Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From android-reverse-engineering
Decompile and analyze Android packages (APK, AAB, etc.), extract API endpoints, trace call flows, audit security, and perform dynamic analysis with Frida.
npx claudepluginhub incogbyte/android-reverse-engineering-claude-skill --plugin android-reverse-engineeringHow this skill is triggered — by the user, by Claude, or both
Slash command
/android-reverse-engineering:android-reverse-engineeringThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Decompile Android APK, XAPK, AAB, DEX, JAR, and AAR files using jadx and Fernflower/Vineflower, trace call flows through application code and libraries, analyze security patterns, produce structured documentation of extracted APIs, and perform adaptive dynamic analysis with Frida — generating custom bypass scripts based on what the static analysis finds, iterating through crash logs to refine h...
references/api-extraction-patterns.mdreferences/call-flow-analysis.mdreferences/fernflower-usage.mdreferences/firebase-google-api-testing.mdreferences/jadx-usage.mdreferences/setup-guide.mdscripts/adb-crash-capture.shscripts/check-deps.shscripts/decompile.shscripts/find-api-calls.shscripts/find-firebase-config.shscripts/frida-run.shscripts/install-dep.shscripts/setup-frida.shscripts/test-firebase-google.shDecompiles Android APK, XAPK, JAR, and AAR files using jadx or Fernflower/Vineflower. Extracts HTTP API endpoints (Retrofit, OkHttp, Volley) and traces call flows from UI to network layer.
Decompiles Android APK files to readable Java source using jadx. Useful for security analysis, vulnerability discovery, finding hardcoded credentials, and understanding app internals.
Automates Android APK red-team analysis: acquisition from Play Store/APKPure/APKMirror, decompilation with jadx, secret/URL/JWT/Firebase grep, Frida instrumentation, and exported-component enumeration.
Share bugs, ideas, or general feedback.
Decompile Android APK, XAPK, AAB, DEX, JAR, and AAR files using jadx and Fernflower/Vineflower, trace call flows through application code and libraries, analyze security patterns, produce structured documentation of extracted APIs, and perform adaptive dynamic analysis with Frida — generating custom bypass scripts based on what the static analysis finds, iterating through crash logs to refine hooks until protections are bypassed. Two decompiler engines are supported — jadx for broad Android coverage and Fernflower for higher-quality output on complex Java code — and can be used together for comparison.
This skill requires Java JDK 17+ and jadx to be installed. Fernflower/Vineflower and dex2jar are optional but recommended for better decompilation quality. bundletool is required for AAB (App Bundle) files. For dynamic analysis (Phase 7), Python 3.8+, adb, and a device/emulator with frida-server are needed — the setup-frida.sh script handles the full setup. Run the dependency checker to verify:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
If anything is missing, follow the installation instructions in ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md.
Before decompiling, confirm that the required tools are available — and install any that are missing.
Action: Run the dependency check script.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
The output contains machine-readable lines:
INSTALL_REQUIRED:<dep> — must be installed before proceedingINSTALL_OPTIONAL:<dep> — recommended but not blockingIf required dependencies are missing (exit code 1), install them automatically:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.sh <dep>
The install script detects the OS and package manager, then:
~/.local/share/, symlinks in ~/.local/bin/)For optional dependencies, ask the user if they want to install them. Vineflower and dex2jar are recommended for best results.
After installation, re-run check-deps.sh to confirm everything is in place. Do not proceed to Phase 2 until all required dependencies are OK.
Use the decompile wrapper script to process the target file. The script supports three engines: jadx, fernflower, and both.
Action: Choose the engine and run the decompile script. The script handles APK, XAPK, AAB, DEX, JAR, and AAR files.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh [OPTIONS] <file>
For XAPK files (ZIP bundles containing multiple APKs, used by APKPure and similar stores): the script automatically extracts the archive, identifies all APK files inside (base + split APKs), and decompiles each one into a separate subdirectory. The XAPK manifest is copied to the output for reference.
For AAB files (Android App Bundles): the script uses bundletool to generate a universal APK from the bundle, then decompiles it. bundletool must be installed (run install-dep.sh bundletool).
For DEX files: jadx handles them natively. For Fernflower, dex2jar is used as an intermediate step (same as APK files).
Options:
-o <dir> — Custom output directory (default: <filename>-decompiled)--deobf — Enable deobfuscation (recommended for obfuscated apps)--no-res — Skip resources, decompile code only (faster)--engine ENGINE — jadx (default), fernflower, or bothEngine selection strategy:
| Situation | Engine |
|---|---|
| First pass on any APK/AAB | jadx (fastest, handles resources) |
| JAR/AAR library analysis | fernflower (better Java output) |
| jadx output has warnings/broken code | both (compare and pick best per class) |
| Complex lambdas, generics, streams | fernflower |
| Quick overview of a large APK | jadx --no-res |
| DEX file analysis | jadx (native support) or fernflower (via dex2jar) |
When using --engine both, the outputs go into <output>/jadx/ and <output>/fernflower/ respectively, with a comparison summary at the end showing file counts and jadx warning counts. Review classes with jadx warnings in the Fernflower output for better code.
For APK files with Fernflower, the script automatically uses dex2jar as an intermediate step. dex2jar must be installed for this to work.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md and ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md for the full CLI references.
Navigate the decompiled output to understand the app's architecture.
Actions:
Read AndroidManifest.xml from <output>/resources/AndroidManifest.xml:
INTERNET, ACCESS_NETWORK_STATE)android:name on <application>)Survey the package structure under <output>/sources/:
api, network, data, repository, service, retrofit, http — these are where API calls liveIdentify the architecture pattern:
Presenter classesViewModel classes and LiveData/StateFlowdomain, data, presentation packagesFollow execution paths from user-facing entry points down to network calls.
Actions:
Start from entry points: Read the main Activity or Application class identified in Phase 3.
Follow the initialization chain: Application.onCreate() often sets up the HTTP client, base URL, and DI framework. Read this first.
Trace user actions: From an Activity, follow:
onCreate() → view setup → click listenersMap DI bindings (if Dagger/Hilt is used): Find @Module classes to understand which implementations are provided for which interfaces.
Handle obfuscated code: When class names are mangled, use string literals and library API calls as anchors. Retrofit annotations and URL strings are never obfuscated.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md for detailed techniques and grep commands.
Find all API endpoints and produce structured documentation.
Action: Run the API search script for a broad sweep.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/
Additional options:
--context N — Show N lines of context around each match (recommended: --context 3)--report FILE — Export results as a structured Markdown report--dedup — Deduplicate results by endpoint/URLTargeted searches:
# Only Retrofit
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --retrofit
# Only hardcoded URLs
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --urls
# Only auth patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --auth
# Only Kotlin coroutines/Flow patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --kotlin
# Only RxJava patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --rxjava
# Only GraphQL patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --graphql
# Only WebSocket patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --websocket
# Only security patterns (cert pinning, exposed secrets, debug flags)
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --security
# Full analysis with context and Markdown report
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --context 3 --dedup --report report.md
Then, for each discovered endpoint, read the surrounding source code to extract:
Document each endpoint using this format:
### `METHOD /path`
- **Source**: `com.example.api.ApiService` (ApiService.java:42)
- **Base URL**: `https://api.example.com/v1`
- **Path params**: `id` (String)
- **Query params**: `page` (int), `limit` (int)
- **Headers**: `Authorization: Bearer <token>`
- **Request body**: `{ "email": "string", "password": "string" }`
- **Response**: `ApiResponse<User>`
- **Called from**: `LoginActivity → LoginViewModel → UserRepository → ApiService`
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md for library-specific search patterns and the full documentation template.
Use Frida to observe and modify app behavior at runtime. Do not use pre-built generic bypass scripts. Instead, generate custom Frida scripts based on what the static analysis (Phases 3–6) revealed in the decompiled code, then iterate based on crash logs and runtime behavior.
This phase requires a connected device/emulator. The user likely already has frida-server on their device — detect it first before offering to install anything.
Action: Run the Frida setup script. It detects the existing environment before changing anything.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/setup-frida.sh
The script performs these checks in order:
/data/local/tmp/frida-server, etc.) and running processes~/.local/share/frida-re/venv, installs frida-tools matching the device's frida-server versionfrida-ps -U to verify end-to-endIf frida-server is missing from the device, the script prints instructions. To auto-install:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/setup-frida.sh --install-server
Important: The venv ensures frida-tools never pollutes the global Python environment. The version matching ensures client and server are compatible. If the user already has a working frida-server, the script adapts to their version instead of forcing an upgrade.
Read the machine-readable output lines (FRIDA_VENV=, FRIDA_SERVER_VERSION=, FRIDA_DEVICE=, FRIDA_STATUS=) to configure subsequent steps.
Before writing any Frida script, check if the app even runs on this device. Many apps with RASP will crash immediately on rooted devices/emulators.
Action: Launch the app and capture crash diagnostics.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/adb-crash-capture.sh -p <package>
Options:
-t <seconds> — monitoring window (default: 10)-a <activity> — launch specific activity instead of auto-detect-o <dir> — save logcat/crash logs to directory-v — include full logcat in outputRead the machine-readable output:
APP_STATUS=running — app is fine, proceed to runtime analysisAPP_STATUS=crashed — check CRASH_SIGNAL, CRASH_EXCEPTION, CRASH_MESSAGEAPP_STATUS=exited — app quit without a visible crash (common RASP pattern: System.exit() or Process.killProcess())The script also outputs:
FATAL EXCEPTIONIf the app runs fine (status=running), skip to Step 7.4 for runtime analysis. If the app crashes or exits, proceed to Step 7.3.
This is the core of dynamic analysis. Use the decompiled code from previous phases combined with crash logs to understand WHY the app is dying, then generate a targeted Frida script to bypass that specific check.
The loop:
1. Read crash output from Step 7.2 (or previous iteration)
2. Identify the protection mechanism:
- Cross-reference crash class/method with decompiled code
- Follow the stack trace back to the triggering check
- Look for the RASP/security indicators in logs
3. Read the relevant decompiled source to understand the check logic
4. Generate a Frida script that specifically disables that check
5. Run the script and capture new crash output
6. If still crashing: repeat from step 1 (new crash = new check to bypass)
7. If running: proceed to Step 7.4
How to identify protection mechanisms from crash data:
| Crash Pattern | Likely Cause | Where to Look in Decompiled Code |
|---|---|---|
System.exit(0) in stack trace | RASP calling System.exit() | Search for System.exit and Process.killProcess calls |
SecurityException | Permission or integrity check | Search for the exception class in decompiled code |
SIGABRT from native code | Native anti-tamper (frida detection, lib integrity) | Check .so libraries loaded by the app, search for dlopen, ptrace, frida strings |
| App starts then immediately closes (no crash) | finish() called on Activity, or System.exit() in onCreate | Read the launcher Activity's onCreate(), look for conditional finish() calls |
RootBeer, SafetyNet, Play Integrity in logs | Root/integrity detection SDK | Search for the SDK's package in decompiled code |
ssl, certificate, pin in crash | SSL pinning preventing traffic inspection | Search for CertificatePinner, TrustManager, network security config |
frida, xposed, substrate in logs | Instrumentation framework detection | Search for string constants checking process names, ports, or loaded modules |
How to generate the bypass script:
Read the decompiled source of the method that performs the check. Understand:
onCreate) or continuously (background thread)?Then write a Frida script that hooks that specific method. Examples of patterns (adapt to actual code):
For a Java method returning boolean:
Java.perform(function() {
var cls = Java.use('com.example.security.RootChecker');
cls.isDeviceRooted.implementation = function() {
console.log('[bypass] RootChecker.isDeviceRooted() called, returning false');
return false;
};
});
For a native function:
var funcAddr = Module.findExportByName("libsecurity.so", "Java_com_example_NativeCheck_verify");
if (funcAddr) {
Interceptor.replace(funcAddr, new NativeCallback(function() {
console.log('[bypass] native verify() called, returning 0');
return 0;
}, 'int', []));
}
For System.exit() prevention (when you don't know the exact check yet):
Java.perform(function() {
var System = Java.use('java.lang.System');
System.exit.implementation = function(code) {
console.log('[bypass] System.exit(' + code + ') blocked');
// Don't call the original — app stays alive
// Check the stack trace to find who's calling this:
console.log(Java.use("android.util.Log").getStackTraceString(
Java.use("java.lang.Throwable").$new()
));
};
});
Action: Save the generated script to a temp file and run it:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/frida-run.sh \
-p <package> -l /tmp/bypass.js -t 15
Options:
-t <seconds> — timeout (default: 30)--pause — suspend app on spawn, useful for early hooks before any app code runs--attach — attach to running process instead of spawning-e "<code>" — inline JavaScript instead of a file--output-dir <dir> — save stdout/stderr/crash to filesRead the output:
FRIDA_RESULT=success — bypass worked, app is runningFRIDA_RESULT=crash — check the CRASH LOG section, identify the next check to bypassFRIDA_RESULT=connection_failed — frida-server issue, re-run setup-frida.shFRIDA_RESULT=timeout — app ran for the full timeout window (usually means success)If the app crashes again: read the new crash log, cross-reference with decompiled code, identify the NEXT protection check, add another hook to the script, and run again. Each iteration should bypass one more check. Common pattern: apps have 3–5 layered checks.
Important considerations:
--pause (spawn gating) when the check runs in Application.onCreate() — this ensures hooks are in place before any app code executesThread.start() or the specific Runnable to neutralize itptrace(PTRACE_TRACEME), hook ptrace via Interceptor.replacefrida-server -l 0.0.0.0:1337Once the app is running (with or without bypass scripts), use Frida for the actual analysis goals.
Generate analysis scripts based on what static analysis found. Do not use generic scripts — target the specific classes, methods, and patterns identified in Phases 3–6.
Common analysis patterns (adapt to the actual code found):
Intercept HTTP traffic — hook the specific HTTP client the app uses (identified in Phase 5):
// Example: if static analysis found OkHttp usage
Java.perform(function() {
var OkHttpClient = Java.use('okhttp3.OkHttpClient');
var RealCall = Java.use('okhttp3.internal.connection.RealCall');
// Hook based on actual classes found in the decompiled code
});
Monitor crypto operations — hook the specific encryption methods found in Phase 6:
// Example: if static analysis found AES usage in com.example.crypto.CryptoHelper
Java.perform(function() {
var helper = Java.use('com.example.crypto.CryptoHelper');
// Hook the specific encrypt/decrypt methods found
});
Trace method calls — when static analysis shows a call flow but you need to verify it at runtime:
# Use frida-trace for quick method tracing (uses the venv)
$FRIDA_VENV/bin/frida-trace -U -f <package> -j 'com.example.api.*!*'
Action: Write the analysis script, run it, and interpret results:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/frida-run.sh \
-p <package> -l /tmp/analysis.js -t 60 --output-dir ./frida-output/
If bypass hooks are needed alongside analysis hooks, combine them in a single script — bypass hooks first, then analysis hooks.
After each Frida run, document:
Feed runtime findings back into the API documentation from Phase 5 — runtime analysis often reveals:
(Previously Phase 6 — the security scan from find-api-calls.sh --security remains the same, but now also incorporates findings from Phase 7's dynamic analysis.)
Scan for security-relevant patterns in the decompiled code.
Action: Run the security-focused search:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --security --context 3
Look for and flag:
TrustManager that trusts all certs, ALLOW_ALL_HOSTNAME_VERIFIERBuildConfig.DEBUG checks, staging URLs, verbose loggingres/xml/network_security_config.xml for cleartextTrafficPermitted="true" or overly broad trust anchorsOnly run this phase if the decompiled app contains Google API keys or Firebase configuration. If none are present, skip it entirely — do not invent keys, do not hit Google endpoints speculatively.
This phase is strictly for apps the user is authorized to test (their own apps, signed engagements, or bug-bounty programs that explicitly permit it). Confirm authorization before running write/create probes (Realtime DB PUT, Dynamic Links creation, FCM send) or billable probes (Maps, Vision, Translate, etc.).
Action: Run the detection script against the decompiled output. Its exit code drives the rest of the phase.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-firebase-config.sh \
<output>/ --env /tmp/fb-env.sh --json /tmp/fb-env.json
The script scans res/values/strings.xml, AndroidManifest.xml, assets/google-services.json, assets/appsettings.json, and the full decompiled tree for values matching AIza[0-9A-Za-z_\-]{35} and known Firebase keys (google_api_key, project_id, firebase_database_url, gcm_defaultSenderId, google_app_id, google_storage_bucket, default_web_client_id).
Read the machine-readable output:
FIREBASE_FOUND=true or GOOGLE_API_KEY_FOUND=true (exit 0) → proceed to Step 9.2.false (exit 2) → skip the rest of Phase 9 entirely and move on to the final deliverables.The --env file produced on success is ready to source before running any Firebase/Google request (API_KEY, PROJECT_ID, DB_URL, APP_ID, GCM_SENDER_ID, PACKAGE, OAUTH_CLIENT_ID, STORAGE_BUCKET, plus an API_KEYS array for apps that ship multiple keys).
Before running any probe, confirm with the user that the app is in scope for Firebase/Google API testing. If the user has not authorized this, stop and report the configuration findings only. Do not proceed to Step 9.3.
Action: Run the automated matrix against the extracted configuration.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/test-firebase-google.sh \
--env /tmp/fb-env.sh --report <output>/firebase-google-report.md
Useful flags:
--skip-billable — skip Section 9 (Maps/AI/YouTube) to avoid billable calls on the target project.--skip-writes — skip Realtime DB PUT, Dynamic Links creation, and FCM send (use when authorization covers reads only).--only auth,rtdb,firestore — restrict to specific sections (auth, rtdb, firestore, remoteconfig, storage, dynamiclinks, fcm, gemini, billable).--api-key <KEY> — override the key (useful when iterating through multiple keys from API_KEYS).The script runs the full playbook in ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/firebase-google-api-testing.md — Firebase Auth (signup, signin, OIDC providers, phone, OOB codes, enumeration), Realtime DB (unauth and authenticated reads, rules, write test), Firestore (list root, common collections, authenticated Bearer), Remote Config (firebase:fetch), Cloud Storage (both bucket conventions), Dynamic Links (open redirect / phishing check), FCM legacy send, Gemini (/files, /models, /cachedContents, gemini-pro:generateContent — TruffleSecurity vector), and billable Maps/AI/YouTube/Cloud Functions probes.
Each probe is classified as VULNERABLE, SAFE, BLOCKED, NOT_FOUND, OK, ERROR-200, INFO, or NETWORK_ERROR. When Firebase Auth returns an idToken (anonymous or email signup open), the script captures it and reuses it as $JWT for the authenticated Realtime DB / Firestore / lookup probes in the same run.
Read the final machine-readable output:
PROBE_COUNT=<n> — how many endpoints were exercised.VULN_COUNT=<n> — how many returned exploitable data.REPORT_FILE=<path> — Markdown report with per-probe status, verdict, and response excerpt.If find-firebase-config.sh reported API_KEY_COUNT > 1, re-run test-firebase-google.sh with each additional key (source /tmp/fb-env.sh && test-firebase-google.sh --api-key "${API_KEYS[1]}" --report <output>/firebase-google-report-key2.md). Different keys often belong to different GCP projects with different APIs enabled — a key that looks safe on project A may be wide open on project B.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/firebase-google-api-testing.md for the full response-interpretation table (SERVICE_DISABLED, PERMISSION_DENIED, ADMIN_ONLY_OPERATION, OPERATION_NOT_ALLOWED, NO_TEMPLATE, etc.) and for the raw curl commands to re-run any single probe manually.
At the end of the workflow, deliver:
find-firebase-config.sh output / env file)test-firebase-google.sh (the Markdown report)VULNERABLE findings with the response excerpt and impactUse --report report.md on find-api-calls.sh to generate a structured Markdown report automatically.
${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md — Installing Java, jadx, Fernflower/Vineflower, dex2jar, and optional tools${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md — jadx CLI options and workflows${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md — Fernflower/Vineflower CLI options, when to use, APK workflow${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md — Library-specific search patterns and documentation template${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md — Techniques for tracing call flows in decompiled code${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/firebase-google-api-testing.md — Phase 9 playbook: Firebase Auth, Realtime DB, Firestore, Remote Config, Storage, Dynamic Links, FCM, Gemini, billable Maps/AI probes${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md — Frida setup section covers Python venv, frida-server, and version matching