
[FEATURE] Add detection for Java/Kotlin packages #2542

@rsenet

Description

If you're requesting a new feature/enhancement, explain why you'd like it to be added and its importance.

Is your feature request related to a problem? Please describe.

Mobile app reviews and security audits in our project currently lack automated visibility into third-party Java/Kotlin packages bundled inside APKs.

Indeed, during an audit, a vulnerability was identified in a Java/Kotlin library, but it was not possible to demonstrate its presence in MobSF. This limits the ability to properly link detected issues to actual dependencies and to justify remediation actions.

Describe the solution you’d like

Integrate a part of Android Lib Detector (https://github.com/rsenet/android_lib_detector) as a new module dedicated to Java/Kotlin library detection.

Key features:

  • Identify all non-native Java/Kotlin packages included in the APK (excluding standard AndroidX, JetBrains, Material, etc.).

  • Group results by root package (with an option for full package names).

  • Resolve versions of libraries whenever META-INF/*.version files or equivalent markers are available.
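The three features above map onto a small pipeline: turn DEX class descriptors into package names, drop the standard prefixes, group by a root package (or keep full names), and pull version markers out of `META-INF/*.version` entries in the APK zip. The following is an added example written for this issue, not code from MobSF or from android_lib_detector. It assumes a constructed list of class descriptors (in practice these would come from the DEX string table), a constructed in-memory APK, a hand-picked list of "standard" prefixes, and a reverse-domain heuristic for what counts as a root package; the `com.example.sdk` marker is made up so that the package-to-version join has something to hit. Markers only resolve a version when the Maven group id equals a package prefix, so `okhttp3` stays unresolved even though a constructed `com.squareup.okhttp3_okhttp.version` marker is present.

```python
import io
import re
import zipfile
from collections import Counter

# Prefixes treated as "standard" and left out of the report.
# This list is an assumption for the example, not the detector's real exclusion list.
STANDARD_PREFIXES = (
    "android.", "androidx.", "java.", "javax.", "dalvik.",
    "kotlin.", "kotlinx.", "org.jetbrains.", "com.google.android.material.",
)
# Top-level segments that signal a reverse-domain package name (heuristic, an assumption).
REVERSE_DOMAIN_TLDS = {"com", "org", "net", "io", "de", "fr", "uk", "co", "me", "edu", "gov"}

def descriptor_to_package(descriptor: str) -> str:
    """'Lokhttp3/internal/Util;' -> 'okhttp3.internal' (JVM/DEX class descriptor form)."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError(f"not a class descriptor: {descriptor!r}")
    return ".".join(descriptor[1:-1].split("/")[:-1])

def is_standard(package: str) -> bool:
    return any(package == p.rstrip(".") or package.startswith(p) for p in STANDARD_PREFIXES)

def root_package(package: str, depth: int = 3) -> str:
    """Reverse-domain names keep the first `depth` segments; others (okio, okhttp3) keep the first."""
    parts = package.split(".")
    return ".".join(parts[:depth]) if parts[0] in REVERSE_DOMAIN_TLDS else parts[0]

def group_packages(descriptors, full_names: bool = False, depth: int = 3) -> dict:
    """Count classes per non-standard package, grouped by root (default) or by full package name."""
    counts = Counter()
    for d in descriptors:
        pkg = descriptor_to_package(d)
        if not pkg or is_standard(pkg):
            continue
        counts[pkg if full_names else root_package(pkg, depth)] += 1
    return dict(counts)

VERSION_ENTRY = re.compile(r"^META-INF/([^/]+)\.version$")

def read_version_markers(apk_bytes: bytes) -> dict:
    """Return {'group:artifact': version} from META-INF/<group>_<artifact>.version zip entries."""
    markers = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            m = VERSION_ENTRY.match(name)
            if not m or "_" not in m.group(1):
                continue
            group, _, artifact = m.group(1).partition("_")  # split on the first underscore only
            version = apk.read(name).decode("utf-8", "replace").strip()
            if version:
                markers[f"{group}:{artifact}"] = version
    return markers

def resolve_versions(grouped: dict, markers: dict) -> dict:
    """Join detected packages to markers whose Maven group id is the package or one of its prefixes."""
    by_group = {}
    for coord, version in markers.items():
        by_group.setdefault(coord.split(":", 1)[0], version)
    resolved = {}
    for pkg in grouped:
        hits = [g for g in by_group if pkg == g or pkg.startswith(g + ".")]
        resolved[pkg] = by_group[max(hits, key=len)] if hits else None
    return resolved

def build_sample_apk() -> bytes:
    """Constructed minimal APK-like zip, used only by this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", b"")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/androidx.core_core.version", "1.13.1\n")
        z.writestr("META-INF/com.squareup.okhttp3_okhttp.version", "4.12.0")  # constructed marker
        z.writestr("META-INF/com.example.sdk_sdk.version", "2.1.0")          # constructed marker
    return buf.getvalue()

# Constructed class descriptors standing in for a DEX class listing.
SAMPLE_CLASSES = [
    "Lokhttp3/OkHttpClient;",
    "Lokhttp3/internal/Util;",
    "Lokio/Buffer;",
    "Landroidx/core/app/ActivityCompat;",
    "Lkotlin/jvm/internal/Intrinsics;",
    "Lcom/example/app/MainActivity;",
    "Lcom/example/sdk/Tracker;",
]

def report(descriptors=SAMPLE_CLASSES, apk_bytes=None, full_names=False) -> dict:
    """{package: {'classes': n, 'version': str | None}} for the non-standard packages found."""
    apk_bytes = build_sample_apk() if apk_bytes is None else apk_bytes
    grouped = group_packages(descriptors, full_names=full_names)
    versions = resolve_versions(grouped, read_version_markers(apk_bytes))
    return {pkg: {"classes": n, "version": versions[pkg]} for pkg, n in sorted(grouped.items())}

if __name__ == "__main__":
    for pkg, info in report().items():
        print(f"{pkg:30} classes={info['classes']:<3} version={info['version'] or 'unknown'}")
```

Run it as-is to see the grouped report for the constructed sample; pass `full_names=True` to `report()` to get the un-grouped package list the feature request mentions as an option.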

Describe alternatives you’ve considered

  • Manual decompilation with JADX: works but is slow, repetitive, and hard to standardize across analysts.

  • Existing tools like LibScout or ClassyShark: outdated or not easily integrated into MobSF; they also lack simple export/reporting capabilities.

  • Gradle dependency trees: only available when we have the source code, not for third-party APKs.

Additional context

Labels

enhancement: MobSF enhancements and feature requests