SimoneAvogadro / android-reverse-engineering-skill
Summary
A new Claude Code skill enables the decompilation of Android APK, XAPK, JAR, and AAR files to extract and document HTTP APIs without requiring the original source code. This tool utilizes `jadx` and optionally `Fernflower` or `Vineflower` for decompilation, supporting single-engine or side-by-side comparisons. It identifies Retrofit endpoints, OkHttp calls, hardcoded URLs, and authentication patterns, while also tracing call flows from UI components to HTTP requests. The skill analyzes app structure, including manifests and architecture, and incorporates strategies for navigating obfuscated code produced by ProGuard/R8. It requires Java JDK 17+ and `jadx`, with `Vineflower` or `Fernflower` and `dex2jar` recommended for enhanced functionality.
Key takeaway
For security researchers or malware analysts needing to understand Android application behavior without source code, this Claude Code skill streamlines the reverse engineering process. You can quickly extract critical API endpoints, authentication methods, and call flows, which is invaluable for vulnerability assessment, interoperability analysis, or incident response. Ensure your use complies with all applicable laws and terms of service.
Key insights
Decompile Android apps to extract HTTP API details and call flows, even from obfuscated code.
Principles
- Automate API extraction from compiled Android binaries.
- Support multiple decompilation engines for robustness.
Method
The skill decompiles Android binaries using `jadx` (and optionally `Fernflower`/`Vineflower`), then analyzes the resulting source to identify API calls, authentication patterns, and trace call flows from UI components.
In practice
- Use `/decompile path/to/app.apk` for the full workflow.
- Specify `--engine fernflower` for alternative decompilation.
- Run `find-api-calls.sh` on decompiled sources.
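
The kind of pass the last step describes, as an added example: this is not the skill's `find-api-calls.sh`, whose contents are not shown here. It scans decompiled Java text for Retrofit annotations, OkHttp `.url(...)` calls, hardcoded URLs, and auth header names. The sample sources, the regexes, and the `scan` function are all constructed for illustration.

```python
import re

# Constructed jadx-style decompiled output (hypothetical app, renamed classes).
SAMPLE_SOURCES = {
    "com/example/api/a.java": '''
public interface a {
    @GET("v1/users/{id}")
    Call<User> a(@Path("id") String str, @Header("Authorization") String str2);

    @POST("v1/login")
    @Headers({"X-Api-Key: PLACEHOLDER"})
    Call<Token> b(@Body LoginBody loginBody);
}
''',
    "com/example/net/b.java": '''
public final class b {
    private static final String f0a = "https://api.example.invalid/";
    public Response a(OkHttpClient c) throws IOException {
        Request r = new Request.Builder().url("https://cdn.example.invalid/config.json").build();
        return c.newCall(r).execute();
    }
}
''',
}

# Retrofit annotation values and string constants usually remain readable
# after ProGuard/R8 renaming, so they are matched instead of class names.
RETROFIT = re.compile(r'@(GET|POST|PUT|DELETE|PATCH|HEAD)\(\s*"([^"]*)"\s*\)')
OKHTTP_URL = re.compile(r'\.url\(\s*"([^"]+)"\s*\)')
ANY_URL = re.compile(r'"(https?://[^"\s]+)"')
AUTH_HINT = re.compile(r'"(Authorization|X-Api-Key)\b', re.IGNORECASE)

def scan(sources):
    """Return (path, line, kind, value) findings in file and line order."""
    findings = []
    for path in sorted(sources):
        for lineno, line in enumerate(sources[path].splitlines(), 1):
            for m in RETROFIT.finditer(line):
                findings.append((path, lineno, "retrofit", f"{m.group(1)} {m.group(2)}"))
            okhttp = [m.group(1) for m in OKHTTP_URL.finditer(line)]
            findings += [(path, lineno, "okhttp", u) for u in okhttp]
            for m in ANY_URL.finditer(line):
                if m.group(1) not in okhttp:  # avoid double-reporting .url("...")
                    findings.append((path, lineno, "hardcoded-url", m.group(1)))
            for m in AUTH_HINT.finditer(line):
                findings.append((path, lineno, "auth", m.group(1)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCES):
        print("{}:{}  {:<14} {}".format(*f))
```

Relative Retrofit paths such as `v1/login` still need the base URL, which is why the hardcoded-URL findings are reported alongside them.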
Topics
- Android Reverse Engineering
- API Extraction
- Decompilation
- jadx
- Obfuscated Code Analysis
Code references
- skylot/jadx
- Vineflower/vineflower
- JetBrains/fernflower
- pxb1988/dex2jar
- SimoneAvogadro/android-reverse-engineering-skill
Best for: AI Security Engineer, Security Engineer, Research Scientist
Editorial summary, takeaway, and curation by AIssential. Original article published by GitHub Trending: All languages.