drozer-mcp

MCP server wrapping Drozer for LLM-driven Android IPC security testing, enabling autonomous enumeration and exploitation of app components via natural language.

drozer-mcp

MCP server wrapping Drozer for LLM-driven Android IPC security testing.

Lets any Model Context Protocol client — Claude Code, Claude Desktop, Cursor, LM Studio, custom agents — drive Drozer autonomously. The LLM enumerates exported activities, services, broadcast receivers, and content providers across installed apps, then exercises them with intents, broadcasts, and provider queries to surface IPC vulnerabilities.

Designed for the gap in the mobile-security-AI landscape: while there are solid MCP wrappers for Frida, JADX, and MobSF, the canonical Android IPC tool — Drozer — has had no agentic interface until now.

Status

Alpha. Working core: connection lifecycle, package/component enumeration, content provider querying, intent launching, and the most commonly-used scanner modules. Tested against the Drozer 3.1.x console.

Install

pip install drozer-mcp

Or from source:

git clone https://github.com/YOUR-USERNAME/drozer-mcp
cd drozer-mcp
pip install -e .

You also need:

  1. A working Drozer install (pip install drozer plus a Java runtime). The MCP server shells out to the drozer binary.

  2. The Drozer agent APK running on a rooted physical device or emulator. Download from the Drozer releases page.

  3. ADB port forwarding:

    adb forward tcp:31415 tcp:31415
    

Configure your MCP client

Claude Desktop / Claude Code

Add to ~/.config/claude/claude_desktop_config.json (Linux) or the equivalent on macOS / Windows:

{
  "mcpServers": {
    "drozer": {
      "command": "drozer-mcp"
    }
  }
}

Restart the client. The Drozer tools will appear with the drozer__ prefix.

Environment variables

| Variable | Purpose | Default |
| --- | --- | --- |
| DROZER_BIN | Path to the drozer console binary | drozer (PATH) |
| DROZER_SERVER | Override the agent host:port | drozer's own default |
| DROZER_LOG | Log level: DEBUG/INFO/WARNING/ERROR | INFO |

Tools

Connection

| Tool | Purpose |
| --- | --- |
| drozer_connect | Open a console session against the agent |
| drozer_disconnect | Close the session |

The first non-connection tool call connects implicitly. If the underlying console dies (agent crash, ADB hiccup), the next call transparently reconnects.

Enumeration

| Tool | Drozer command | Returns |
| --- | --- | --- |
| list_packages | app.package.list | List of package names |
| package_attack_surface | app.package.attacksurface | Per-kind counts + debuggable |
| list_activities | app.activity.info | Components with required permissions |
| list_services | app.service.info | Same shape as activities |
| list_receivers | app.broadcast.info | Same shape |
| list_providers | app.provider.info | Same shape |
| find_provider_uris | app.provider.finduri | Deduped list of content://... URIs |

Attacks

| Tool | Drozer command | Purpose |
| --- | --- | --- |
| query_provider | app.provider.query | Read a provider with full WHERE/projection/sort args |
| read_provider | app.provider.read | Read file-backed providers (FileProvider path-traversal) |
| start_activity | app.activity.start | Launch with component / action / data / extras |
| start_service | app.service.start | Start or bind a service with intent params |
| send_broadcast | app.broadcast.send | Send a broadcast intent |

Scanners

| Tool | Drozer module | Finds |
| --- | --- | --- |
| scan_provider_injection | scanner.provider.injection | SQLi in content providers |
| scan_provider_traversal | scanner.provider.traversal | Directory traversal in file providers |
| scan_activity_browsable | scanner.activity.browsable | Deep-link / URL scheme entry points |

Shell + escape hatch

| Tool | Purpose |
| --- | --- |
| shell_exec | Run a shell command on the device via shell.exec |
| drozer_run_raw | Run any Drozer command verbatim — for modules not yet wrapped |

Example session (Claude Code)

You: Find SQL injection in any installed app.
Claude: [calls list_packages with filter="com.example"]
        [calls package_attack_surface for each result]
        [calls scan_provider_injection for those with providers exported]
        [calls query_provider with payloads on each finding]

Found 1 injection in com.example.app's UserProvider:
  URI: content://com.example.app.provider/users
  Injectable parameter: selection
  PoC: query with selection="1=1 UNION SELECT password FROM ..."
       returned 47 rows including hashed credentials.

Why a long-lived console?

Drozer's console connect starts a JVM-backed REPL that talks to the agent over a TCP port. Cold-start is ~1-2 seconds; once warm, command roundtrips are sub-second. Re-spawning per tool call would make an LLM-driven workflow painfully slow, so this MCP server runs a single pexpect-managed session and dispatches each tool call to it as a REPL command.

That comes with one caveat: the session is not thread-safe. The MCP runtime serializes tool calls per server process, which makes this safe in practice. If you want parallel scans of multiple devices, run multiple MCP server instances with different DROZER_SERVER settings.
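
The session pattern described above (one long-lived REPL child, tool calls serialized through it, implicit connect and transparent reconnect after the console dies), as an added example that is not drozer-mcp's own code. It uses the standard library's subprocess in place of pexpect so it runs offline; FAKE_REPL, the dz> prompt string and the ConsoleSession class are constructed stand-ins, and the newline check is an assumed guard, not a documented behaviour of the project.

```python
import subprocess
import sys
import threading

# Constructed stand-in for the Drozer console (not Drozer itself): it answers
# each line, then prints a prompt; "crash" makes it exit like a dead agent.
FAKE_REPL = (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    if line.strip() == 'crash': sys.exit(1)\n"
    "    print('ran: ' + line.strip())\n"
    "    print('dz>')\n"
)
FAKE_ARGV = [sys.executable, "-u", "-c", FAKE_REPL]
PROMPT = "dz>"  # assumed prompt marker for the stand-in REPL

class ConsoleSession:
    """One long-lived REPL child; calls are serialized and self-healing."""
    def __init__(self, argv):
        self.argv = argv
        self.proc = None
        self.spawns = 0  # number of times the console was started
        self.lock = threading.Lock()

    def run(self, command):
        # A newline would smuggle a second REPL command into the session.
        if "\n" in command or "\r" in command:
            raise ValueError("exactly one REPL command per call")
        with self.lock:  # the single session is not thread-safe
            if self.proc is None or self.proc.poll() is not None:
                self.proc = subprocess.Popen(  # implicit (re)connect
                    self.argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                    text=True, bufsize=1)
                self.spawns += 1
            self.proc.stdin.write(command + "\n")
            self.proc.stdin.flush()
            out = []
            for line in self.proc.stdout:
                if line.strip() == PROMPT:
                    return "\n".join(out)
                out.append(line.rstrip("\n"))
            self.proc.wait()  # EOF before the prompt: the console died
            self.proc = None
            raise ConnectionError("console exited mid-command")

    def close(self):
        if self.proc and self.proc.poll() is None:
            self.proc.stdin.close()
            self.proc.wait()
```

The call that hits the dead console fails with ConnectionError; the call after it respawns the child, which is why the spawn counter moves from 1 to 2 across a crash.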

Roadmap

  • More scanners: scanner.misc.checkparcel, scanner.misc.native, the full scanner.misc.* family.
  • Structured JSON output mode for query_provider (currently raw text).
  • Drozer Module API integration so custom modules show up automatically.
  • iOS / Objective-C equivalents (probably a separate frida-ios-mcp rather than shoehorning here).

License

Apache-2.0.
