Claude Code skill to support Android app's reverse engineering
Simone Avogadro 79daacdaa2 chore: bump plugin version to 1.4.0
Reflects features added since 1.3.1:
- Merged upstream master (PowerShell support, dex2jar fork migration,
  decompile partial-success + Fernflower timeout, Chinese localization,
  README badges/TOC/Acknowledgments)

Updates:
- .claude-plugin/marketplace.json (metadata.version + plugins[0].version)
- plugins/android-reverse-engineering/.claude-plugin/plugin.json (version)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 23:00:12 +02:00
.claude-plugin chore: bump plugin version to 1.4.0 2026-04-27 23:00:12 +02:00
plugins/android-reverse-engineering chore: bump plugin version to 1.4.0 2026-04-27 23:00:12 +02:00
.gitattributes ADDED: .gitattributes for better WSL/Windows cooperation 2026-03-02 11:36:38 +01:00
.gitignore SDK Neutralizer v4: JSON registry with 29 SDKs and registry-scan.py 2026-04-27 09:43:39 +02:00
CLAUDE.md SDK Neutralizer v4: JSON registry with 29 SDKs and registry-scan.py 2026-04-27 09:43:39 +02:00
LICENSE Fix GitHub username in all repository URLs and LICENSE 2026-02-02 21:06:15 +01:00
README.md Merge master into trackers-and-ads 2026-04-27 12:43:21 +02:00

README.md

Android Reverse Engineering & API Extraction — Claude Code skill

A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files, extracts HTTP APIs, audits privacy by detecting tracker/analytics and advertising SDKs, and neutralizes SDK telemetry at the smali bytecode level for enterprise deployment — so you can document endpoints, understand data collection, assess ad monetization, and produce sanitized APKs without the original source code.

Windows / PowerShell support (experimental): The *.ps1 scripts alongside the bash ones are a recent community contribution, still being stabilised. For any issues please open an issue on this repository (not on the contributors' upstream forks): the PowerShell scripts are maintained here by @SimoneAvogadro.

What it does

| Capability | Description |
|---|---|
| Decompile | APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison) |
| Extract APIs | Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens |
| Trace call flows | From Activities/Fragments through ViewModels and repositories down to HTTP calls |
| Detect tracker/analytics SDKs | Firebase Analytics, Adjust, AppsFlyer, Mixpanel, Amplitude, Segment, Braze, CleverTap, Flurry — with deep analysis of init, events, user identification, consent, and data exfiltration endpoints |
| Detect advertising SDKs | AdMob, Unity Ads, IronSource/LevelPlay, AppLovin/MAX, Meta Audience Network, Vungle, InMobi, Chartboost, Pangle, Mintegral — with ad format mapping, mediation analysis, and consent framework detection |
| Neutralize SDK entry points | Replace tracker/ad SDK method bodies with no-op stubs at the smali level, disable manifest components, and rebuild a signed APK for enterprise sideloading |
| Analyze structure | Manifest, packages, architecture patterns |
| Handle obfuscation | Strategies for navigating ProGuard/R8 output |

Requirements

Required:

  • Java JDK 17+
  • jadx (CLI)

Optional (recommended):

For SDK neutralization (/neutralize):

  • apktool (required) — APK decode/rebuild
  • apksigner or jarsigner (required) — APK signing (apksigner required for XAPK)
  • zip (required for XAPK rebuild)

See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.

Installation

Inside Claude Code, run:

/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

The skill will be permanently available in all future sessions.

Permissions

Claude Code will ask for approval when the skill runs bash scripts (e.g., neutralize.sh, find-ads.sh, apktool). This is standard Claude Code security behaviour — allowed-tools in skills declares which tools may be used, but does not bypass your permission settings.

To avoid repeated prompts, you can either:

  • Per-session: when prompted, select "Yes, and don't ask again for: bash:*"
  • Permanent: add the following to your ~/.claude/settings.json:
{
  "permissions": {
    "allow": [
      "Bash(bash */sdk-neutralizer/scripts/*)",
      "Bash(bash */ad-analysis/scripts/*)",
      "Bash(bash */tracker-analysis/scripts/*)",
      "Bash(bash */android-reverse-engineering/scripts/*)",
      "Bash(apktool *)"
    ]
  }
}

From a local clone

git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git

Then in Claude Code:

/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

Usage

Slash commands

/decompile path/to/app.apk

Runs the full workflow: dependency check, decompilation, and initial structure analysis.

/find-trackers path/to/decompiled/sources/

Detects analytics/tracker SDKs and produces a privacy report with init patterns, events, user identification, consent handling, and data endpoints.

/find-ads path/to/decompiled/sources/

Detects advertising SDKs and produces a report with ad formats, mediation setup, ad unit IDs, and consent framework analysis.

/neutralize path/to/app.apk

Neutralizes tracker/ad SDK entry points in the APK, producing a sanitized APK for enterprise sideloading with telemetry disabled.

Warning: SDK neutralization modifies bytecode and can cause crashes, broken features, or unexpected behaviour. The APK signature is invalidated. Ensure you have authorization to modify the application and that your use complies with applicable laws and the app's EULA. See the Disclaimer for details.

Natural language

The skills activate on phrases like:

  • "Decompile this APK"
  • "Reverse engineer this Android app"
  • "Extract API endpoints from this app"
  • "Follow the call flow from LoginActivity"
  • "Analyze this AAR library"
  • "Find trackers in this app"
  • "What analytics SDKs does this app use?"
  • "Detect ad networks in this app"
  • "Show me the ad mediation setup"
  • "Neutralize trackers in this APK"
  • "Remove telemetry from this app"
  • "Sanitize this APK for enterprise deployment"

Manual scripts

The scripts can also be used standalone:

# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower

# Install ALL neutralizer dependencies at once (java, apktool, apksigner, zip)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh neutralize-all

# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls

# Find tracker/analytics SDKs
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/ --firebase
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/ --adjust

# Find advertising SDKs
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/ --admob
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/ --mediation

# Neutralize SDK entry points (decode → patch → rebuild)
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/decode-apk.sh app.apk -o app-decoded
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all --dry-run
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/rebuild-apk.sh app-decoded --auto-keystore

# XAPK full round-trip — decode preserves splits, rebuild reassembles XAPK
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/decode-apk.sh app-bundle.xapk -o app-decoded
# .xapk-origin/ now contains splits/, manifest.json, metadata.json
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all --dry-run
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/rebuild-apk.sh app-decoded --auto-keystore
# → produces app-decoded-neutralized.xapk with all splits re-signed

# Replay previous patches after re-decoding
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --replay
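
Because the rebuild re-signs the base APK and every split, a useful check before handing the result to MDM is that all of them verify and carry the same signer, since Android refuses to install splits whose signing certificate differs from the base APK. The following is an added example, not one of this repository's scripts; the function names `signer_digest` and `check_signers` and the `APKSIGNER` override variable are assumptions of the example, and it relies on the `Signer #1 certificate SHA-256 digest:` line that `apksigner verify --print-certs` prints.

```shell
# Added example: confirm that rebuilt APK splits verify and share one signer.
# Assumes apksigner (Android build-tools) is on PATH; set APKSIGNER to use
# another binary.

# Read `apksigner verify --print-certs` output on stdin and print the
# SHA-256 digest of the first signer's certificate.
signer_digest() {
  sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | head -n 1
}

# check_signers ORIGINAL_DIGEST APK...
# ORIGINAL_DIGEST is the signer digest of the untouched vendor APK.
# Prints the common signer digest and returns 0 when every APK verifies,
# all share one signer, and that signer is not the vendor certificate.
# Returns 1 on a signer mismatch between APKs, 2 when an APK fails
# verification or reports no signer, 3 when the files still carry the
# vendor certificate (the originals were passed instead of the rebuild).
check_signers() {
  cs_original=$1
  shift
  cs_first=""
  for cs_apk in "$@"; do
    cs_out=$("${APKSIGNER:-apksigner}" verify --print-certs "$cs_apk" 2>/dev/null) || return 2
    cs_digest=$(printf '%s\n' "$cs_out" | signer_digest)
    [ -n "$cs_digest" ] || return 2
    if [ -z "$cs_first" ]; then
      cs_first=$cs_digest
    fi
    [ "$cs_digest" = "$cs_first" ] || return 1
  done
  [ -n "$cs_first" ] || return 2
  [ "$cs_first" != "$cs_original" ] || return 3
  printf '%s\n' "$cs_first"
}

# Typical use after unzipping the rebuilt XAPK into ./rebuilt/ :
#   orig=$(apksigner verify --print-certs original-base.apk | signer_digest)
#   check_signers "$orig" rebuilt/*.apk
```

The digest it prints is the value to record as the expected signer for the sideloaded build.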

Repository Structure

android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json                    # Marketplace catalog
├── plugins/
│   └── android-reverse-engineering/
│       ├── .claude-plugin/
│       │   └── plugin.json                 # Plugin manifest
│       ├── skills/
│       │   ├── android-reverse-engineering/ # Core RE skill
│       │   │   ├── SKILL.md                # 5-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── setup-guide.md
│       │   │   │   ├── jadx-usage.md
│       │   │   │   ├── fernflower-usage.md
│       │   │   │   ├── api-extraction-patterns.md
│       │   │   │   └── call-flow-analysis.md
│       │   │   └── scripts/
│       │   │       ├── check-deps.sh       # Bash
│       │   │       ├── check-deps.ps1      # PowerShell
│       │   │       ├── install-dep.sh
│       │   │       ├── install-dep.ps1
│       │   │       ├── decompile.sh
│       │   │       ├── decompile.ps1
│       │   │       ├── find-api-calls.sh
│       │   │       └── find-api-calls.ps1
│       │   ├── tracker-analysis/            # Tracker/analytics SDK detection
│       │   │   ├── SKILL.md                # 4-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── tracker-sdk-catalog.md
│       │   │   │   ├── tracker-init-patterns.md
│       │   │   │   └── data-exfiltration-patterns.md
│       │   │   └── scripts/
│       │   │       └── find-trackers.sh
│       │   ├── ad-analysis/                 # Advertising SDK detection
│       │   │   ├── SKILL.md                # 3-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── ad-sdk-catalog.md
│       │   │   │   ├── mediation-patterns.md
│       │   │   │   └── ad-format-patterns.md
│       │   │   └── scripts/
│       │   │       └── find-ads.sh
│       │   └── sdk-neutralizer/             # SDK neutralization for enterprise
│       │       ├── SKILL.md                # 6-phase workflow
│       │       ├── references/
│       │       │   ├── neutralization-guide.md
│       │       │   └── smali-patterns.md
│       │       └── scripts/
│       │           ├── check-neutralize-deps.sh
│       │           ├── decode-apk.sh
│       │           ├── merge-splits.sh
│       │           ├── neutralize.sh
│       │           ├── rebuild-apk.sh
│       │           └── registry-scan.py
│       └── commands/
│           ├── decompile.md                # /decompile slash command
│           ├── find-trackers.md            # /find-trackers slash command
│           ├── find-ads.md                 # /find-ads slash command
│           └── neutralize.md               # /neutralize slash command
├── LICENSE
└── README.md

Acknowledgments

Thanks to the contributors who have shaped this skill:

  • @philjn — Native Windows / PowerShell support (check-deps.ps1, install-dep.ps1, decompile.ps1, find-api-calls.ps1) and split/bundled APK detection in decompile.sh (#8)
  • @txhno — Migration to the maintained ThexXTURBOXx/dex2jar fork (#12)
  • @muqiao215 — Decompile partial-success handling, Fernflower timeout safeguard, intermediate-artifact directory (#10)
  • @kevinaimonster — Chinese localization (SKILL.md discovery keywords) (#4)

Disclaimer

This plugin is provided strictly for lawful purposes, including but not limited to:

  • Security research and authorized penetration testing
  • Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
  • Malware analysis and incident response
  • Educational use and CTF competitions
  • Enterprise privacy compliance and data minimisation (GDPR Art. 5(1)(c))
  • Authorized internal distribution of sanitized applications

SDK neutralization modifies APK bytecode and invalidates the original signature. The resulting APK will fail Play Integrity checks and is intended only for enterprise sideloading via MDM or authorized internal distribution. Using this feature to circumvent digital rights management for unauthorized purposes is prohibited.

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE