Do I need permission to use this tool?

Yes. This skill is intended for authorized security research and professional auditing. You should only scan applications you have explicit permission to test.

What kind of vulnerabilities can it find?

It detects critical issues such as unauthenticated read/write access to databases, open Firebase Storage buckets, insecure Cloud Functions, and anonymous authentication vulnerabilities.

What tools are required for this skill to run?

The skill utilizes Bash, apktool, curl, and standard Unix utilities like grep and glob to perform its analysis.

What is the Firebase APK Security Scanner?

It is a Claude Code skill that automates the discovery of security misconfigurations in Android apps that use Firebase, scanning for open databases, storage, and auth issues.

Does this skill work with iOS applications?

No, this specific skill is designed for Android APK files. It uses Android-specific tools like apktool for decompilation.

Firebase APK Security Scanner

Name: Firebase APK Security Scanner
Author: trailofbits

bytrailofbits

•

1,825

セキュリティとテスト

Scans Android APKs for Firebase security misconfigurations like open databases, storage leaks, and exposed authentication endpoints.

概要

The firebase-apk-scanner is a specialized security tool designed for auditors and researchers to identify vulnerabilities in Android applications using Firebase backends. It automates the process of decompiling APKs, extracting configuration data like API keys and Project IDs, and actively testing endpoints for critical issues such as unauthenticated database access, open storage buckets, and anonymous authentication bypasses. This skill provides a comprehensive workflow from initial static analysis to generating detailed vulnerability reports with remediation advice, ensuring mobile applications adhere to security best practices.

主な機能

1,825 GitHub stars
Enumeration and access testing for Cloud Functions and Storage buckets
Active testing of Realtime Database and Firestore security rules
Detailed severity-based reporting with remediation guidance
Authentication vulnerability scanning including open signup and email enumeration
Automated APK decompilation and Firebase config extraction

ユースケース

Performing mobile application security audits and penetration tests
Identifying leaked PII or sensitive business data in Firebase backends
Validating Firebase security rule implementations during the development lifecycle

概要

主な機能

1,825 GitHub stars
Enumeration and access testing for Cloud Functions and Storage buckets
Active testing of Realtime Database and Firestore security rules
Detailed severity-based reporting with remediation guidance
Authentication vulnerability scanning including open signup and email enumeration
Automated APK decompilation and Firebase config extraction

ユースケース

Performing mobile application security audits and penetration tests
Identifying leaked PII or sensitive business data in Firebase backends
Validating Firebase security rule implementations during the development lifecycle