claudeers.

🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?

Claim this page →
// DevOps & CI/CD

android-reverse-engineering-skill

Claude Code skill to support Android app's reverse engineering

// DevOps & CI/CD[ cli ][ api ][ web ][ mobile ][ claude ]#claude#devopsApache-2.0$open-sourceupdated 15 days ago
Actively maintained
100/100
last commit 29 days ago
last release 2 months ago
releases 1
open issues 5
// install
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill

Android Reverse Engineering & API Extraction — Claude Code skill

A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.

First-class Kotlin support: modern Android apps are Kotlin/KMP, heavily obfuscated with R8. This skill recovers the original Kotlin class names from metadata R8 cannot strip, and extracts APIs from Ktor, Apollo (GraphQL) and Koin — not just the classic Retrofit/OkHttp stack. See Kotlin name recovery below.

Windows / PowerShell support (experimental): The *.ps1 scripts alongside the bash ones are a recent community contribution, still being stabilised. For any issues please open an issue on this repository (not on the contributors' upstream forks): the PowerShell scripts are maintained here by @SimoneAvogadro.

What it does

CapabilityDescription
Fingerprint first (Phase 0)Triage an APK/XAPK in seconds — detect the framework (Flutter / React Native / Cordova / Xamarin / native-Kotlin), HTTP stack, obfuscation level and native libs before spending time on a full decompile
DecompileAPK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
Recover Kotlin namesRebuild original *Repository / *ViewModel / *UseCase class names from R8-obfuscated binaries using Kotlin metadata that R8 cannot strip
Extract APIsRetrofit, OkHttp, Volley and modern Kotlin/KMP stacks: Ktor, Apollo (GraphQL), Koin DI — endpoints, hardcoded URLs, auth headers, tokens and HMAC request-signing schemes
Trace call flowsFrom Activities/Fragments through ViewModels and repositories down to HTTP calls
Analyze structureManifest, packages, architecture patterns
Handle obfuscationR8-resistant path/URL extraction plus strategies for navigating ProGuard/R8 output

Requirements

Required:

  • Java JDK 17+
  • jadx (CLI)

Optional (recommended):

See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.

Installation

Inside Claude Code, run:

/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

The skill will be permanently available in all future sessions.

From a local clone

git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git

Then in Claude Code:

/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

Usage

Slash command

/decompile path/to/app.apk

This runs the full workflow: dependency check, decompilation, and initial structure analysis.

Natural language

The skill activates on phrases like:

  • "Decompile this APK"
  • "Reverse engineer this Android app"
  • "Extract API endpoints from this app"
  • "Follow the call flow from LoginActivity"
  • "Analyze this AAR library"

Manual scripts

The scripts can also be used standalone:

# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower

# Fingerprint an APK/XAPK BEFORE decompiling (Phase 0 triage):
# framework, HTTP stack, obfuscation level, native libs, notable SDKs
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/fingerprint.sh app.apk

# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk

# Find API calls — defaults to a full scan across every supported stack
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls

# Modern Kotlin/KMP stacks and obfuscation-resistant extraction
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --ktor    # Ktor client
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --apollo  # Apollo / GraphQL
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --paths   # quoted path literals that survive R8 inlining

Kotlin name recovery (R8 deobfuscation)

Most real-world Kotlin/KMP apps ship through R8, so the decompiled classes come out as a.b.c. R8 renames the JVM symbols but cannot strip the Kotlin metadata strings — the Kotlin runtime (reflection, coroutines) needs the original fully-qualified names at runtime. This skill mines those @DebugMetadata / @Metadata annotations to rebuild an obfuscated → real class-name map. On a typical app it recovers ~100 % of the *Repository / *ViewModel / *UseCase / *Impl classes you actually want to read.

# 1. Build the mapping from the decompiled sources
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/recover-kotlin-names.sh output/sources/ output/names/
#    → output/names/mapping.tsv, mapping.json, by_package/

# 2. Query it: resolve an obfuscated name, search by real name, or grep
#    the sources with each hit annotated with its recovered class name
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ LoginRepository
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ -o a.b.c
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ --grep 'login' output/sources/

Repository Structure

android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json                    # Marketplace catalog
├── plugins/
│   └── android-reverse-engineering/
│       ├── .claude-plugin/
│       │   └── plugin.json                 # Plugin manifest
│       ├── skills/
│       │   └── android-reverse-engineering/
│       │       ├── SKILL.md                # Core workflow (Phase 0–5)
│       │       ├── references/
│       │       │   ├── setup-guide.md
│       │       │   ├── jadx-usage.md
│       │       │   ├── fernflower-usage.md
│       │       │   ├── api-extraction-patterns.md
│       │       │   ├── kotlin-name-recovery.md
│       │       │   ├── third_party_hosts.txt   # denylist for first/third-party bucketing
│       │       │   └── call-flow-analysis.md
│       │       └── scripts/
│       │           ├── check-deps.sh       # Bash
│       │           ├── check-deps.ps1      # PowerShell
│       │           ├── install-dep.sh
│       │           ├── install-dep.ps1
│       │           ├── decompile.sh
│       │           ├── decompile.ps1
│       │           ├── fingerprint.sh          # Phase 0 — pre-decompile triage
│       │           ├── recover-kotlin-names.sh # R8 → real Kotlin class names
│       │           ├── lookup-name.sh          # query the recovered name map
│       │           ├── find-api-calls.sh
│       │           └── find-api-calls.ps1
│       └── commands/
│           └── decompile.md                # /decompile slash command
├── LICENSE
└── README.md

References

Acknowledgments

Thanks to the contributors who have shaped this skill:

  • @tajchert — Phase 0 fingerprinting, R8-resistant Kotlin name recovery (recover-kotlin-names.sh, lookup-name.sh), and Ktor / Apollo / Koin / HMAC extraction patterns (#16)
  • @philjn — Native Windows / PowerShell support (check-deps.ps1, install-dep.ps1, decompile.ps1, find-api-calls.ps1) and split/bundled APK detection in decompile.sh (#8)
  • @txhno — Migration to the maintained ThexXTURBOXx/dex2jar fork (#12)
  • @muqiao215 — Decompile partial-success handling, Fernflower timeout safeguard, intermediate-artifact directory (#10)
  • @kevinaimonster — Chinese localization (SKILL.md discovery keywords) (#4)

Disclaimer

This plugin is provided strictly for lawful purposes, including but not limited to:

  • Security research and authorized penetration testing
  • Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
  • Malware analysis and incident response
  • Educational use and CTF competitions

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE

// compatibility

Platformscli, api, web, mobile
Operating systems
AI compatibilityclaude
LicenseApache-2.0
Pricingopen-source
LanguageShell

// faq

What is android-reverse-engineering-skill?

Claude Code skill to support Android app's reverse engineering. It is open-source on GitHub.

Is android-reverse-engineering-skill free to use?

android-reverse-engineering-skill is open-source under the Apache-2.0 license, so it is free to use.

What category does android-reverse-engineering-skill belong to?

android-reverse-engineering-skill is listed under skills in the Claudeers registry of Claude-compatible tools.

0 views
6,318 stars
unclaimed
updated 15 days ago

// embed badge

android-reverse-engineering-skill on Claudeers
[![Claudeers](https://claudeers.com/api/badge/android-reverse-engineering-skill.svg)](https://claudeers.com/android-reverse-engineering-skill)

// retro hit counter

android-reverse-engineering-skill hit counter
[![Hits](https://claudeers.com/api/counter/android-reverse-engineering-skill.svg)](https://claudeers.com/android-reverse-engineering-skill)

// reviews

// guestbook

0/500

// related in DevOps & CI/CD

🔓

⭐AI-driven public opinion & trend monitor with multi-platform aggregation, RSS, and smart alerts.🎯 告别信息过载,你的 AI 舆情监控助手与热点筛选工具!聚合多平台热点 + RSS 订阅,支持关键词精准筛选。AI…

// devopssansan0/Python60,216GPL-3.0[ claude ]
🔓

Use Claude Code as the foundation for coding infrastructure, allowing you to decide how to interact with the model while enjoying updates from Anthropic.

// devopsmusistudio/TypeScript35,590MIT[ claude ]
🔓

Professional Antigravity Account Manager & Switcher. One-click seamless account switching for Antigravity Tools. Built with Tauri v2 + React (Rust).专业的 Antig…

// devopslbjlaq/Rust29,988NOASSERTION[ claude ]

// built by

→ see how android-reverse-engineering-skill connects across the ecosystem