Android Reverse Engineering - Claude Code Skill
Author: incogbyte
Claude Code skill that automates Android application reverse engineering. Decompiles APK, XAPK, AAB, DEX, JAR, and AAR files, extracts HTTP endpoints (Retrofit, OkHttp, Volley, GraphQL, WebSocket), traces call flows, analyzes security patterns, documents discovered APIs, and performs adaptive dynamic analysis with Frida — generating custom bypass scripts based on static analysis findings and iterating through crash logs to defeat runtime protections (RASP, root detection, SSL pinning, anti-tamper).
What this skill does
- Decompiles APK, XAPK, AAB, DEX, JAR, and AAR using jadx or Fernflower/Vineflower (individually or side by side for comparison)
- Extracts HTTP APIs: Retrofit endpoints, OkHttp calls, Volley, GraphQL queries/mutations, WebSocket connections, hardcoded URLs, authentication headers
- Traces call flows from Activities/Fragments to network calls, through ViewModels, Repositories, coroutines/Flow, and RxJava chains
- Analyzes app structure: AndroidManifest, packages, architectural pattern (MVP, MVVM, Clean Architecture)
- Audits security: certificate pinning, disabled SSL verification, exposed secrets, debug flags, weak crypto
- Dynamic analysis with Frida: adaptive bypass loop that generates custom scripts based on decompiled code, runs them, captures crash logs, and iterates until protections are bypassed
- Bypasses runtime protections: RASP, root detection (RootBeer, SafetyNet), SSL pinning, anti-tamper, Frida detection — all via targeted hooks generated from static analysis, not generic scripts
- Handles obfuscated code: strategies for navigating ProGuard/R8 output, using strings and annotations as anchors
- Generates reports: structured Markdown reports with all findings
Required tools
Mandatory
| Tool | Minimum version | Purpose |
|---|---|---|
| Java JDK | 17+ | Runtime for jadx and Fernflower |
| jadx | any | Primary decompiler (APK/DEX/JAR/AAR to Java) |
Optional (recommended)
| Tool | Purpose |
|---|---|
| Vineflower (Fernflower fork) | Higher quality decompilation for lambdas, generics, and complex Java code |
| dex2jar | Convert DEX to JAR (required to use Fernflower with APKs/DEX files) |
| bundletool | Convert AAB (App Bundle) to APK for decompilation |
| apktool | Resource decoding (XML, drawables) when jadx fails |
| adb | Extract APKs directly from a connected Android device |
For dynamic analysis (Phase 7)
| Tool | Purpose |
|---|---|
| Python 3.8+ | Runtime for frida-tools (installed in a venv, never globally) |
| adb | Communication with device/emulator |
| frida-server | Runs on the Android device/emulator (the skill detects if you already have it) |
| frida-tools | Client-side Frida CLI — auto-installed in a venv matching your server version |
How to install the tools
The skill includes a script that automatically detects the OS and package manager:
```bash
# Check what is installed and what is missing
bash scripts/check-deps.sh
# Install dependencies individually (detects brew/apt/dnf/pacman)
bash scripts/install-dep.sh java
bash scripts/install-dep.sh jadx
bash scripts/install-dep.sh vineflower
bash scripts/install-dep.sh dex2jar
bash scripts/install-dep.sh bundletool
```
The script installs without sudo when possible (local download to ~/.local/). When sudo is needed, it asks for confirmation. If it cannot install, it prints manual instructions.
Frida setup
The Frida setup is handled by a dedicated script that detects your existing environment before changing anything:
```bash
# Detect everything: device, frida-server version, create matching venv
bash scripts/setup-frida.sh
# If frida-server is not on the device, auto-download and push it:
bash scripts/setup-frida.sh --install-server
```
What setup-frida.sh does:
- Checks adb — verifies a device/emulator is connected, gets architecture (arm64, x86, etc.)
- Finds existing frida-server — checks /data/local/tmp/frida-server and running processes on the device
- Gets frida-server version — extracts version from the binary on device
- Checks Python 3 + venv module — required for frida-tools
- Creates a venv at ~/.local/share/frida-re/venv — frida-tools is never installed globally
- Installs frida-tools matching your server version — avoids version mismatch errors
- Tests connectivity — runs frida-ps -U to verify everything works
If you already have frida-server on your device (most users do), the script just creates the venv and matches the client version. No unnecessary reinstalls.
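The version-matching step in the list above, as an added example that is not part of the skill's own scripts: it validates the version string reported by the device before using it to pin the client inside the venv. The function names and sample versions are constructed, and pinning the `frida` Python package (rather than another package) is an assumption about how the match is made.

```sh
#!/bin/sh
# Added example (not from the skill): function names are hypothetical.

# Reduce raw `frida-server --version` output to a strict MAJOR.MINOR.PATCH
# string. adb shell output can end in CR, and the text is device-controlled,
# so anything that is not exactly three dotted numbers is rejected before
# it can reach a pip command line.
normalize_version() {
    v=$(printf '%s' "$1" | tr -d '\r\n\t ')
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$v"
}

# Print match | mismatch | invalid for a server/client version pair.
compare_versions() {
    s=$(normalize_version "$1") || { echo invalid; return 2; }
    c=$(normalize_version "$2") || { echo invalid; return 2; }
    if [ "$s" = "$c" ]; then echo match; return 0; fi
    echo mismatch
    return 1
}

# Build the pip requirement that pins the client to the server version.
# Assumption: the `frida` Python package is released under the same
# version number as frida-server.
pin_requirement() {
    s=$(normalize_version "$1") || return 1
    printf 'frida==%s\n' "$s"
}

# Constructed sample values; on a real device the first would come from
#   adb shell /data/local/tmp/frida-server --version
server_raw=$(printf '16.1.4\r')
client_raw='16.0.19'

verdict=$(compare_versions "$server_raw" "$client_raw") || true
echo "server/client: $verdict"
if [ "$verdict" = mismatch ]; then
    echo "venv fix: pip install '$(pin_requirement "$server_raw")'"
fi
```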
Manual Frida installation
# 1. Create venv (always use a venv, never install globally)
python3 -m venv ~/.local/share/frida-re/venv
# 2. Check your frida-server version on device
adb shell /data/local/tmp/frida-server --version