher
│   └── files.ts                      # File classifier
├── rules/
│   ├── manifestRules.ts
│   ├── gradleRules.ts
│   ├── sourceRules.ts
│   ├── xmlRules.ts
│   └── secretRules.ts
├── mappings/
│   ├── cwe.ts                        # CWE descriptions
│   └── owaspMobile.ts               # OWASP Mobile Top 10
└── utils/
    ├── lines.ts                      # Line number utilities
    ├── paths.ts                      # Path classification
    └── text.ts                       # Text utilities
test/
├── fixtures/                         # Sample Android project files
├── unit/                             # Unit tests per module
└── integration/                      # Full analysis integration tests

Adding New Rules

  1. Define the rule in the appropriate file under src/rules/
  2. Add detection logic in the corresponding analyzer under src/analyzers/
  3. Add CWE mapping in src/mappings/cwe.ts if needed
  4. Add a test case
  5. The rule is automatically registered via src/core/registry.ts

License

MIT