MobileSec-MS is a modular, enterprise-grade platform for automated security analysis of mobile applications. Designed to detect vulnerabilities in both Android (APK) and iOS (IPA) applications, it provides comprehensive security assessments including cryptographic usage analysis, network communication inspection, exposed secrets detection, and intelligent remediation suggestions.
Built on a modern microservices architecture, MobileSec-MS integrates seamlessly into CI/CD pipelines, enabling continuous security testing throughout the development lifecycle.
This is a summary repository that serves as the central documentation and overview for the MobileSec-MS project. This repository does NOT contain the actual implementation code. Instead, it provides:
- 📋 Architecture Overview: Understanding how all microservices work together
- 🔗 Repository Links: Direct links to each individual microservice repository
- 📚 Documentation: Comprehensive guides for deployment and integration
- 🗺️ Project Roadmap: Future plans and feature development
Each microservice is maintained in its own dedicated repository for modularity, independent development, and scaling.
Watch a demonstration of MobileSec-MS showcasing a complete security analysis workflow that uses 5 of the 8 available microservices, executed against an intentionally vulnerable mobile application (VulnerableTestApp).
This video illustrates how multiple MobileSec-MS components work together to analyze a mobile application and produce a consolidated security report.
Each microservice below is maintained in its own repository. Click the microservice name to view its source code and documentation. For a more detailed breakdown of each service within this repository, see the microservices/ directory.
| Microservice | Description | Technologies | Status | Detailed Docs |
|---|---|---|---|---|
| APKScanner | Disassembles and analyzes Android APK files to extract manifest, permissions, and endpoints | Python, Androguard, Apktool, SQLite | | Docs |
| iPAScanner | Disassembles and analyzes iOS IPA files to extract plist, binaries, and endpoints | Python, Mach-O analysis | | Docs |
| SecretHunter | Detects exposed secrets, API keys, and hardcoded credentials in code and resources | Python, GitLeaks, Regex patterns, YARA rules | | Docs |
| CryptoCheck | Verifies proper usage of cryptographic APIs and detects security flaws | SAST engine, Regex, CWE mapping, Python | | Docs |
| NetworkInspector | Intercepts and analyzes network communications (HTTPS/TLS inspection) | mitmproxy, Docker sandbox, AVD/iOS simulator, Python | | Docs |
| ReportGen | Aggregates results from all microservices and generates comprehensive reports | Node.js, Express.js, Puppeteer, JSON/SARIF/PDF formats, RabbitMQ (via amqplib) | | Docs |
| ThreatGuard-ML | Provides AI-powered remediation suggestions based on MASVS standards | Python, YAML, ML models, Jupyter Notebooks, ReportLab | | Docs |
| CIConnector | Integrates the platform with CI/CD pipelines via webhooks and API triggers | GitHub Actions, Docker CLI, YAML | | Docs |
APKScanner role: Disassemble and analyze Android APKs to extract manifest, permissions, and endpoints
- Language: Python
- Key Tools:
- Androguard (APK decompilation & analysis)
- Apktool (resource decoding and manifest extraction)
- SQLite (metadata and scan results storage)
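As an added example of the kind of manifest analysis APKScanner's role describes (permissions, exported components, application flags), the following Python reads a decoded AndroidManifest.xml and emits findings. This is not APKScanner's own code: the rule ids, severities, the dangerous-permission subset and the sample manifest are constructed for illustration. In a real run the input would be the manifest decoded by Apktool.

```python
"""Static checks over a decoded AndroidManifest.xml (added example, not APKScanner code)."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualified name of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Illustrative subset of runtime ("dangerous") permissions worth a review.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest for a deliberately misconfigured app (not from any real project).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.vulnapp.data"
              android:exported="true"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def analyze_manifest(xml_text):
    """Return a list of finding dicts (id, severity, where, msg) for a manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "?")
    findings = []

    # 1. Runtime permissions: each one widens the attack surface and needs a justification.
    for perm_el in root.iter("uses-permission"):
        perm = perm_el.get(android("name"))
        if perm in DANGEROUS_PERMISSIONS:
            findings.append({"id": "PERM-DANGEROUS", "severity": "medium", "where": perm,
                             "msg": "%s requests runtime permission %s" % (pkg, perm)})

    app = root.find("application")
    if app is None:
        return findings

    # 2. Application-wide flags that should never ship in a release build.
    for flag, severity, fid in (("debuggable", "high", "APP-DEBUGGABLE"),
                                ("allowBackup", "medium", "APP-ALLOWBACKUP"),
                                ("usesCleartextTraffic", "high", "NET-CLEARTEXT")):
        if app.get(android(flag)) == "true":
            findings.append({"id": fid, "severity": severity, "where": "<application>",
                             "msg": 'android:%s="true"' % flag})

    # 3. Exported components. A component with an intent-filter is exported by
    #    default unless android:exported says otherwise; the launcher activity
    #    must be exported, and a component guarded by android:permission is
    #    not reachable by arbitrary apps, so both are skipped.
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = comp.get(android("exported"))
        has_filter = comp.find("intent-filter") is not None
        is_exported = exported == "true" or (exported is None and has_filter)
        is_launcher = any(c.get(android("name")) == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        guarded = comp.get(android("permission")) is not None
        if is_exported and not is_launcher and not guarded:
            findings.append({"id": "COMP-EXPORTED",
                             "severity": "high" if comp.tag == "provider" else "medium",
                             "where": "%s %s" % (comp.tag, comp.get(android("name"))),
                             "msg": "component is exported without a permission guard"})
    return findings


def severity_counts(findings):
    """Counts per severity, the shape a report summary would consume."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print(f["severity"].upper(), f["id"], f["where"], f["msg"])
```

Running it on the sample manifest yields seven findings: two dangerous permissions, the three application flags, and two exported components (the exported content provider rated high because it exposes data directly). The launcher activity and the non-exported service are correctly left alone.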
iPAScanner role: Disassemble and analyze iOS IPA files to extract plist, binaries, and endpoints
- Language: Python
- Key Tools:
- IPA decompilation
- Mach-O analysis tools
SecretHunter role: Detect exposed secrets in code or resources
- Language: Python
- Key Tools:
- GitLeaks
- Custom Regex patterns
- YARA Rules
CryptoCheck role: Verify proper usage of cryptographic APIs
- Language: Python
- Key Tools:
- Static Application Security Testing (SAST) engine
- Regex
- Rule engine mapped to CWE identifiers
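The SecretHunter and CryptoCheck roles above both come down to a rule engine run over decompiled source, with each hit mapped to a CWE identifier. As an added example (not code from either project), the Python below implements such an engine for a handful of Java/Kotlin patterns: weak ciphers and hashes, ECB mode, a static IV, a non-cryptographic PRNG, an AWS access key id, and generic hardcoded credentials. The rule ids, severities and the sample decompiled source are this example's own; the entropy cut-off that suppresses placeholder values like "changeme" is an illustrative choice, not a published threshold.

```python
"""Regex rule engine with CWE mapping for secrets and crypto misuse (added example)."""
import math
import re
from collections import Counter

# (rule id, CWE, severity, pattern, message). Ids and severities are illustrative.
RULES = [
    ("CRYPTO-DES", "CWE-327", "high",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|Blowfish)'), "broken or legacy cipher"),
    ("CRYPTO-ECB", "CWE-327", "high",
     re.compile(r'Cipher\.getInstance\(\s*"AES/ECB'), "AES in ECB mode leaks plaintext structure"),
    ("CRYPTO-MD5", "CWE-328", "medium",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'), "weak hash function"),
    ("CRYPTO-IV", "CWE-329", "medium",
     re.compile(r'IvParameterSpec\(\s*("[^"]*"\.getBytes|new\s+byte\[)'), "static IV"),
    ("CRYPTO-RAND", "CWE-330", "medium",
     re.compile(r'new\s+(java\.util\.)?Random\('), "java.util.Random is not a CSPRNG"),
    ("SECRET-AWS", "CWE-798", "high",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b'), "AWS access key id"),
    # group(2) captures the literal value so it can be entropy-filtered below
    ("SECRET-GENERIC", "CWE-798", "medium",
     re.compile(r'(?i)(api[_-]?key|secret|password|token)\s*[=:]\s*"([^"]{8,})"'), "hardcoded credential"),
]

# Constructed decompiled-Java snippet; "AKIAIOSFODNN7EXAMPLE" is the documented AWS example key.
SAMPLE_SOURCE = """\
String API_KEY = "9fA3kQz7Lm2pXv8RbT4wYc";
String password = "changeme";
String awsKey = "AKIAIOSFODNN7EXAMPLE";
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
IvParameterSpec iv = new IvParameterSpec("0000000000000000".getBytes());
Random r = new Random();
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""


def shannon_entropy(s):
    """Bits per character; real tokens score high, placeholders score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(source, min_entropy=3.0):
    """Run every rule over every line; return finding dicts with line, rule, CWE, severity."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, cwe, severity, pattern, message in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Generic credential rule: drop low-entropy values ("changeme", "password1")
            # to keep the false-positive rate down; they are placeholders, not secrets.
            if rule_id == "SECRET-GENERIC" and shannon_entropy(m.group(2)) < min_entropy:
                continue
            findings.append({"line": lineno, "rule": rule_id, "cwe": cwe,
                             "severity": severity, "message": message,
                             "evidence": m.group(0)})
    return findings


def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print("%3d %-15s %-8s %-6s %s" % (f["line"], f["rule"], f["cwe"], f["severity"], f["evidence"]))
```

On the sample it reports seven findings and stays silent on the AES/GCM line and on the "changeme" placeholder. A line-oriented regex engine like this is cheap and explainable, which is why SAST tools use it for a first pass, but it cannot see through string concatenation or reflection; treat its output as candidates for review rather than proof.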
NetworkInspector role: Intercept and analyze network communications
- Language: Python
- Key Tools:
- mitmproxy (HTTPS/TLS inspection)
- Docker sandbox for Android/iOS emulators (AVD, iOS simulator)
- Supports physical devices as primary, AVD as fallback
ThreatGuard-ML role: Provide remediation suggestions and configuration fixes
- Language: Python
- Key Tools:
- MASVS (Mobile Application Security Verification Standard) rules
- YAML (rules representation)
- ML model for ranking best fixes
- Pandas & NumPy - Data manipulation and analysis
- ReportLab - PDF report generation
- Pydantic - Data validation and serialization
ReportGen role: Aggregate results and generate reports
- Language: Node.js
- Key Tools:
- Express.js – to expose API endpoints for receiving scan results
- Puppeteer – for PDF report rendering
- JSON / SARIF / PDF – supported report formats
- RabbitMQ (via amqplib) – for receiving messages from other microservices
CIConnector role: Integrate microservices into CI/CD pipelines
- Supported Platforms: GitHub Actions
- Key Tools:
- Docker CLI
- YAML pipeline configuration
- Webhooks/API triggers
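ReportGen's role (aggregate scanner results into JSON/SARIF) and CIConnector's role (block a build on serious findings) meet in the pipeline: one consolidated SARIF log is what a CI platform can both upload and gate on. The Python below is an added example of that join, not code from ReportGen (which is Node.js) or CIConnector. The per-scanner message shape, the severity scale and the sample findings are constructed for illustration; only the SARIF 2.1.0 structure follows the real specification.

```python
"""Merge per-scanner findings into SARIF 2.1.0 and apply a CI security gate (added example)."""
import json

# Constructed messages in the shape a queue consumer might receive, one per scanner.
SCANNER_MESSAGES = [
    {"tool": "CryptoCheck", "version": "0.1", "findings": [
        {"rule": "CRYPTO-ECB", "cwe": "CWE-327", "severity": "high",
         "file": "com/example/vulnapp/Crypto.java", "line": 12, "message": "AES in ECB mode"}]},
    {"tool": "SecretHunter", "version": "0.1", "findings": [
        {"rule": "SECRET-AWS", "cwe": "CWE-798", "severity": "critical",
         "file": "res/values/strings.xml", "line": 7, "message": "AWS access key id in resources"}]},
    {"tool": "APKScanner", "version": "0.1", "findings": [
        {"rule": "NET-CLEARTEXT", "cwe": "CWE-319", "severity": "medium",
         "file": "AndroidManifest.xml", "line": 9, "message": "usesCleartextTraffic=true"}]},
]

# SARIF only knows error/warning/note, so the finer severity is kept in properties.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def to_sarif(messages):
    """One SARIF run per scanner; each finding becomes a result with a physical location."""
    runs = []
    for msg in messages:
        rules, results = {}, []
        for f in msg["findings"]:
            rules.setdefault(f["rule"], {"id": f["rule"], "properties": {"cwe": f["cwe"]}})
            results.append({
                "ruleId": f["rule"],
                "level": SARIF_LEVEL[f["severity"]],
                "message": {"text": f["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": f["line"]}}}],
                "properties": {"severity": f["severity"], "cwe": f["cwe"]},
            })
        runs.append({"tool": {"driver": {"name": msg["tool"], "version": msg["version"],
                                         "rules": list(rules.values())}},
                     "results": results})
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": runs}


def gate(sarif, block_at="high"):
    """Return (blocked, reasons): blocked when any result is at or above block_at."""
    threshold = SEVERITY_RANK[block_at]
    reasons = []
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            sev = r["properties"]["severity"]
            if SEVERITY_RANK[sev] >= threshold:
                loc = r["locations"][0]["physicalLocation"]
                reasons.append("%s: %s (%s) at %s:%d" % (
                    tool, r["ruleId"], sev,
                    loc["artifactLocation"]["uri"], loc["region"]["startLine"]))
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    import sys
    log = to_sarif(SCANNER_MESSAGES)
    print(json.dumps(log, indent=2))
    blocked, reasons = gate(log, "high")
    for reason in reasons:
        print("BLOCK:", reason)
    sys.exit(1 if blocked else 0)  # non-zero exit is what fails the CI job
```

Run as a pipeline step, the non-zero exit is the security gate; the SARIF document is what a CI platform can upload so findings appear as annotations. The threshold is deliberately a parameter: a team rolling the scanner out can start at "critical" and tighten to "high" once the backlog is under control.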
To use individual microservices, visit their respective repositories:
- APKScanner: https://github.com/houssamb4/APKScanner
- iPAScanner: https://github.com/houssamb4/ios-ipa-scanner
- SecretHunter: https://github.com/houssamb4/secret-hunter-ms
- CryptoCheck: https://github.com/houssamb4/CryptoCheck
- NetworkInspector: https://github.com/houssamb4/NetworkInspector
- ReportGen: https://github.com/houssamb4/ReportGen
- ThreatGuard-ML (Fix Suggestions): https://github.com/houssamb4/threatguard-ml
Each repository contains its own:
- Installation instructions
- Usage examples
- API documentation
- Configuration guides
For testing and demonstration purposes, use our vulnerable test application:
- VulnerableTestApp: https://github.com/houssamb4/VulnerableTestApp
- Intentionally vulnerable mobile app for testing security scanners
- Contains various security issues to validate microservice detection capabilities
- Perfect for testing and development
Once all microservices are complete, you'll be able to deploy the entire platform using:

```bash
# Clone individual microservices
git clone https://github.com/houssamb4/APKScanner
git clone https://github.com/houssamb4/ios-ipa-scanner
git clone https://github.com/houssamb4/secret-hunter-ms
git clone https://github.com/houssamb4/CryptoCheck
git clone https://github.com/houssamb4/NetworkInspector
git clone https://github.com/houssamb4/ReportGen
git clone https://github.com/houssamb4/threatguard-ml
# Clone test application (optional)
git clone https://github.com/houssamb4/VulnerableTestApp
# Deploy with Docker Compose
docker-compose up -d
```

The following features will be available across the microservices ecosystem:
- Static Analysis: Deep code inspection without execution
- Dynamic Analysis: Runtime behavior monitoring in sandboxed environments
- Binary Analysis: APK/IPA disassembly and reverse engineering
- Network Traffic Inspection: MITM proxy for traffic interception
- OWASP MASVS Compliance: Automated verification against mobile security standards (powered by ThreatGuard-ML)
- Cryptographic Validation: Detection of weak algorithms and implementations using SAST engine and CWE mapping
- Secret Detection: Hardcoded credentials, API keys, and sensitive data using GitLeaks, Regex, and YARA Rules
- Permission Analysis: Overscoped permissions and security misconfigurations via manifest analysis
- Network Security: TLS/SSL configuration, certificate pinning, cleartext traffic inspection via mitmproxy
- AI-Powered Fix Suggestions: Context-aware remediation recommendations based on MASVS rules and ML ranking
- Risk Scoring: CVSS-based vulnerability prioritization with CWE mapping
- Automated Reporting: Multi-format report generation (PDF via Puppeteer, JSON, SARIF)
- Trend Analysis: Historical vulnerability tracking via SQLite storage
- CI/CD Pipeline Integration: Native support for GitHub Actions and Jenkins via CIConnector
- Docker-Based Deployment: Container-ready microservices with Docker CLI integration
- Security Gates: Automatic build blocking on critical vulnerabilities via webhooks
- API-First Design: RESTful APIs with message queue support (RabbitMQ/Kafka)
For detailed usage instructions, please refer to each microservice's repository:

APKScanner:
```bash
# Analyzes Android APK files using Androguard and Apktool
# Extracts: manifest, permissions, endpoints, resources
# See: https://github.com/houssamb4/APKScanner
```

iPAScanner:
```bash
# Analyzes iOS IPA files using Mach-O analysis and Clutch
# Extracts: plist, binaries, endpoints, resources
# See: https://github.com/houssamb4/ios-ipa-scanner
```

SecretHunter:
```bash
# Detects secrets using GitLeaks, Regex, and YARA Rules
# Scans: source code, configuration files, resources
# See: https://github.com/houssamb4/secret-hunter-ms
```

CryptoCheck:
```bash
# SAST-based cryptographic API validation
# Checks: weak algorithms, improper implementations, CWE violations
# See: https://github.com/houssamb4/CryptoCheck
```

NetworkInspector:
```bash
# mitmproxy-based network traffic analysis
# Analyzes: HTTPS/TLS, certificate pinning, cleartext traffic
# Environment: Physical device (primary), AVD (fallback)
# See: https://github.com/houssamb4/NetworkInspector
```

ReportGen:
```bash
# Node.js + Puppeteer report generation
# Formats: PDF, HTML, JSON, SARIF
# Integration: RabbitMQ/Kafka message queues
# See: https://github.com/houssamb4/ReportGen
```

ThreatGuard-ML:
```bash
# MASVS-based AI-powered remediation engine
# Features: ML ranking, YAML rules, context-aware suggestions
# See: https://github.com/houssamb4/threatguard-ml
```

Target performance metrics for the complete platform:
| Metric | Target Value |
|---|---|
| APK Analysis Time | ~30-90 seconds |
| IPA Analysis Time | ~30-60 seconds |
| Concurrent Analyses | Up to 10 parallel |
| Accuracy Rate | 95%+ (validated against OWASP MSTG) |
| False Positive Rate | <5% |
- APKScanner - Android APK analysis
- iPAScanner - iOS IPA analysis
- SecretHunter - Secret detection engine
- CryptoCheck - Cryptographic validation
- NetworkInspector - Network traffic analysis (uses physical device primarily, AVD as fallback)
- ReportGen - Report generation engine
- ThreatGuard-ML - AI-powered fix suggestions
- VulnerableTestApp - Test application for validation
- CIConnector - CI/CD integration (GitHub Actions)
Each microservice has its own test suite. Please refer to individual repositories for testing instructions:
- APKScanner: Repository
- iPAScanner: Repository
- SecretHunter: Repository
- CryptoCheck: Repository
- NetworkInspector: Repository
- ReportGen: Repository
- ThreatGuard-ML: Repository
Use the VulnerableTestApp to test all microservices:
- VulnerableTestApp: https://github.com/houssamb4/VulnerableTestApp
We welcome contributions to any of the microservices!
- APKScanner: https://github.com/houssamb4/APKScanner
- iPAScanner: https://github.com/houssamb4/ios-ipa-scanner
- SecretHunter: https://github.com/houssamb4/secret-hunter-ms
- CryptoCheck: https://github.com/houssamb4/CryptoCheck
- NetworkInspector: https://github.com/houssamb4/NetworkInspector
- ReportGen: https://github.com/houssamb4/ReportGen
- ThreatGuard-ML: https://github.com/houssamb4/threatguard-ml
- VulnerableTestApp (Test App): https://github.com/houssamb4/VulnerableTestApp
- Report Issues: Open issues in the respective microservice repository
- Discussions: Use GitHub Discussions in individual repositories
- Contact: Create an issue for general inquiries
- OWASP Mobile Security Testing Guide (MSTG) for comprehensive security guidelines
- Androguard and Apktool for Android APK analysis
- Google Security Researchers for continuous improvement of mobile security practices
- Open Source Community for invaluable tools and libraries
If you find this project useful:
- ⭐ Star the individual microservice repositories
- 🐛 Report bugs and request features via GitHub Issues
- 💬 Share your experience and use cases
- 🔗 Spread the word about MobileSec-MS