explaingit

moonpiesheldon1337/mobsf-fail-app

30 · TypeScript

TLDR

mobsf-fail is a small web app that helps mobile-app security testers cut down the noise in their reports.


In plain English

mobsf-fail is a small web app that helps mobile-app security testers cut down the noise in their reports. MobSF, short for Mobile Security Framework, is a popular open-source scanner for Android apps, and it is known for producing very long lists of findings, often 100 to 300 per scan, many of which are not real issues. This app reads a MobSF report and marks each finding with how likely it is to be a false positive, so a human only has to look closely at the few that actually matter.

The app runs entirely in the user's browser. A MobSF report can be dropped in as JSON, PDF, or HTML. JSON gives the best results because it carries file paths, line numbers, and standard tags; PDF and HTML still work but lose some of those details. Each finding is then sent to a language model that also runs inside the browser through a library called WebLLM, using the user's own GPU. No file, no finding, and no metadata ever leaves the computer. The only remote requests are the initial app load and a one-time download of the model weights.

For each finding the model produces a score from 0 to 100, a verdict, and a short reason. The author wrote category-specific prompts that encode the judgement a senior mobile pentester would apply: a 'hardcoded API key' might be a public Stripe key that is meant to ship in the app, an 'exported activity' might be the launcher screen, and a 'cleartext traffic' warning might be scoped to the Android emulator address only. The prompts live in src/lib/prompts, and the author calls them the real product value, with the language model being just the layer that applies them.

Two files come out at the end. A Markdown draft of a pentest report contains only the confirmed findings and the ones that still need review, ready to convert to PDF or DOCX. A CSV table covers every finding with its verdict and reasoning, for spreadsheet review or import into a vulnerability tracker.
The README is clear about limits: the tool is not a scanner, it only operates on findings that MobSF has already produced, and it is not a replacement for human review. Running it needs a browser with WebGPU, such as Chrome, Edge, Brave, Opera, or Safari 18 and newer.
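As an added example, not code from the project, the following TypeScript sketches the triage pipeline described above with a few deterministic rules standing in for the model prompts: score each finding 0 to 100 for false-positive likelihood, derive a verdict, then emit the CSV (every finding) and the Markdown draft (confirmed and needs-review only). The Finding shape is a simplified assumption rather than MobSF's real JSON schema, and the sample findings are constructed.

```typescript
// Added example (not the project's code): a rule-based stand-in for the prompt-driven
// triage described above. The Finding shape is a simplified assumption, not MobSF's real
// JSON schema; the three rules mirror the false-positive patterns the README cites.
export interface Finding { title: string; category: string; file: string; line: number; evidence: string }
export interface Triage { finding: Finding; score: number; verdict: string; reason: string }
const EMULATOR_HOST = "10.0.2.2"; // the host machine as seen from the Android emulator

// score = estimated probability (0-100) that the finding is a false positive
function decide(f: Finding): [number, string] {
  if (f.category === "hardcoded_secret") {
    if (/\bpk_(live|test)_[A-Za-z0-9]+/.test(f.evidence)) return [90, "Stripe publishable key is meant to ship in the client"];
    if (/\bsk_(live|test)_[A-Za-z0-9]+/.test(f.evidence)) return [5, "Stripe secret key must never be embedded in an APK"];
  }
  if (f.category === "exported_component" && /android\.intent\.category\.LAUNCHER/.test(f.evidence)) {
    return [85, "Launcher activity must be exported for the app to start"];
  }
  if (f.category === "cleartext_traffic") {
    const hosts = f.evidence.split(/[\s,]+/).filter(Boolean); // constructed: evidence lists permitted hosts
    if (hosts.length > 0 && hosts.every((h) => h === EMULATOR_HOST)) return [80, "Cleartext scoped to the emulator host only"];
    return [10, `Cleartext permitted to non-emulator host(s): ${hosts.filter((h) => h !== EMULATOR_HOST).join(", ")}`];
  }
  return [50, "No rule matched; needs human review"];
}

export function triage(f: Finding): Triage {
  const [score, reason] = decide(f);
  const verdict = score >= 70 ? "likely_false_positive" : score <= 20 ? "confirmed" : "needs_review";
  return { finding: f, score, verdict, reason };
}

// CSV covers every finding; fields are quoted so commas in reasons do not break columns.
export function toCsv(rows: Triage[]): string {
  const q = (s: string | number) => `"${String(s).replace(/"/g, '""')}"`;
  const head = "title,category,file,line,score,verdict,reason";
  return [head, ...rows.map((r) => [r.finding.title, r.finding.category, r.finding.file, r.finding.line, r.score, r.verdict, r.reason].map(q).join(","))].join("\n");
}

// Markdown draft keeps only confirmed findings and those still needing review.
export function toMarkdown(rows: Triage[]): string {
  const kept = rows.filter((r) => r.verdict !== "likely_false_positive");
  return ["# Findings", ...kept.map((r) => `- **${r.finding.title}** (${r.finding.file}:${r.finding.line}) [${r.verdict}]: ${r.reason}`)].join("\n");
}

// Constructed sample findings, not real scanner output.
export const SAMPLE: Finding[] = [
  { title: "Hardcoded API key", category: "hardcoded_secret", file: "app/src/main/java/Pay.kt", line: 12, evidence: 'val key = "pk_live_abc123"' },
  { title: "Exported activity", category: "exported_component", file: "AndroidManifest.xml", line: 20, evidence: '<category android:name="android.intent.category.LAUNCHER"/>' },
  { title: "Cleartext traffic", category: "cleartext_traffic", file: "res/xml/network_security_config.xml", line: 4, evidence: "10.0.2.2" },
  { title: "Hardcoded API key", category: "hardcoded_secret", file: "app/src/main/java/Admin.kt", line: 8, evidence: 'val secret = "sk_live_zzz999"' },
];
```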


Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.