-rw-r--r--.github/workflows/android-static-analysis.yml2
-rw-r--r--android/config/config.mobsf28
2 files changed, 29 insertions, 1 deletions
diff --git a/.github/workflows/android-static-analysis.yml b/.github/workflows/android-static-analysis.yml
index e34fa248fb..23e05376ad 100644
--- a/.github/workflows/android-static-analysis.yml
+++ b/.github/workflows/android-static-analysis.yml
@@ -24,4 +24,4 @@ jobs:
- name: Scan code
uses: MobSF/mobsfscan@main
with:
- args: '--type android android'
+ args: '--type android --config android/config/config.mobsf android'
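Review bot: The new `args` value makes the scan's outcome depend on the rule IDs listed in android/config/config.mobsf, while the step still takes the scanner from a moving branch (`uses: MobSF/mobsfscan@main`, unchanged context two lines above), so an upstream rule rename or a change to the config format would silently turn an ignore entry into a no-op, or break the job, without any change in this repository. Pinning the action to a release tag or commit SHA, e.g. `uses: MobSF/mobsfscan@<release-tag>`, keeps the scanner, its rule set and this ignore list moving together, and makes it possible to review the rule list when the pin is bumped. The job and the step list this step belongs to start before the hunk.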
diff --git a/android/config/config.mobsf b/android/config/config.mobsf
new file mode 100644
index 0000000000..0b00ae401a
--- /dev/null
+++ b/android/config/config.mobsf
@@ -0,0 +1,28 @@
+---
+- ignore-rules:
+ # Sensitive data isn't logged. There's also an external issue to scan log calls (DROID-527).
+ - android_kotlin_logging
+
+ # The kotlin code isn't responsible for any external API communication and therefore the risk for
+ # including sensitive credentials is very small. This check also caused many false-positives since
+ # the keyword "key" is used throughout the app to for arguments, bundles and preferences.
+ - android_kotlin_hardcoded
+
+ # Intentially not prevented due to a technical user base. We might however want to inform users,
+ # which is something we'll review in an externally tracked issue (DROID-528).
+ - android_root_detection
+ - android_safetynet
+
+ # The backend API communication is done by the Mullvad Daemon which is built in rust.
+ - android_ssl_pinning
+ - android_certificate_pinning
+ - android_certificate_transparency
+
+ # Sensitive screens currently prevent screenshots.
+ - android_prevent_screenshot
+
+ # Will be investigate in the externally tracked issue DROID-529.
+ - android_tapjacking
+
+ # We've currently decided to support Android 8.
+ - android_manifest_insecure_minsdk
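Review bot: Ignoring `android_kotlin_hardcoded` for the whole repository (second stanza) switches off hardcoded-credential detection for the entire Kotlin tree because one keyword is noisy, so a credential committed later would not be caught by this scan; a narrower exclusion (path-scoped if mobsfscan's config supports it, otherwise a dedicated secret scanner in CI) keeps the false positives down without giving up the check. The `android_prevent_screenshot` and `android_manifest_insecure_minsdk` entries record a point-in-time decision, so their comments should name a review trigger (a new sensitive screen, a minSdk bump) the way the DROID-527/528/529 entries already reference a ticket, otherwise the suppression outlives the reason for it. Three comment typos: `# the keyword "key" is used throughout the app for arguments, bundles and preferences.`, `# Intentionally not prevented due to a technical user base. We might however want to inform users,` and `# Will be investigated in the externally tracked issue DROID-529.`.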