New merge-splits.sh script merges XAPK split APK contents (native libs,
resources, manifest cleanup) into the decoded base directory, enabling
single APK output installable via standard adb install. rebuild-apk.sh
gains --single-apk flag with auto-detection via .merged marker. SKILL.md
updated with Phase 5a/5b/5c workflow for XAPK rebuild choice.
Fixed plugin.json version from 1.0.0 to 1.2.0 to match marketplace.json.
Added versioning guidance to CLAUDE.md to prevent future mismatches.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- decode-apk.sh preserves XAPK structure (.xapk-origin/) with splits, manifest, and metadata for automatic reassembly
- rebuild-apk.sh detects .xapk-origin/, re-signs all split APKs, and assembles final .xapk output
- Add --auto-keystore flag: prioritizes ~/.android/debug.keystore → previous debug key → generated key
- Add neutralize-all compound target to install-dep.sh (java + apktool + apksigner + zip in one command)
- Add apktool version check (>= 2.9.0) with automatic upgrade from GitHub releases
- Add install_zip() and zip dependency check for XAPK rebuild
- All scripts now prepend ~/.local/bin to PATH for user-local tool installs
- Update SKILL.md Phase 3 with built-in catalog detection workflow and custom SDK discovery using Claude Code tools
- Update neutralize.md, CLAUDE.md, and README.md with XAPK and auto-keystore documentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Bump marketplace/plugin version to 1.2.0 with sdk-neutralizer keywords
- Add smali/baksmali and apksigner installers to install-dep.sh
- Add --entrypoints flag to find-trackers.sh for app-code-only SDK call detection
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Six improvements from real-world testing on Water Sort Puzzle XAPK:
- Fix manifest patching creating duplicate android:enabled attributes when
the component already has android:enabled="true" (3-way check logic)
- Add decode-apk.sh with XAPK support (auto-extracts base APK, skips splits)
- Add apktool >= 2.9.0 minimum version check in check-neutralize-deps.sh
- Add --no-res fallback in rebuild-apk.sh when apktool build fails on resources
- Add 13 missing manifest components (Vungle new SDK, Meta AN provider,
AppLovin/BidMachine/IronSource init providers, Amazon APS, Pangle/Mintegral
activities, Smaato, AppsFlyer internal receiver)
- Add patch persistence via neutralize-manifest.json and --replay flag
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduces two new skills for privacy auditing of decompiled Android apps:
- tracker-analysis: 4-phase workflow detecting Firebase, Adjust, AppsFlyer,
Mixpanel, Amplitude, Segment, Braze, CleverTap, Flurry with init/events/
consent/data exfiltration analysis
- ad-analysis: 3-phase workflow detecting AdMob, Unity, IronSource, AppLovin,
Meta AN, Vungle, InMobi, Chartboost, Pangle, Mintegral with ad format
mapping, mediation analysis, and consent framework detection
Key addition: --entrypoints flag in find-ads.sh distinguishes SDKs actively
called by app code from passive mediation adapter dependencies, enabling
accurate "Ad Architecture" classification (single mediator / multiple direct /
hybrid).
Also improves install-dep.sh sudo detection for non-interactive environments
(Claude Code, CI, pipes) and adds CLAUDE.md project instructions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add keywords, skills and commands paths to plugin.json
- Add argument-hint to decompile command for better UX
- Add description to SKILL.md frontmatter for skill auto-matching
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Simone Avogadro