Mira
mcp
Pass
Health Pass
- License — License: GPL-3.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 34 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool is a mobile runtime detection workbench designed for iOS and Android security analysis. It turns mobile app inspection into an AI-native defensive workflow, allowing users to execute live logic and uncover security vulnerabilities within third-party application sandboxes.
Security Assessment
Because it is explicitly designed for mobile penetration testing and runtime manipulation, the tool performs highly sensitive operations. It executes arbitrary shell commands, scripts (JavaScript, Java), and facilitates remote Frida injection to inspect targeted apps. It also makes network requests, operating a local relay server (defaulting to 0.0.0.0) that connects desktop browsers, mobile devices, and AI models over the local network. No hardcoded secrets were found in the scanned code, and no inherently dangerous host permissions were flagged. However, given its extensive dynamic execution capabilities and the requirement to expose a local server endpoint, the overall risk is rated as Medium.
Quality Assessment
The project is actively maintained, with its most recent push occurring today. It is legally transparent and distributed under the GPL-3.0 license. The community trust is currently small but focused, indicated by 34 GitHub stars. Furthermore, a light automated code audit across 12 files detected no dangerous code patterns.
Verdict
Use with caution — strictly within authorized security testing and isolated research environments due to its local network exposure and active runtime manipulation capabilities.
This tool is a mobile runtime detection workbench designed for iOS and Android security analysis. It turns mobile app inspection into an AI-native defensive workflow, allowing users to execute live logic and uncover security vulnerabilities within third-party application sandboxes.
Security Assessment
Because it is explicitly designed for mobile penetration testing and runtime manipulation, the tool performs highly sensitive operations. It executes arbitrary shell commands, scripts (JavaScript, Java), and facilitates remote Frida injection to inspect targeted apps. It also makes network requests, operating a local relay server (defaulting to 0.0.0.0) that connects desktop browsers, mobile devices, and AI models over the local network. No hardcoded secrets were found in the scanned code, and no inherently dangerous host permissions were flagged. However, given its extensive dynamic execution capabilities and the requirement to expose a local server endpoint, the overall risk is rated as Medium.
Quality Assessment
The project is actively maintained, with its most recent push occurring today. It is legally transparent and distributed under the GPL-3.0 license. The community trust is currently small but focused, indicated by 34 GitHub stars. Furthermore, a light automated code audit across 12 files detected no dangerous code patterns.
Verdict
Use with caution — strictly within authorized security testing and isolated research environments due to its local network exposure and active runtime manipulation capabilities.
🔬 Mobile runtime detection workbench (iOS and Android)
README.md
English | 简体中文
Mira
Turn Android and iOS runtime inspection into one AI-native defensive workflow.
Inspect real mobile runtime state, execute live logic, and turn raw signals into repeatable hardening evidence.
Features
- 🧩 Third-party app sandbox shell: Enter the real permission sandbox of target apps with a consistent Android and iOS experience.
- 🤖 Built for AI: Let AI operate like a user inside the third-party permission sandbox to explore risk paths.
- ⚡ Arbitrary runtime execution: Execute arbitrary Java and Native logic, or use JavaScript to construct objects and call non-exported methods.
- ♾️ Persistent risk intelligence: Turn one real finding into reusable knowledge and repeatable future discovery.
Getting Started
- Relay:
PYTHONPATH=. python3 -m mira.relay.server --host 0.0.0.0 --port 8765 --advertise-url http://<your-lan-ip>:8765 - Browser: Open
http://127.0.0.1:8765on your desktop. - Android: Download the APK from Releases, install it, then enter
http://<your-lan-ip>:8765in the app. - iOS: Verified on a real device running iOS 16.7.10. See
docs/GETTING-STARTED.md. - AI:
PYTHONPATH=. python3 -m mira.mcp.server --relay http://127.0.0.1:8765. MCP config:docs/MCP.md.
Live Discovery Examples
| Android Remote Frida | iOS Remote Frida |
|---|---|
Remote shell, runtime inspection, and live Frida execution on Android.
|
Equivalent PTY and Frida workflow adapted to the iOS iSH compatibility layer.
|
| Android LSPosed Trace | iOS Jailbreak Trace |
Construct a Frida path around the app classloader and surface LSPosed traces from runtime state.
|
Ask Claude to roam the live terminal and surface jailbreak-related traces in the device environment.
|
Public Relay Access
With Relay, you can temporarily expose an authorized session beyond the local network for cloud devices, expert review handoff, and fast evidence sharing.
Research Boundaries
- Mira observes and interacts with the Mira host app sandbox.
- Mira does not control unrelated third-party apps.
- Mira does not provide system-wide remote control.
- Mira does not provide root or jailbreak bypass capabilities.
- Mira is not a production SDK or a silent background control channel.
Documentation
docs/README.md: documentation hub.docs/GETTING-STARTED.md: full setup, build, device connect, MCP, and CLI.docs/MCP.md: Codex and Claude MCP integration.docs/IOS-APP.md: iOS app architecture and device notes.docs/NATIVE-ARCHITECTURE.md: shared PTY native architecture.docs/THIRD-PARTY-NOTICES.md: third-party notices.
Acknowledgements
- lamda: inspiration for the web workbench interaction model.
- Termux: Android terminal UX and extensible shell ecosystem.
- iSH: iOS-side Linux shell compatibility and syscall translation path.
License
GPL-3.0-only.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found