API Reference

Mobilicustos exposes a RESTful API via FastAPI on port 8000. All endpoints are prefixed with /api when accessed through the Nginx proxy (port 3000).

Base URL: http://localhost:8000 (direct) or http://localhost:3000/api (via proxy)

Health & System

Health Check

GET /health

Returns service health status including database, Neo4j, and Redis connectivity.

Readiness Check

GET /ready

Returns whether the API is ready to accept requests.

Apps

Manage uploaded mobile applications (APK/IPA).

Method	Endpoint	Description
`GET`	`/api/apps`	List all apps with pagination and filtering
`GET`	`/api/apps/{app_id}`	Get app details
`GET`	`/api/apps/{app_id}/stats`	Get app statistics (scan/finding counts)
`POST`	`/api/apps`	Upload a new app (multipart/form-data)
`DELETE`	`/api/apps/{app_id}`	Delete an app and all associated data

Upload Request:

POST /api/apps
Content-Type: multipart/form-data

file: <APK or IPA binary>

Query Parameters (List):

page (int) — Page number (default: 1)
page_size (int) — Items per page (default: 20)
platform (string) — Filter: android, ios
framework (string) — Filter: native, flutter, react_native, xamarin, cordova, unity
status (string) — Filter: pending, analyzing, completed, failed
search (string) — Search by package name or app name

Scans

Create and manage security scans.

Method	Endpoint	Description
`GET`	`/api/scans`	List scans with pagination
`GET`	`/api/scans/{scan_id}`	Get scan details
`POST`	`/api/scans`	Create and start a new scan
`POST`	`/api/scans/{scan_id}/cancel`	Cancel a running scan
`DELETE`	`/api/scans/{scan_id}`	Delete a scan
`DELETE`	`/api/scans/purge/{app_id}`	Delete all scans for an app
`POST`	`/api/scans/bulk-delete`	Bulk delete scans
`GET`	`/api/scans/{scan_id}/progress`	Real-time scan progress
`GET`	`/api/scans/registry/analyzers`	List available analyzers
`GET`	`/api/scans/{scan_id}/mastg-coverage`	OWASP MASTG test coverage
`GET`	`/api/scans/{scan_id}/export/burp`	Export as Burp XML
`GET`	`/api/scans/{scan_id}/export/har`	Export as HAR

Create Scan:

POST /api/scans
{
  "app_id": "uuid-string",
  "scan_type": "static|dynamic|full"
}

Findings

Browse, filter, and manage security findings.

Method	Endpoint	Description
`GET`	`/api/findings`	List findings with advanced filtering
`GET`	`/api/findings/{finding_id}`	Get finding details
`GET`	`/api/findings/summary`	Aggregated summary statistics
`GET`	`/api/findings/filters/options`	Available filter options
`PATCH`	`/api/findings/{finding_id}/status`	Update finding status
`POST`	`/api/findings/bulk-status`	Bulk status update
`DELETE`	`/api/findings/{finding_id}`	Delete a finding
`POST`	`/api/findings/bulk-delete`	Bulk delete findings
`DELETE`	`/api/findings/purge/{app_id}`	Delete all findings for an app

Query Parameters (List):

page, page_size — Pagination
severity[] — Filter: critical, high, medium, low, info
status[] — Filter: open, confirmed, false_positive, accepted_risk, remediated
platform[] — Filter: android, ios
category[] — Filter by finding category
tool[] — Filter by analyzer name
owasp_masvs_category[] — Filter by MASVS category
cwe_id[] — Filter by CWE ID
app_id — Filter by specific app
scan_id — Filter by specific scan
search — Full-text search on finding title
sort_by — Sort field (severity, created_at, title)
sort_order — asc or desc

Dashboard

Pre-aggregated dashboard data.

Method	Endpoint	Description
`GET`	`/api/dashboard/overview`	Overall platform statistics
`GET`	`/api/dashboard/severity-distribution`	Finding counts by severity
`GET`	`/api/dashboard/category-distribution`	Finding counts by category
`GET`	`/api/dashboard/trends`	Finding trends over time
`GET`	`/api/dashboard/top-vulnerable-apps`	Most vulnerable applications
`GET`	`/api/dashboard/compliance-summary`	OWASP compliance overview
`GET`	`/api/dashboard/mean-time-to-fix`	Average remediation time
`GET`	`/api/dashboard/recent-activity`	Recent scans and findings
`GET`	`/api/dashboard/security-score`	Aggregate security scores
`GET`	`/api/dashboard/executive-summary`	Executive summary data

Devices

Manage physical, emulator, and Corellium devices.

Method	Endpoint	Description
`GET`	`/api/devices`	List registered devices
`GET`	`/api/devices/{device_id}`	Get device details
`POST`	`/api/devices/discover`	Auto-discover connected devices
`POST`	`/api/devices/{device_id}/connect`	Connect to a device
`POST`	`/api/devices/{device_id}/frida/install`	Install Frida server
`POST`	`/api/devices/{device_id}/frida/start`	Start Frida server
`DELETE`	`/api/devices/{device_id}`	Remove a device

Dynamic Analysis

Frida

Method	Endpoint	Description
`GET`	`/api/frida/scripts`	List Frida scripts
`GET`	`/api/frida/scripts/{script_id}`	Get script details
`POST`	`/api/frida/scripts`	Create a new script
`PUT`	`/api/frida/scripts/{script_id}`	Update a script
`DELETE`	`/api/frida/scripts/{script_id}`	Delete a script
`POST`	`/api/frida/inject`	Inject a script into a running app
`GET`	`/api/frida/sessions`	List active Frida sessions
`DELETE`	`/api/frida/sessions/{session_id}`	Kill a session

Drozer

Method	Endpoint	Description
`POST`	`/api/drozer/sessions`	Start a Drozer session
`GET`	`/api/drozer/sessions`	List active sessions
`DELETE`	`/api/drozer/sessions/{session_id}`	End a session
`POST`	`/api/drozer/execute`	Execute a Drozer module
`GET`	`/api/drozer/modules`	List available modules
`POST`	`/api/drozer/quick-actions`	Run predefined security checks

Objection

Method	Endpoint	Description
`POST`	`/api/objection/execute`	Execute Objection command
`GET`	`/api/objection/sessions`	List sessions
`POST`	`/api/objection/file-operations`	File system access
`POST`	`/api/objection/sql`	SQLite database queries

Security Analysis

Secrets

Method	Endpoint	Description
`GET`	`/api/secrets`	List detected secrets
`POST`	`/api/secrets/{secret_id}/validate`	Live-validate a secret
`GET`	`/api/secrets/types`	Secret type metadata
`GET`	`/api/secrets/providers`	Provider-specific info

Attack Paths

Method	Endpoint	Description
`GET`	`/api/attack-paths/{app_id}`	Get attack paths for an app
`POST`	`/api/attack-paths/{app_id}/generate`	Generate attack path graph
`GET`	`/api/attack-paths/{app_id}/graph`	Get Neo4j graph data

Compliance

Method	Endpoint	Description
`GET`	`/api/compliance/masvs`	OWASP MASVS framework info
`GET`	`/api/compliance/masvs/{app_id}`	App MASVS compliance status
`GET`	`/api/compliance/masvs/{app_id}/{category}`	Category-specific compliance
`GET`	`/api/compliance/report/{app_id}`	Full compliance report

Bypass Detection

Method	Endpoint	Description
`GET`	`/api/bypass/results`	List bypass results
`POST`	`/api/bypass/analyze`	Analyze app protections
`POST`	`/api/bypass/attempt`	Attempt a bypass
`POST`	`/api/bypass/auto-bypass`	Automated bypass suite
`GET`	`/api/bypass/detection-types`	Detection type metadata
`GET`	`/api/bypass/scripts/recommended`	Recommended bypass scripts

ML Models

Method	Endpoint	Description
`GET`	`/api/ml-models`	List extracted ML models
`GET`	`/api/ml-models/{model_id}`	Model details
`POST`	`/api/ml-models/extract`	Extract models from app
`POST`	`/api/ml-models/{model_id}/analyze`	Analyze model security
`GET`	`/api/ml-models/{model_id}/security`	Security assessment
`GET`	`/api/ml-models/formats`	Supported model formats

API Endpoints

Method	Endpoint	Description
`GET`	`/api/api-endpoints/{app_id}`	List discovered endpoints
`GET`	`/api/api-endpoints/{app_id}/export`	Export endpoint list
`POST`	`/api/api-endpoints/{app_id}/probe`	Probe discovered endpoints

Integrations

Burp Suite

Method	Endpoint	Description
`POST`	`/api/burp/connections`	Create Burp connection
`GET`	`/api/burp/connections`	List connections
`GET`	`/api/burp/connections/{id}`	Get connection details
`DELETE`	`/api/burp/connections/{id}`	Delete connection
`POST`	`/api/burp/connections/{id}/test`	Test connection
`POST`	`/api/burp/connections/{id}/scans`	Start Burp scan
`GET`	`/api/burp/scans/{task_id}`	Get scan status
`POST`	`/api/burp/scans/{task_id}/stop`	Stop scan
`POST`	`/api/burp/scans/{task_id}/import`	Import scan results
`GET`	`/api/burp/connections/{id}/proxy-history`	Get proxy history
`POST`	`/api/burp/connections/{id}/proxy-history/import`	Import proxy history
`GET`	`/api/burp/connections/{id}/configurations`	Get Burp configs
`GET`	`/api/burp/issues`	List Burp issues
`GET`	`/api/burp/issues/{issue_id}`	Get issue details

Corellium

Method	Endpoint	Description
`POST`	`/api/corellium/connections`	Create connection
`GET`	`/api/corellium/connections`	List connections
`GET`	`/api/corellium/connections/{id}/projects`	List projects
`GET`	`/api/corellium/connections/{id}/supported-devices`	Supported devices
`POST`	`/api/corellium/connections/{id}/devices`	Create virtual device
`POST`	`/api/corellium/connections/{id}/devices/{iid}/start`	Start device
`POST`	`/api/corellium/connections/{id}/devices/{iid}/stop`	Stop device
`DELETE`	`/api/corellium/connections/{id}/devices/{iid}`	Delete device
`POST`	`/api/corellium/connections/{id}/devices/{iid}/apps`	Install app
`POST`	`/api/corellium/connections/{id}/devices/{iid}/frida`	Run Frida
`POST`	`/api/corellium/connections/{id}/devices/{iid}/security-test`	Security test
`POST`	`/api/corellium/connections/{id}/devices/{iid}/snapshots`	Create snapshot

Automation & Exports

Scheduled Scans

Method	Endpoint	Description
`GET`	`/api/scheduled-scans`	List scheduled scans
`POST`	`/api/scheduled-scans`	Create scheduled scan (cron)
`PUT`	`/api/scheduled-scans/{id}`	Update schedule
`DELETE`	`/api/scheduled-scans/{id}`	Delete schedule

Webhooks

Method	Endpoint	Description
`GET`	`/api/webhooks`	List webhooks
`POST`	`/api/webhooks`	Create webhook
`PUT`	`/api/webhooks/{id}`	Update webhook
`DELETE`	`/api/webhooks/{id}`	Delete webhook
`POST`	`/api/webhooks/{id}/test`	Test delivery
`GET`	`/api/webhooks/{id}/deliveries`	Delivery history

Exports

Method	Endpoint	Description
`GET`	`/api/exports/{app_id}/csv`	Export as CSV
`GET`	`/api/exports/{app_id}/json`	Export as JSON
`GET`	`/api/exports/{app_id}/html`	Export as HTML report
`GET`	`/api/exports/{app_id}/pdf`	Export as PDF report
`GET`	`/api/exports/{app_id}/sarif`	Export as SARIF

Administration

Settings

Method	Endpoint	Description
`GET`	`/api/settings`	Get system configuration
`PUT`	`/api/settings`	Update configuration
`GET`	`/api/settings/services`	Service status overview

Screenshot

Method	Endpoint	Description
`POST`	`/api/screenshot/screenshot`	Capture Android screenshot
`POST`	`/api/screenshot/screenshot/ios`	Capture iOS screenshot

Pagination

All list endpoints support pagination:

{
  "items": [...],
  "total": 150,
  "page": 1,
  "page_size": 20,
  "pages": 8
}

Error Responses

{
  "detail": "Error message description"
}

Standard HTTP status codes: 200 (OK), 201 (Created), 400 (Bad Request), 404 (Not Found), 422 (Validation Error), 500 (Internal Server Error).

Mobilicustos v0.1.1 | GitHub Repository | MIT License

Mobilicustos Wiki

Getting Started

Architecture

Analysis Engine

Interface

Workflows

API Reference

API Reference

Health & System

Health Check

Readiness Check

Apps

Scans

Findings

Dashboard

Devices

Dynamic Analysis

Frida

Drozer

Objection

Security Analysis

Secrets

Attack Paths

Compliance

Bypass Detection

ML Models

API Endpoints

Integrations

Burp Suite

Corellium

Automation & Exports

Scheduled Scans

Webhooks

Exports

Administration

Settings

Screenshot

Pagination

Error Responses

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Mobilicustos Wiki

Clone this wiki locally