Add firebase-apk-scanner skill for auditing Firebase in APKs (trailofbits#21)

* Reapply "Add firebase-apk-scanner skill for auditing Firebase in APKs"

This reverts commit 555a17c.

* Fix shellcheck and shfmt lint errors in scanner.sh

- Convert spaces to tabs for consistent indentation (shfmt)
- Add shellcheck disable for intentionally unused CYAN color variable
- Remove unused manifest_proj variable
- Replace for loops over find with while read loops (SC2044)
- Separate local declarations from assignments (SC2155)
- Replace sed calls with parameter expansion where possible (SC2001)
- Fix printf format string to avoid variable interpolation (SC2059)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Address code review feedback for firebase-apk-scanner

- Rename .claude_plugin/ to .claude-plugin/ to match convention
- Add plugin to root README.md under new "Mobile Security" category
- Change skill name from firebase-scan to firebase-apk-scanner for consistency

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix shfmt formatting in burp-search.sh

Convert spaces to tabs in case statement for consistent formatting.
This fixes a pre-existing CI failure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix shfmt formatting to use 2-space indentation per CI config

CI runs `shfmt -i 2 -ci` (2-space indent with case indentation).
Reformat both shell scripts to match.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix remaining shellcheck warnings in scanner.sh

- SC2015: Replace `A && B || C` with proper if-then-else
- SC2002: Remove useless cat, pass file directly to jq

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add disable-model-invocation to prevent automatic triggering

This skill makes external HTTP requests and performs security testing,
so it should only run when explicitly invoked via /firebase-apk-scanner.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: dguido

README.md

@@ -68,6 +68,12 @@ cd /path/to/parent  # e.g., if repo is at ~/projects/skills, be in ~/projects
 |--------|-------------|
 | [dwarf-expert](plugins/dwarf-expert/) | Interact with and understand the DWARF debugging format |
 
+### Mobile Security
+
+| Plugin | Description |
+|--------|-------------|
+| [firebase-apk-scanner](plugins/firebase-apk-scanner/) | Scan Android APKs for Firebase security misconfigurations |
+
 ### Development
 
 | Plugin | Description |

plugins/firebase-apk-scanner/.claude-plugin/plugin.json

@@ -0,0 +1,10 @@
+{
+  "name": "firebase-apk-scanner",
+  "version": "2.1.0",
+  "description": "Scan Android APKs for Firebase security misconfigurations including open databases, storage buckets, authentication issues, and exposed cloud functions. For authorized security research only.",
+  "author": {
+    "name": "Nick Sellier",
+    "email": "",
+    "url": ""
+  }
+}

plugins/firebase-apk-scanner/README.md

@@ -0,0 +1,85 @@
+# Firebase APK Security Scanner
+
+Scan Android APKs for Firebase security misconfigurations including open databases, exposed storage buckets, and authentication bypasses.
+
+## When to Use
+
+Use this skill when you need to:
+- Audit Android applications for Firebase misconfigurations
+- Test Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
+- Check authentication security (open signup, anonymous auth, email enumeration)
+- Enumerate Cloud Functions and test for unauthenticated access
+- Perform mobile app security assessments involving Firebase backends
+
+## When NOT to Use
+
+- Scanning apps you do not have explicit authorization to test
+- Testing production Firebase projects without written permission
+- When you only need to extract Firebase config without testing (use manual grep/strings instead)
+- For non-Android targets (iOS, web apps) - this skill is APK-specific
+- When the target app does not use Firebase
+
+## What It Does
+
+This skill automates Firebase security testing for Android applications. When invoked, Claude will:
+
+- **Decompile** the APK using apktool
+- **Extract** Firebase configuration from all sources (google-services.json, XML resources, assets, smali code, DEX strings)
+- **Test** authentication endpoints for misconfigurations
+- **Probe** Realtime Database and Firestore for open read/write access
+- **Check** Storage buckets for public listing and upload vulnerabilities
+- **Enumerate** Cloud Functions and test accessibility
+- **Generate** detailed reports with findings and remediation guidance
+
+## Key Features
+
+- Supports native Android, React Native, Flutter, and Cordova apps
+- Extracts config from 7+ sources including raw DEX binary strings
+- Tests 14 distinct vulnerability categories
+- Automatic cleanup of test data created during scans
+- Detailed vulnerability reference documentation included
+
+## Installation
+
+```
+/plugin install trailofbits/skills/plugins/firebase-apk-scanner
+```
+
+## Prerequisites
+
+Install required dependencies before use:
+
+**macOS:**
+```bash
+brew install apktool curl jq binutils
+```
+
+**Ubuntu/Debian:**
+```bash
+sudo apt install apktool curl jq unzip binutils
+```
+
+## Usage
+
+```
+/firebase-scan ./app.apk
+/firebase-scan ./apks/
+```
+
+Or run the standalone script directly:
+
+```bash
+./scanner.sh app.apk
+./scanner.sh ./apks/ --no-cleanup
+```
+
+## Vulnerability Categories
+
+| Category | Tests | Severity |
+|----------|-------|----------|
+| **Authentication** | Open signup, anonymous auth, email enumeration | Critical/High/Medium |
+| **Realtime Database** | Unauthenticated read/write, auth token bypass | Critical/High |
+| **Firestore** | Document access, collection enumeration | Critical/High |
+| **Storage** | Bucket listing, unauthenticated upload | Critical/High |
+| **Cloud Functions** | Unauthenticated access, function enumeration | Medium/Low |
+| **Remote Config** | Public parameter exposure | Medium |