
Configuration Reference

Paul White edited this page Feb 7, 2026 · 1 revision

All Mobilicustos configuration is managed through environment variables, typically set in .env or via Docker Compose.


Quick Reference

Copy .env.example to .env and customize:

cp .env.example .env

Database

Variable Default Description
POSTGRES_HOST postgres PostgreSQL hostname
POSTGRES_PORT 5432 PostgreSQL port
POSTGRES_DB mobilicustos Database name
POSTGRES_USER mobilicustos Database user
POSTGRES_PASSWORD changeme Database password

Neo4j

Variable Default Description
NEO4J_URI bolt://neo4j:7687 Neo4j Bolt connection URI
NEO4J_USER neo4j Neo4j username
NEO4J_PASSWORD changeme Neo4j password

Redis

Variable Default Description
REDIS_URL redis://redis:6379 Redis connection URL

API Server

Variable Default Description
API_HOST 0.0.0.0 API bind address
API_PORT 8000 API port
API_DEBUG false Enable debug mode
API_LOG_LEVEL info Log level (debug, info, warning, error)

Security

Variable Default Description
SECRET_KEY changeme_generate_random_key JWT signing key
JWT_ALGORITHM HS256 JWT algorithm
JWT_EXPIRATION_HOURS 24 Token expiration time

Analysis Limits

Variable Default Description
MAX_APK_SIZE_MB 500 Maximum APK upload size
MAX_IPA_SIZE_MB 1000 Maximum IPA upload size
ANALYSIS_TIMEOUT_SECONDS 3600 Per-scan timeout (1 hour)

Tool Paths

Variable Default Description
JADX_PATH /opt/jadx/bin/jadx Java decompiler path
APKTOOL_PATH /usr/local/bin/apktool APK tool path
BLUTTER_PATH /opt/blutter/blutter.py Flutter analyzer path
HERMES_DEC_PATH /opt/hermes-dec/hbc_decompiler.py React Native decompiler

Device Management

Variable Default Description
ADB_HOST host.docker.internal ADB server hostname
ADB_SERVER_SOCKET tcp:host.docker.internal:5037 ADB socket address
FRIDA_SERVER_HOST host.docker.internal:27042 Frida server address
FRIDA_SERVER_VERSION 16.5.9 Frida version (pinned)
FRIDA_SCRIPTS_PATH /app/frida-scripts Custom scripts directory

Corellium

Variable Default Description
CORELLIUM_API_KEY (empty) Corellium API key
CORELLIUM_DOMAIN https://app.corellium.com Corellium instance URL

Docker

Variable Default Description
DOCKER_SOCKET_PATH /var/run/docker.sock Docker socket path
ANALYZER_TEMP_PATH /tmp/mobilicustos_analyzer Shared temp for containers

Platform-specific Docker socket paths:

  • macOS/Linux: /var/run/docker.sock
  • Windows (WSL2): //var/run/docker.sock
  • Windows (native): //./pipe/docker_engine

Frontend

Variable Default Description
VITE_API_URL http://localhost:8000 API URL (build-time)

Configuration File

File: api/config.py

Settings are loaded via Pydantic BaseSettings with environment variable support:

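from pydantic_settings import BaseSettings  # Pydantic v2; on v1 use: from pydantic import BaseSettings


class Settings(BaseSettings):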
    # Database
    postgres_host: str = "postgres"
    postgres_port: int = 5432
    postgres_db: str = "mobilicustos"
    postgres_user: str = "mobilicustos"
    postgres_password: str = "changeme"

    # Neo4j
    neo4j_uri: str = "bolt://neo4j:7687"
    neo4j_user: str = "neo4j"
    neo4j_password: str = "changeme"

    # API
    api_host: str = "0.0.0.0"
    api_port: int = 8000
    api_debug: bool = False
    api_log_level: str = "info"

    # Security
    secret_key: str = "changeme_generate_random_key"

    # Paths
    upload_dir: str = "/app/uploads"
    reports_dir: str = "/app/reports"

    @property
    def database_url(self) -> str:
        return (
            f"postgresql+asyncpg://{self.postgres_user}:{self.postgres_password}"
            f"@{self.postgres_host}:{self.postgres_port}/{self.postgres_db}"
        )

Access settings anywhere via:

from api.config import get_settings
settings = get_settings()  # Cached singleton

Production Checklist

  • Change POSTGRES_PASSWORD from default
  • Change NEO4J_PASSWORD from default
  • Set SECRET_KEY to a random 64-character string
  • Set API_DEBUG=false
  • Configure CORS origins (currently allows all)
  • Set appropriate MAX_APK_SIZE_MB and MAX_IPA_SIZE_MB
  • Configure TLS for all external-facing services
  • Set DOCKER_SOCKET_PATH for your platform
  • Review and restrict API rate limits
  • Configure log rotation for API logs
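The first four checklist items can be checked mechanically before deployment. The following is an added example, not part of Mobilicustos: `parse_dotenv`, `audit` and the sample file are hypothetical, and the defaults are the ones documented on this page.

```python
# Defaults documented on this page; a production value must differ from these.
DOCUMENTED_DEFAULTS = {
    "POSTGRES_PASSWORD": "changeme",
    "NEO4J_PASSWORD": "changeme",
    "SECRET_KEY": "changeme_generate_random_key",
    "API_DEBUG": "false",
}
MIN_SECRET_KEY_LEN = 64  # checklist: "random 64-character string"


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse simple KEY=VALUE lines; skips blanks and comments, drops 'export '."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.removeprefix("export ").partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(env: dict[str, str]) -> list[str]:
    """Return findings; unset variables fall back to the documented default."""
    cfg = {**DOCUMENTED_DEFAULTS, **env}
    findings = []
    for name in ("POSTGRES_PASSWORD", "NEO4J_PASSWORD", "SECRET_KEY"):
        if not cfg[name] or cfg[name] == DOCUMENTED_DEFAULTS[name]:
            findings.append(f"{name}: default or empty value")
    if len(cfg["SECRET_KEY"]) < MIN_SECRET_KEY_LEN:
        findings.append(f"SECRET_KEY: shorter than {MIN_SECRET_KEY_LEN} characters")
    # Conservative: anything not clearly false is reported as debug enabled.
    if cfg["API_DEBUG"].lower() not in ("false", "0", "no", "off"):
        findings.append("API_DEBUG: debug mode enabled")
    return findings


# Constructed sample input, not a real deployment file.
SAMPLE_ENV = """\
# constructed example
POSTGRES_PASSWORD=changeme
export NEO4J_PASSWORD="s3parate-graph-credential"
SECRET_KEY=short-key
API_DEBUG=True
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_dotenv(SAMPLE_ENV))) or "no findings")
```

Run against the real `.env` in CI or an entrypoint script and fail the deployment when the returned list is non-empty.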
