mobile-device-mcp

mcp
Security Audit: Fail
Health: Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 6 GitHub stars
Code: Fail
  • rm -rf — Recursive force deletion command in scripts/build.sh
  • process.env — Environment variable access in src/server/bootstrap.ts
  • network request — Outbound network request in src/server/bootstrap.ts
  • process.env — Environment variable access in src/server/ports.ts
Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This is an MCP server that enables AI agents to control and interact with iOS and Android mobile devices. It maps native screens and WebViews, allowing agents to perform actions like tapping, typing, taking screenshots, and executing sandboxed JavaScript code across multiple parallel devices.

Security Assessment
Overall Risk: Medium. The server requires significant system-level access to function, relying on environment variables and external developer tools like `adb` and `xcodebuild`. It makes outbound network requests over localhost to proxy commands to the on-device servers. The codebase includes a recursive force deletion command (`rm -rf`) inside a build script, which is a standard cleanup operation but warrants manual verification to ensure it only targets intended build directories. The `run_code` tool presents an inherent risk, as it allows the execution of JavaScript on the devices. However, the tool explicitly mitigates this by restricting potentially dangerous operations and running the code in a fresh, isolated sandbox that automatically terminates infinite loops. There are no hardcoded secrets or dangerous broad permissions requested.

Quality Assessment
The project is very new and currently has low community visibility with only 6 GitHub stars. However, it is actively maintained, featuring a very recent push and a comprehensive, well-detailed README. The code is open-source and distributed under the standard, permissive MIT license, making it fully accessible for security review.

Verdict
Use with caution — while the tool thoughtfully sandboxes its remote code execution features, its low community adoption and deep system-level access require a thorough code review before integrating into sensitive workflows.
SUMMARY

An MCP server to use with iOS and Android. Seamlessly maps Native screens and WebViews. Multiple parallel devices supported.

README.md

Mobile Device MCP

An MCP server that lets AI agents control iOS and Android devices (tap, scroll, type, take screenshots, read UI trees, and run code). Works with multiple devices at the same time.

How It Works

Three-layer architecture:

  1. On-device servers — Lightweight HTTP servers running on each mobile device (UIAutomator on Android, XCUITest on iOS) that expose the accessibility tree and accept interaction commands.
  2. UI tree filter — Normalizes raw UI trees from both platforms into a unified flat element list.
  3. MCP server — The external interface. Handles device discovery, bootstrapping, port allocation, and proxies requests to on-device servers.

Devices are bootstrapped on first use — the server installs the driver app, allocates a port, starts the on-device server, and polls until it's healthy. After that, all tool calls are proxied over localhost HTTP with per-device bearer token auth.

Tools

| Tool | Description |
|------|-------------|
| list_devices | List available iOS and Android devices |
| screenshot | Capture the device screen (JPEG) |
| uitree | Get the UI element tree as a flat list, with optional search and limit |
| tap | Tap at screen coordinates |
| double_tap | Double-tap at screen coordinates |
| long_press | Long-press at screen coordinates (configurable duration) |
| scroll | Swipe from start to end coordinates |
| type_text | Type text into the focused element |
| press_button | Press a hardware/navigation button (home, back, enter, volumeUp/Down, dpadUp/Down/Left/Right/Center) |
| launch_app | Launch an app by bundle ID / package name |
| terminate_app | Force-stop an app |
| list_apps | List installed apps |
| run_code | Execute sandboxed JavaScript on-device (see run_code below) |

run_code

Agents can pass code that looks like UIAutomator or XCUITest calls; on both platforms it is JavaScript under the hood.
On Android, the sandbox restricts potentially dangerous Java operations; on iOS, it only allows some XCUITest-like commands.

  • Android: Rhino engine with UIAutomator bindings — uiDevice (click, swipe, find elements, press keys, read display info), By (selectors), Until (wait conditions), console.log()
  • iOS: JavaScriptCore with XCUITest bindings — app (query elements, tap, type, swipe), springboard, device, openApp(bundleId), sleep(ms), console.log()

Both platforms automatically kill runaway scripts (infinite loops) and create a fresh sandbox per call.

Prerequisites

  • Node.js 18+ (for running via npx)
  • Android: Android SDK with adb on PATH
  • iOS Simulator: Xcode with xcrun, simctl
  • iOS Real Device: Xcode with xcodebuild, devicectl, and iproxy (from libimobiledevice)
  • Building from source: Bun runtime, Gradle (Android), Xcode (iOS)

Installation

Claude Code

claude mcp add mobile-device-mcp -- npx -y @srmorete/mobile-device-mcp

Or with custom ports:

claude mcp add mobile-device-mcp -e MDMS_PORT_ANDROID=20000 -e MDMS_PORT_IOS=21000 -- npx -y @srmorete/mobile-device-mcp

Modifying .mcp.json (Cursor, Claude Desktop, etc)

{
  "mcpServers": {
    "mobile-device-mcp": {
      "command": "npx",
      "args": ["-y", "@srmorete/mobile-device-mcp"],
      "env": {
        "MDMS_PORT_ANDROID": "18000",
        "MDMS_PORT_IOS": "19000"
      }
    }
  }
}

Both env entries are optional.

Building from Source

git clone <repo-url>
cd mobile-device-mcp
bun install

# Build drivers for both platforms and pack tarball
./scripts/build.sh

The build script compiles the on-device drivers (Android APKs via Gradle, iOS test bundle via xcodebuild), copies them to drivers/, and creates an npm tarball.

To run locally during development:

bun run start           # Start the MCP server
bun test                # Run the test suite

Configuration

| Environment Variable | Default | Description |
|----------------------|---------|-------------|
| MDMS_PORT_ANDROID | 18000 | Base port for Android on-device servers |
| MDMS_PORT_IOS | 19000 | Base port for iOS on-device servers |

Ports are assigned sequentially — first Android device gets 18000, second gets 18001, and so on. Same for iOS starting at 19000.
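
The sequential port assignment above, together with the per-device bearer token auth described under How It Works, sketched as an added example (not code from mobile-device-mcp): base ports are validated before use, each device gets the next port and its own random token, and a token is accepted only on its own device's port. DeviceRegistry, parseBasePort and constantTimeEqual are assumed names; only the two MDMS_PORT_* variables and their defaults come from the README.

```javascript
// Added example; function and class names are hypothetical, not the project's.
const DEFAULTS = { android: 18000, ios: 19000 }; // defaults from the README
const ENV_KEYS = { android: "MDMS_PORT_ANDROID", ios: "MDMS_PORT_IOS" };
// Web Crypto is a global from Node 19; fall back to the module on Node 18.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Accept only a plain decimal, unprivileged TCP port from the environment.
function parseBasePort(raw, fallback) {
  if (raw === undefined || raw === "") return fallback;
  if (!/^[0-9]{1,5}$/.test(raw)) throw new Error(`invalid port: ${JSON.stringify(raw)}`);
  const port = Number(raw);
  if (port < 1024 || port > 65535) throw new Error(`port out of range: ${port}`);
  return port;
}

// Compare two equal-length tokens without stopping at the first mismatch.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false; // token length is not secret
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

class DeviceRegistry {
  constructor(env = {}) {
    this.base = {};
    for (const p of Object.keys(DEFAULTS)) this.base[p] = parseBasePort(env[ENV_KEYS[p]], DEFAULTS[p]);
    this.count = { android: 0, ios: 0 };
    this.byPort = new Map(); // port -> { deviceId, token }
  }
  // Sequential allocation: base, base + 1, ... with a fresh random token per device.
  register(platform, deviceId) {
    if (!Object.hasOwn(DEFAULTS, platform)) throw new Error(`unknown platform: ${platform}`);
    const port = this.base[platform] + this.count[platform];
    // Refuse ports past 65535 or already held (the two ranges can meet).
    if (port > 65535 || this.byPort.has(port)) throw new Error(`port ${port} unavailable`);
    const bytes = webcrypto.getRandomValues(new Uint8Array(32));
    const token = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    this.count[platform] += 1;
    this.byPort.set(port, { deviceId, token });
    return { port, token };
  }
  // A request is accepted only with the token issued for the device on that port.
  authorize(port, authorizationHeader) {
    const device = this.byPort.get(port);
    const match = /^Bearer ([0-9a-f]{64})$/.exec(authorizationHeader || "");
    return Boolean(device && match && constantTimeEqual(match[1], device.token));
  }
}
```

In a Node-only code base, crypto.timingSafeEqual from node:crypto can replace the hand-written comparison.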

Acknowledgements

Mobile Device MCP server stands on the shoulders of giants such as mobile-mcp and Maestro.
They served as inspiration, but the approach here was reframed to be multi-device, with seamless Native/WebView support (especially on Android).

License

MIT
