Mira

May 21, 2026 · View on GitHub

Mira

Mobile runtime detection workbench for iOS and Android.

Mira is built in the open as a long-term project for turning real runtime cases into reusable detection knowledge, analysis workflows, and cross-platform tooling.

Why follow Mira

Mira grows with real runtime work, not just planned features.
Each field case can become a new workflow, tool capability, or detection note.
The project is designed to accumulate practical mobile runtime knowledge over time.
Following Mira means following how that knowledge turns into working tooling.

Research Updates

[260520] Article: Detecting root, emulators, and scrcpy-like projection through the audit logcat side channel
[260520] Case: Android high-PID shell proc audit side-channel hints at scrcpy projection
[260520] Case: Android emulator proc audit side-channel exposes qemu SELinux context
[260519] Case: Android proc audit side-channel detects Magisk SELinux context

Features

🧩 Real app sandbox access: Drop directly into the true permission sandbox of target apps with one consistent Android and iOS workflow.
🤖 Built for AI operators: Let AI inspect, navigate, and reason inside the live app runtime like a hands-on analyst.
⚡ Live runtime execution: Run Java, Native, and Frida-driven logic on demand to verify signals instead of guessing from static traces.
🚀 Fast to first result: Start Relay, install the app, and get to shell, screen, and runtime evidence in minutes.
♾️ Compounding detection intelligence: Turn one real finding into reusable detection patterns and repeatable hardening wins.

Getting Started

Relay: PYTHONPATH=. python3 -m mira.relay.server --host 0.0.0.0 --port 8765 --advertise-url http://<your-lan-ip>:8765
Browser: Open http://127.0.0.1:8765 on your desktop.
Android: Download the APK from Releases, install it, then enter http://<your-lan-ip>:8765 in the app.
iOS: Verified on a real device running iOS 16.7.10. See docs/GETTING-STARTED.md.
AI: PYTHONPATH=. python3 -m mira.mcp.server --relay http://127.0.0.1:8765. MCP config: docs/MCP.md.

Contributing

Mira welcomes issues and pull requests from mobile security researchers, reverse engineers, Frida users, MCP users, and device testers.

Read CONTRIBUTING.md before opening a focused pull request.
Use the issue templates for bugs, security hardening, detection ideas, and device compatibility reports.
For security reports, read SECURITY.md first.
Scanner-generated hardening PRs are welcome when they include repository-specific reachability reasoning and verification.

Good starting points include native memory-safety review, Android and iOS device testing, Frida workflow examples, MCP client setup notes, and new reusable detection cases.

Live Discovery Examples

Android Remote Frida	iOS Remote Frida
_{Remote shell, runtime inspection, and live Frida execution on Android.}	_{Equivalent PTY and Frida workflow adapted to the iOS iSH compatibility layer.}
Android LSPosed Trace	iOS Jailbreak Trace
_{Construct a Frida path around the app classloader and surface LSPosed traces from runtime state.}	_{Ask Claude to roam the live terminal and surface jailbreak-related traces in the device environment.}

Public Relay Access

Relay exposed through cpolar

With Relay, you can temporarily expose an authorized session beyond the local network for cloud devices, expert review handoff, and fast evidence sharing.

Research Boundaries

Mira observes and interacts with the Mira host app sandbox.
Mira does not control unrelated third-party apps.
Mira does not provide system-wide remote control.
Mira does not provide root or jailbreak bypass capabilities.
Mira is not a production SDK or a silent background control channel.

Documentation

docs/README.md: English documentation hub.
docs/GETTING-STARTED.md: full setup, build, device connect, MCP, and CLI.
docs/REMOTE-RELAY.md: public and LAN Relay startup flows.
docs/MCP.md: Codex and Claude MCP integration.
docs/IOS-APP.md: iOS app architecture and device notes.
docs/NATIVE-ARCHITECTURE.md: shared PTY native architecture.
docs/TOOLBOX.md: Android toolbox packaging and runtime release flow.
docs/REPO-ARCHITECTURE.md: repository layering and entry-point layout.
docs/THIRD-PARTY-NOTICES.md: third-party notices.

Acknowledgements

lamda: inspiration for the web workbench interaction model.
Termux: Android terminal UX and extensible shell ecosystem.
iSH: iOS-side Linux shell compatibility and syscall translation path.

License

GPL-3.0-only.