Android Reverse Engineering & API Extraction — Claude Code skill
A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.
Windows / PowerShell support (experimental): The *.ps1 scripts alongside the bash ones are a recent community contribution, still being stabilised. For any issues please open an issue on this repository (not on the contributors' upstream forks): the PowerShell scripts are maintained here by @SimoneAvogadro.
Table of Contents
What it does
| Capability | Description |
|---|
| Decompile | APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison) |
| Extract APIs | Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens |
| Trace call flows | From Activities/Fragments through ViewModels and repositories down to HTTP calls |
| Analyze structure | Manifest, packages, architecture patterns |
| Handle obfuscation | Strategies for navigating ProGuard/R8 output |
Requirements
Required:
Optional (recommended):
See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.
Installation
From GitHub (recommended)
Inside Claude Code, run:
/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
The skill will be permanently available in all future sessions.
From a local clone
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git
Then in Claude Code:
/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
Usage
Slash command
/decompile path/to/app.apk
This runs the full workflow: dependency check, decompilation, and initial structure analysis.
Natural language
The skill activates on phrases like:
- "Decompile this APK"
- "Reverse engineer this Android app"
- "Extract API endpoints from this app"
- "Follow the call flow from LoginActivity"
- "Analyze this AAR library"
Manual scripts
The scripts can also be used standalone:
# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower
# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk
# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk
# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar
# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk
incogbyte
jygzyc
trailofbits
hyperb1iss