diff --git a/LATER.md b/LATER.md index f49de7b..9b744aa 100644 --- a/LATER.md +++ b/LATER.md @@ -1,5 +1,6 @@ # Later +--- use si3e2e@thomas-guettler.de in tests. diff --git a/Taskfile.yml b/Taskfile.yml index 28e94c4..0f3af8d 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -159,34 +159,11 @@ tasks: Android platform 34 or higher not found. Install it with: ${ANDROID_HOME:-$HOME/Android/Sdk}/cmdline-tools/latest/bin/sdkmanager "build-tools;34.0.0" "platforms;android-34" - _mobsf-start: - internal: true - run: once - ignore_error: true - cmds: - - cmd: | - if ! docker ps -q --filter name=mobsf-sharedinbox | grep -q .; then - docker rm mobsf-sharedinbox 2>/dev/null || true - docker pull -q opensecurity/mobile-security-framework-mobsf:latest >/dev/null 2>&1 || true - docker run -d --rm \ - --name mobsf-sharedinbox \ - -p 8000:8000 \ - -e MOBSF_API_KEY=sharedinbox-dev \ - opensecurity/mobile-security-framework-mobsf:latest >/dev/null - fi - build-android: - desc: Build a release APK (runs MobSF security scan if docker is available) + desc: Build a release APK deps: [_preflight, _android-sdk-check, _pub-get] cmds: - ANDROID_HOME=${ANDROID_HOME:-$HOME/Android/Sdk} fvm flutter build apk --release --no-pub | grep -Ev "was tree-shaken|Tree-shaking can be disabled" - - task: _mobsf-start - - scripts/mobsf_scan.sh || true - - mobsf-stop: - desc: Stop the MobSF Docker container (started automatically by build-android) - cmds: - - docker stop mobsf-sharedinbox 2>/dev/null || true deploy-android: desc: Build release APK and upload via scp to $ANDROID_APK_SCP_USER@$ANDROID_APK_SCP_HOST:$ANDROID_APK_SCP_PATH diff --git a/done.md b/done.md index 93e2594..e9b14f0 100644 --- a/done.md +++ b/done.md 
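Review bot: The only command left in `build-android` pipes `fvm flutter build apk` into `grep -Ev`, so the task's exit status is grep's rather than the build's. A failed release build could therefore look successful to `deploy-android`, which may then upload a stale APK. That line is unchanged context, but with the scan steps removed it is now the whole task, so I would make the failure explicit by adding `set: [pipefail]` to the task. The `tasks:` mapping starts above the hunk, so a file-level `set:` may already exist; confirm before adding it.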
@@ -218,7 +218,7 @@ and the tile is briefly absent right after. Fixed in `pumpUntil` (5 s timeout) before the tap. Bundled with a coherent set of pre-existing infrastructure changes that make the full -pipeline (Linux + Android UI tests, MobSF scan, APK upload) work in `nix develop`: +pipeline (Linux + Android UI tests, APK upload) work in `nix develop`: - `flake.nix`: adds Linux desktop runtime libs (gtk3, mesa, libGL, libsecret, …) plus `PKG_CONFIG_PATH`, `LD_LIBRARY_PATH`, `LIBGL_ALWAYS_SOFTWARE=1`, and the libglvnd @@ -311,15 +311,10 @@ above a divider and the folder list. Tapping it closes the drawer and navigates ## Speed up `task deploy-android` -Two parallelism improvements: +Parallelism improvement: - `_integrations` internal task: runs `integration` and `integration-ui` in parallel (they use random Stalwart ports and different Flutter build targets so there is no conflict). -- `_mobsf-start` internal task: starts the MobSF Docker container as a dep of `build-android`, - so it warms up concurrently with the APK build instead of blocking for up to 90 s afterwards. -- `scripts/mobsf_scan.sh`: added `docker rm $CONTAINER_NAME 2>/dev/null || true` before - `docker run` to handle stopped-but-not-yet-removed containers (same fix applied to the new - `_mobsf-start` task). ## Android E2E test verifies APK before deploy diff --git a/scripts/mobsf_scan.sh b/scripts/mobsf_scan.sh deleted file mode 100755 index 2c595b6..0000000 --- a/scripts/mobsf_scan.sh +++ /dev/null 
@@ -1,87 +0,0 @@
-#!/usr/bin/env bash
-# Uploads the release APK to MobSF and checks for required Android permissions.
-# MobSF is started via Docker automatically if not already running.
-#
-# Usage: scripts/mobsf_scan.sh [path/to/app.apk]
-#
-# Environment variables:
-# MOBSF_URL — MobSF base URL (default: http://localhost:8000)
-# MOBSF_API_KEY — REST API key (default: sharedinbox-dev; must match the
-# value used when starting the container)
-#
-# First run pulls the MobSF Docker image (~1 GB); subsequent runs reuse it.
-set -Eeuo pipefail
-
-APK="${1:-build/app/outputs/flutter-apk/app-release.apk}"
-MOBSF_URL="${MOBSF_URL:-http://localhost:8000}"
-MOBSF_API_KEY="${MOBSF_API_KEY:-sharedinbox-dev}"
-CONTAINER_NAME="mobsf-sharedinbox"
-
-[[ -f "$APK" ]] || { echo "APK not found: $APK"; exit 1; }
-
-command -v docker >/dev/null 2>&1 || { echo "docker not found — install Docker to run MobSF scans"; exit 1; }
-
-# Start MobSF if not already running.
-if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -q "^${CONTAINER_NAME}$"; then
- echo "Starting MobSF Docker container (this may take a moment on first run)..."
- docker rm "$CONTAINER_NAME" 2>/dev/null || true
- # Pull quietly first so progress-bar noise doesn't overwrite other output.
- docker pull -q opensecurity/mobile-security-framework-mobsf:latest >/dev/null 2>&1
- docker run -d --rm \
- --name "$CONTAINER_NAME" \
- -p 8000:8000 \
- -e MOBSF_API_KEY="$MOBSF_API_KEY" \
- opensecurity/mobile-security-framework-mobsf:latest >/dev/null
-fi
-
-# Wait up to 90 s for MobSF to become ready.
-echo "Waiting for MobSF to be ready..."
-READY=0
-for _i in $(seq 1 90); do
- curl -s --max-time 2 "$MOBSF_URL/" >/dev/null 2>&1 && READY=1 && break
- sleep 1
-done
-[[ "$READY" -eq 1 ]] || { echo "MobSF did not become ready at $MOBSF_URL within 90 s"; exit 1; }
-
-# Upload APK.
-echo "Uploading $(basename "$APK") to MobSF..."
-UPLOAD=$(curl -s -F "file=@$APK" -H "Authorization: $MOBSF_API_KEY" "$MOBSF_URL/api/v1/upload")
-HASH=$(echo "$UPLOAD" | jq -r '.hash // empty')
-[[ -n "$HASH" ]] || { echo "Upload failed — response: $UPLOAD"; exit 1; }
-echo "Scan hash: $HASH"
-
-# Trigger scan.
-echo "Scanning..."
-curl -s -X POST \
- --data "hash=$HASH&re_scan=0" \
- -H "Authorization: $MOBSF_API_KEY" \
- "$MOBSF_URL/api/v1/scan" >/dev/null
-
-# Fetch JSON report.
-REPORT_FILE=$(mktemp /tmp/mobsf-report-XXXXXX.json)
-trap 'rm -f "$REPORT_FILE"' EXIT
-curl -s -X POST \
- --data "hash=$HASH" \
- -H "Authorization: $MOBSF_API_KEY" \
- "$MOBSF_URL/api/v1/report_json" >"$REPORT_FILE"
-
-# ── Permission checks ─────────────────────────────────────────────────────────
-
-FAIL=0
-
-check_permission() {
- local perm="$1"
- # MobSF returns permissions as an object keyed by permission name.
- if jq -e --arg p "$perm" '.permissions | has($p)' "$REPORT_FILE" >/dev/null 2>&1; then
- echo " OK : $perm"
- else
- echo " FAIL: $perm missing from AndroidManifest.xml"
- FAIL=1
- fi
-}
-
-echo "Checking required permissions..."
-check_permission "android.permission.INTERNET"
-
-[[ "$FAIL" -eq 0 ]] || { echo "MobSF scan failed — fix the issues above."; exit 1; }
-echo "MobSF scan passed."