Decompiles Android APK, XAPK, JAR, AAR files using jadx or Fernflower. Extracts API endpoints from Retrofit, OkHttp, Volley and traces UI-to-network call flows.
From android-reverse-engineeringnpx claudepluginhub simoneavogadro/android-reverse-engineering-skill --plugin android-reverse-engineeringThis skill uses the workspace's default tool permissions.
references/api-extraction-patterns.mdreferences/call-flow-analysis.mdreferences/fernflower-usage.mdreferences/jadx-usage.mdreferences/setup-guide.mdscripts/check-deps.shscripts/decompile.shscripts/find-api-calls.shscripts/install-dep.shGuides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.
Optimizes cloud costs on AWS, Azure, GCP via rightsizing, tagging strategies, reserved instances, spot usage, and spending analysis. Use for expense reduction and governance.
Decompile Android APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower, trace call flows through application code and libraries, and produce structured documentation of extracted APIs. Two decompiler engines are supported — jadx for broad Android coverage and Fernflower for higher-quality output on complex Java code — and can be used together for comparison.
This skill requires Java JDK 17+ and jadx to be installed. Fernflower/Vineflower and dex2jar are optional but recommended for better decompilation quality. Run the dependency checker to verify:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
If anything is missing, follow the installation instructions in ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md.
Before decompiling, confirm that the required tools are available — and install any that are missing.
Action: Run the dependency check script.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
The output contains machine-readable lines:
INSTALL_REQUIRED:<dep> — must be installed before proceedingINSTALL_OPTIONAL:<dep> — recommended but not blockingIf required dependencies are missing (exit code 1), install them automatically:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.sh <dep>
The install script detects the OS and package manager, then:
~/.local/share/, symlinks in ~/.local/bin/)For optional dependencies, ask the user if they want to install them. Vineflower and dex2jar are recommended for best results.
After installation, re-run check-deps.sh to confirm everything is in place. Do not proceed to Phase 2 until all required dependencies are OK.
Use the decompile wrapper script to process the target file. The script supports three engines: jadx, fernflower, and both.
Action: Choose the engine and run the decompile script. The script handles APK, XAPK, JAR, and AAR files.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh [OPTIONS] <file>
For XAPK files (ZIP bundles containing multiple APKs, used by APKPure and similar stores): the script automatically extracts the archive, identifies all APK files inside (base + split APKs), and decompiles each one into a separate subdirectory. The XAPK manifest is copied to the output for reference.
Options:
-o <dir> — Custom output directory (default: <filename>-decompiled)--deobf — Enable deobfuscation (recommended for obfuscated apps)--no-res — Skip resources, decompile code only (faster)--engine ENGINE — jadx (default), fernflower, or bothEngine selection strategy:
| Situation | Engine |
|---|---|
| First pass on any APK | jadx (fastest, handles resources) |
| JAR/AAR library analysis | fernflower (better Java output) |
| jadx output has warnings/broken code | both (compare and pick best per class) |
| Complex lambdas, generics, streams | fernflower |
| Quick overview of a large APK | jadx --no-res |
When using --engine both, the outputs go into <output>/jadx/ and <output>/fernflower/ respectively, with a comparison summary at the end showing file counts and jadx warning counts. Review classes with jadx warnings in the Fernflower output for better code.
For APK files with Fernflower, the script automatically uses dex2jar as an intermediate step. dex2jar must be installed for this to work.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md and ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md for the full CLI references.
Navigate the decompiled output to understand the app's architecture.
Actions:
Read AndroidManifest.xml from <output>/resources/AndroidManifest.xml:
INTERNET, ACCESS_NETWORK_STATE)android:name on <application>)Survey the package structure under <output>/sources/:
api, network, data, repository, service, retrofit, http — these are where API calls liveIdentify the architecture pattern:
Presenter classesViewModel classes and LiveData/StateFlowdomain, data, presentation packagesFollow execution paths from user-facing entry points down to network calls.
Actions:
Start from entry points: Read the main Activity or Application class identified in Phase 3.
Follow the initialization chain: Application.onCreate() often sets up the HTTP client, base URL, and DI framework. Read this first.
Trace user actions: From an Activity, follow:
onCreate() → view setup → click listenersMap DI bindings (if Dagger/Hilt is used): Find @Module classes to understand which implementations are provided for which interfaces.
Handle obfuscated code: When class names are mangled, use string literals and library API calls as anchors. Retrofit annotations and URL strings are never obfuscated.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md for detailed techniques and grep commands.
Find all API endpoints and produce structured documentation.
Action: Run the API search script for a broad sweep.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/
Targeted searches:
# Only Retrofit
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --retrofit
# Only hardcoded URLs
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --urls
# Only auth patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --auth
Then, for each discovered endpoint, read the surrounding source code to extract:
Document each endpoint using this format:
### `METHOD /path`
- **Source**: `com.example.api.ApiService` (ApiService.java:42)
- **Base URL**: `https://api.example.com/v1`
- **Path params**: `id` (String)
- **Query params**: `page` (int), `limit` (int)
- **Headers**: `Authorization: Bearer <token>`
- **Request body**: `{ "email": "string", "password": "string" }`
- **Response**: `ApiResponse<User>`
- **Called from**: `LoginActivity → LoginViewModel → UserRepository → ApiService`
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md for library-specific search patterns and the full documentation template.
At the end of the workflow, deliver:
${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md — Installing Java, jadx, Fernflower/Vineflower, dex2jar, and optional tools${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md — jadx CLI options and workflows${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md — Fernflower/Vineflower CLI options, when to use, APK workflow${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md — Library-specific search patterns and documentation template${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md — Techniques for tracing call flows in decompiled code