Claude Code skill to support Android app's reverse engineering
Simone Avogadro e06f794112 SDK Neutralizer v2: fix duplicate attrs, XAPK support, version check, build fallback, new patterns, replay
Six improvements from real-world testing on Water Sort Puzzle XAPK:

- Fix manifest patching creating duplicate android:enabled attributes when
  the component already has android:enabled="true" (3-way check logic)
- Add decode-apk.sh with XAPK support (auto-extracts base APK, skips splits)
- Add apktool >= 2.9.0 minimum version check in check-neutralize-deps.sh
- Add --no-res fallback in rebuild-apk.sh when apktool build fails on resources
- Add 13 missing manifest components (Vungle new SDK, Meta AN provider,
  AppLovin/BidMachine/IronSource init providers, Amazon APS, Pangle/Mintegral
  activities, Smaato, AppsFlyer internal receiver)
- Add patch persistence via neutralize-manifest.json and --replay flag

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 19:03:40 +01:00
.claude-plugin Add tracker-analysis and ad-analysis skills with active vs passive SDK detection 2026-03-02 15:10:47 +01:00
plugins/android-reverse-engineering SDK Neutralizer v2: fix duplicate attrs, XAPK support, version check, build fallback, new patterns, replay 2026-03-02 19:03:40 +01:00
.gitattributes ADDED: .gitattributes for better WSL/Windows cooperation 2026-03-02 11:36:38 +01:00
CLAUDE.md SDK Neutralizer v2: fix duplicate attrs, XAPK support, version check, build fallback, new patterns, replay 2026-03-02 19:03:40 +01:00
LICENSE Fix GitHub username in all repository URLs and LICENSE 2026-02-02 21:06:15 +01:00
README.md SDK Neutralizer v2: fix duplicate attrs, XAPK support, version check, build fallback, new patterns, replay 2026-03-02 19:03:40 +01:00

README.md

Android Reverse Engineering & API Extraction — Claude Code skill

A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files, extracts HTTP APIs, audits privacy by detecting tracker/analytics and advertising SDKs, and neutralizes SDK telemetry at the smali bytecode level for enterprise deployment — so you can document endpoints, understand data collection, assess ad monetization, and produce sanitized APKs without the original source code.

What it does

  • Decompiles APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
  • Extracts and documents APIs: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens
  • Traces call flows from Activities/Fragments through ViewModels and repositories down to HTTP calls
  • Detects tracker/analytics SDKs: Firebase Analytics, Adjust, AppsFlyer, Mixpanel, Amplitude, Segment, Braze, CleverTap, Flurry — with deep analysis of init, events, user identification, consent, and data exfiltration endpoints
  • Detects advertising SDKs: AdMob, Unity Ads, IronSource/LevelPlay, AppLovin/MAX, Meta Audience Network, Vungle, InMobi, Chartboost, Pangle, Mintegral — with ad format mapping, mediation analysis, and consent framework detection
  • Neutralizes SDK entry points: replaces tracker/ad SDK method bodies with no-op stubs at the smali level, disables manifest components, and rebuilds a signed APK for enterprise sideloading
  • Analyzes app structure: manifest, packages, architecture patterns
  • Handles obfuscated code: strategies for navigating ProGuard/R8 output

Requirements

Required:

  • Java JDK 17+
  • jadx (CLI)

Optional (recommended):

For SDK neutralization (/neutralize):

  • apktool (required) — APK decode/rebuild
  • apksigner or jarsigner (required) — APK signing

See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.

Installation

Inside Claude Code, run:

/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

The skill will be permanently available in all future sessions.

Permissions

Claude Code will ask for approval when the skill runs bash scripts (e.g., neutralize.sh, find-ads.sh, apktool). This is standard Claude Code security behaviour — allowed-tools in skills declares which tools may be used, but does not bypass your permission settings.

To avoid repeated prompts, you can either:

  • Per-session: when prompted, select "Yes, and don't ask again for: bash:*"
  • Permanent: add the following to your ~/.claude/settings.json:
{
  "permissions": {
    "allow": [
      "Bash(bash */sdk-neutralizer/scripts/*)",
      "Bash(bash */ad-analysis/scripts/*)",
      "Bash(bash */tracker-analysis/scripts/*)",
      "Bash(bash */android-reverse-engineering/scripts/*)",
      "Bash(apktool *)"
    ]
  }
}

From a local clone

git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git

Then in Claude Code:

/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

Usage

Slash commands

/decompile path/to/app.apk

Runs the full workflow: dependency check, decompilation, and initial structure analysis.

/find-trackers path/to/decompiled/sources/

Detects analytics/tracker SDKs and produces a privacy report with init patterns, events, user identification, consent handling, and data endpoints.

/find-ads path/to/decompiled/sources/

Detects advertising SDKs and produces a report with ad formats, mediation setup, ad unit IDs, and consent framework analysis.

/neutralize path/to/app.apk

Neutralizes tracker/ad SDK entry points in the APK, producing a sanitized APK for enterprise sideloading with telemetry disabled.

Warning: SDK neutralization modifies bytecode and can cause crashes, broken features, or unexpected behaviour. The APK signature is invalidated. Ensure you have authorization to modify the application and that your use complies with applicable laws and the app's EULA. See the Disclaimer for details.
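The manifest half of neutralization ("disables manifest components") comes down to setting android:enabled="false" on each SDK component without writing the attribute twice, since a duplicated attribute leaves the XML malformed. The script below is an added illustration, not the project's neutralize.sh; it assumes one opening tag per line, and the sample manifest and class names are constructed.

```shell
# Added example, not the project's neutralize.sh. Assumes the decoded
# AndroidManifest.xml keeps each component's opening tag on one line.

# disable_component <manifest|-> <class>: print the manifest with that
# component disabled. Three cases, so the attribute is never written twice.
disable_component() {
  awk -v name="$2" '
    /<(activity|service|receiver|provider)[ \t]/ &&
    index($0, "android:name=\"" name "\"") {
      if ($0 ~ /android:enabled="false"/) {
        # 1. already disabled: leave the line untouched
      } else if ($0 ~ /android:enabled="[^"]*"/) {
        # 2. explicitly set to another value: rewrite it in place
        sub(/android:enabled="[^"]*"/, "android:enabled=\"false\"")
      } else {
        # 3. attribute absent: insert it right after the tag name
        sub(/<(activity|service|receiver|provider)[ \t]/, "&android:enabled=\"false\" ")
      }
    }
    { print }' "$1"
}

# has_duplicate_enabled <manifest|->: exit 0 if any line carries the
# attribute more than once (the malformed output a blind insert produces).
has_duplicate_enabled() {
  awk '{ if (gsub(/android:enabled=/, "&") > 1) dup = 1 } END { exit !dup }' "$1"
}

sample_manifest() {  # constructed input; class names are hypothetical
  cat <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Demo">
    <provider android:name="com.example.ads.InitProvider" android:authorities="com.example.app.adsinit" android:exported="false"/>
    <receiver android:enabled="true" android:name="com.example.track.InstallReceiver"/>
    <service android:enabled="false" android:name="com.example.track.UploadService"/>
    <activity android:name="com.example.app.MainActivity"/>
  </application>
</manifest>
EOF
}

patch_sample() {  # one component per case: absent, "true", already "false"
  sample_manifest |
    disable_component - com.example.ads.InitProvider |
    disable_component - com.example.track.InstallReceiver |
    disable_component - com.example.track.UploadService
}

patch_sample
```

Running has_duplicate_enabled on a patched manifest before the rebuild step catches the malformed case early, and re-running disable_component on already patched output changes nothing.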

Natural language

The skills activate on phrases like:

  • "Decompile this APK"
  • "Reverse engineer this Android app"
  • "Extract API endpoints from this app"
  • "Follow the call flow from LoginActivity"
  • "Analyze this AAR library"
  • "Find trackers in this app"
  • "What analytics SDKs does this app use?"
  • "Detect ad networks in this app"
  • "Show me the ad mediation setup"
  • "Neutralize trackers in this APK"
  • "Remove telemetry from this app"
  • "Sanitize this APK for enterprise deployment"

Manual scripts

The scripts can also be used standalone:

# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower

# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls

# Find tracker/analytics SDKs
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/ --firebase
bash plugins/android-reverse-engineering/skills/tracker-analysis/scripts/find-trackers.sh output/sources/ --adjust

# Find advertising SDKs
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/ --admob
bash plugins/android-reverse-engineering/skills/ad-analysis/scripts/find-ads.sh output/sources/ --mediation

# Neutralize SDK entry points (decode → patch → rebuild)
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/decode-apk.sh app.apk -o app-decoded
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all --dry-run
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --all
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/rebuild-apk.sh app-decoded --debug-key

# XAPK support — decode-apk.sh extracts the base APK automatically
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/decode-apk.sh app-bundle.xapk -o app-decoded

# Replay previous patches after re-decoding
bash plugins/android-reverse-engineering/skills/sdk-neutralizer/scripts/neutralize.sh app-decoded --replay

Repository Structure

android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json                    # Marketplace catalog
├── plugins/
│   └── android-reverse-engineering/
│       ├── .claude-plugin/
│       │   └── plugin.json                 # Plugin manifest
│       ├── skills/
│       │   ├── android-reverse-engineering/ # Core RE skill
│       │   │   ├── SKILL.md                # 5-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── setup-guide.md
│       │   │   │   ├── jadx-usage.md
│       │   │   │   ├── fernflower-usage.md
│       │   │   │   ├── api-extraction-patterns.md
│       │   │   │   └── call-flow-analysis.md
│       │   │   └── scripts/
│       │   │       ├── check-deps.sh
│       │   │       ├── install-dep.sh
│       │   │       ├── decompile.sh
│       │   │       └── find-api-calls.sh
│       │   ├── tracker-analysis/            # Tracker/analytics SDK detection
│       │   │   ├── SKILL.md                # 4-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── tracker-sdk-catalog.md
│       │   │   │   ├── tracker-init-patterns.md
│       │   │   │   └── data-exfiltration-patterns.md
│       │   │   └── scripts/
│       │   │       └── find-trackers.sh
│       │   ├── ad-analysis/                 # Advertising SDK detection
│       │   │   ├── SKILL.md                # 3-phase workflow
│       │   │   ├── references/
│       │   │   │   ├── ad-sdk-catalog.md
│       │   │   │   ├── mediation-patterns.md
│       │   │   │   └── ad-format-patterns.md
│       │   │   └── scripts/
│       │   │       └── find-ads.sh
│       │   └── sdk-neutralizer/             # SDK neutralization for enterprise
│       │       ├── SKILL.md                # 6-phase workflow
│       │       ├── references/
│       │       │   ├── neutralization-guide.md
│       │       │   └── smali-patterns.md
│       │       └── scripts/
│       │           ├── check-neutralize-deps.sh
│       │           ├── decode-apk.sh
│       │           ├── neutralize.sh
│       │           └── rebuild-apk.sh
│       └── commands/
│           ├── decompile.md                # /decompile slash command
│           ├── find-trackers.md            # /find-trackers slash command
│           ├── find-ads.md                 # /find-ads slash command
│           └── neutralize.md               # /neutralize slash command
├── LICENSE
└── README.md

Disclaimer

This plugin is provided strictly for lawful purposes, including but not limited to:

  • Security research and authorized penetration testing
  • Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
  • Malware analysis and incident response
  • Educational use and CTF competitions
  • Enterprise privacy compliance and data minimisation (GDPR Art. 5(1)(c))
  • Authorized internal distribution of sanitized applications

SDK neutralization modifies APK bytecode and invalidates the original signature. The resulting APK will fail Play Integrity checks and is intended only for enterprise sideloading via MDM or authorized internal distribution. Using this feature to circumvent digital rights management for unauthorized purposes is prohibited.

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE