A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.
- Decompiles APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
- Extracts and documents APIs: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens
- Traces call flows from Activities/Fragments through ViewModels and repositories down to HTTP calls
- Analyzes app structure: manifest, packages, architecture patterns
- Handles obfuscated code: strategies for navigating ProGuard/R8 output
- Optionally dumps runtime DEX with Frida when protected code only appears in memory
- Optionally traces native .so activity with load and JNI registration probes
- Optionally hands off native analysis into IDA Pro through ida-pro-mcp
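The API extraction listed above, as an added Python example that is not the skill's own code (its find-api-calls.sh is not reproduced here): it scans decompiled sources for Retrofit annotations, hardcoded URLs and auth-related string literals. The regexes, function names and the sample interface are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Retrofit HTTP-method annotations, e.g. @POST("v1/login")
RETROFIT = re.compile(r'@(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\(\s*"([^"]*)"')
# Hardcoded absolute URLs inside string literals
URL = re.compile(r'"(https?://[^"\s]+)"')
# Words that usually mark auth headers or tokens (heuristic, expect false positives)
AUTH_HINT = re.compile(r'authorization|api[-_]?key|bearer|token', re.I)

def scan_source(text, name="<memory>"):
    """Return Retrofit endpoints, hardcoded URLs and auth-related lines of one file."""
    findings = {"endpoints": [], "urls": [], "auth": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for verb, path in RETROFIT.findall(line):
            findings["endpoints"].append((name, lineno, verb, path))
        for url in URL.findall(line):
            findings["urls"].append((name, lineno, url))
        # Only flag lines that carry a string literal, to skip plain identifiers.
        if '"' in line and AUTH_HINT.search(line):
            findings["auth"].append((name, lineno, line.strip()))
    return findings

def scan_tree(root):
    """Walk a decompiler output directory and merge findings from every .java file."""
    merged = {"endpoints": [], "urls": [], "auth": []}
    for path in sorted(Path(root).rglob("*.java")):
        found = scan_source(path.read_text(errors="replace"), str(path))
        for key in merged:
            merged[key].extend(found[key])
    return merged

# Constructed sample resembling jadx output for an R8-obfuscated Retrofit interface:
# class and method names are renamed, but annotation strings survive obfuscation.
SAMPLE = '''
package a.b;
public interface c {
    @Headers({"X-Api-Key: REDACTED-PLACEHOLDER"})
    @POST("v1/auth/login")
    Call<d> a(@Body e eVar);

    @GET("v1/users/{id}")
    Call<f> b(@Path("id") String str, @Header("Authorization") String str2);
}
class g {
    static final String a = "https://api.example.com/";
}
'''

if __name__ == "__main__":
    for kind, rows in scan_source(SAMPLE, "a/b/c.java").items():
        for row in rows:
            print(kind, *row)
```

The same findings double as a review checklist for an app's own release build: any key or token that shows up in the `auth` list ships to every device that installs the APK.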
Required:
- Java JDK 17+
- jadx (CLI)
Optional (recommended):
- Vineflower or Fernflower — better output on complex Java code
- dex2jar — needed to use Fernflower on APK/DEX files
Optional for dynamic analysis:
- Frida host tooling and matching device-side frida-server
- adb
- ida-pro-mcp for IDA Pro handoff
See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.
Inside Claude Code, run:
/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
The skill will be permanently available in all future sessions.
The repository root is a Claude plugin, so it is not directly installable as a Codex skill without adaptation.
This fork includes a Codex-compatible package at:
codex-skills/android-reverse-engineering
Install it with Codex's bundled skill installer:
python3 ~/.codex/skills/.system/skill-installer/scripts/install-skill-from-github.py \
  --repo JackLee992/android-reverse-engineering-skill \
  --ref master \
  --path codex-skills/android-reverse-engineering
After installation, restart Codex to pick up the new skill.
The Codex package also includes optional runtime-analysis helpers.
# Check Frida/ADB/IDA MCP prerequisites
bash ~/.codex/skills/android-reverse-engineering/scripts/check-dynamic-deps.sh
# Dump runtime DEX files
bash ~/.codex/skills/android-reverse-engineering/scripts/run-frida-dexdump.sh \
--package com.example.app \
--output-dir output/runtime-dex
# Trace runtime native loads
bash ~/.codex/skills/android-reverse-engineering/scripts/run-frida-trace-loads.sh \
--package com.example.app \
--output output/native-loads.jsonl
# Trace JNI registrations
bash ~/.codex/skills/android-reverse-engineering/scripts/run-frida-trace-jni.sh \
--package com.example.app \
--output output/jni-trace.jsonl
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git
Then in Claude Code:
/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
/decompile path/to/app.apk
This runs the full workflow: dependency check, decompilation, and initial structure analysis.
The skill activates on phrases like:
- "Decompile this APK"
- "Reverse engineer this Android app"
- "Extract API endpoints from this app"
- "Follow the call flow from LoginActivity"
- "Analyze this AAR library"
The scripts can also be used standalone:
# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower
# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk
# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk
# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar
# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk
# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls
android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json              # Marketplace catalog
├── plugins/
│   └── android-reverse-engineering/
│       ├── .claude-plugin/
│       │   └── plugin.json           # Plugin manifest
│       ├── skills/
│       │   └── android-reverse-engineering/
│       │       ├── SKILL.md          # Core workflow (5 phases)
│       │       ├── references/
│       │       │   ├── setup-guide.md
│       │       │   ├── jadx-usage.md
│       │       │   ├── fernflower-usage.md
│       │       │   ├── api-extraction-patterns.md
│       │       │   ├── call-flow-analysis.md
│       │       │   ├── frida-setup.md
│       │       │   ├── dynamic-dex-unpack.md
│       │       │   ├── native-so-tracing.md
│       │       │   └── ida-pro-mcp.md
│       │       └── scripts/
│       │           ├── check-deps.sh
│       │           ├── install-dep.sh
│       │           ├── decompile.sh
│       │           ├── find-api-calls.sh
│       │           ├── check-dynamic-deps.sh
│       │           ├── run-frida-dexdump.sh
│       │           ├── run-frida-trace-loads.sh
│       │           └── run-frida-trace-jni.sh
│       └── commands/
│           └── decompile.md          # /decompile slash command
├── LICENSE
└── README.md
- jadx — Dex to Java decompiler
- Fernflower — JetBrains analytical decompiler
- Vineflower — Fernflower community fork
- dex2jar — DEX to JAR converter
- apktool — Android resource decoder
- dstmath/frida-unpack
- mrexodia/ida-pro-mcp
This plugin is provided strictly for lawful purposes, including but not limited to:
- Security research and authorized penetration testing
- Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
- Malware analysis and incident response
- Educational use and CTF competitions
You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.
The authors disclaim any liability for misuse of this tool.
Apache 2.0 — see LICENSE