redcap-droid — Android decompilation and call-flow tracing

redcap-droid — Android decompilation and call-flow tracing

Credit: Adopted from SimoneAvogadro/android-reverse-engineering-skill under Apache 2.0. Path placeholders rebranded for the redcap suite and a compile-time-gate workflow added (Phase 6); the decompile / trace / extract core is Simone's work, with thanks.

Decompile Android APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower, trace call flows through application code and libraries, and produce structured documentation of extracted APIs. Two decompiler engines are supported — jadx for broad Android coverage and Fernflower for higher-quality output on complex Java code — and can be used together for comparison.

Prerequisites

Java JDK 17+ and jadx required. Fernflower/Vineflower and dex2jar optional but recommended. Run the dependency checker:

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/check-deps.sh

If anything is missing, follow ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/references/setup-guide.md.

Workflow

Phase 1: Verify and install dependencies

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/check-deps.sh

Parse INSTALL_REQUIRED:<dep> and INSTALL_OPTIONAL:<dep> lines. For required misses, install:

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/install-dep.sh <dep>

Script handles macOS / Linux package managers, falls back to user-local installs in ~/.local/. Re-run check-deps.sh to verify before proceeding.

Phase 2: Decompile

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/decompile.sh [OPTIONS] <file>

Options:

• -o <dir> — output directory
• --deobf — enable deobfuscation (recommended for obfuscated apps)
• --no-res — skip resources (faster, for large APKs)
• --engine ENGINE — jadx (default), fernflower, or both

Engine selection:

Situation	Engine
First pass on APK	jadx (fast, handles resources)
JAR/AAR library	fernflower (better Java output)
jadx output has warnings	both (compare per class)
Complex lambdas/generics/streams	fernflower
Quick overview of large APK	jadx --no-res

See references/jadx-usage.md and references/fernflower-usage.md.

Phase 3: Analyze structure

1. Read AndroidManifest.xml from <output>/resources/AndroidManifest.xml:

   • Main launcher Activity
   • All Activities, Services, BroadcastReceivers, ContentProviders
   • Permissions (especially INTERNET, ACCESS_NETWORK_STATE, SYSTEM_ALERT_WINDOW)
   • Application class (android:name on <application>)

2. Survey <output>/sources/ packages:

   • Main app package and sub-packages
   • Distinguish app code from third-party libraries
   • Look for api, network, data, repository, service, retrofit, http packages

3. Identify architecture pattern:

   • MVP: Presenter classes
   • MVVM: ViewModel + LiveData / StateFlow
   • Clean Architecture: domain / data / presentation packages

Phase 4: Trace call flows

1. From entry points (main Activity, Application class):

   • onCreate() → view setup → click listeners
   • Click handler → ViewModel / Presenter method
   • ViewModel → Repository → API service interface
   • API service → actual HTTP call

2. Follow initialization: Application.onCreate() usually sets up HTTP client, base URL, DI framework. Read this first.

3. Map DI bindings (Dagger / Hilt): find @Module classes.

4. Handle obfuscated code: when class names are mangled, use string literals and library API calls as anchors. Retrofit annotations and URL strings are never obfuscated.

See references/call-flow-analysis.md for grep commands and techniques.

Phase 5: Extract and document APIs

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/find-api-calls.sh <output>/sources/
bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/find-api-calls.sh <output>/sources/ --retrofit
bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/find-api-calls.sh <output>/sources/ --urls
bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/find-api-calls.sh <output>/sources/ --auth

For each endpoint document: HTTP method, path, base URL, path / query params, request body shape, headers (especially auth), response type, call chain. Format per references/api-extraction-patterns.md.

Phase 6: Compile-time gate hunt (redcap-specific)

For engineering-mode / feature-flag / consumer-rights investigation, after decompiling the admin JAR or system app, grep for compile-time gates:

grep -rInE '(em_support|engineer_?mode|engineering_?mode|factory_?mode|debug_?mode|developer_?mode|hidden_?menu|show_[0-9]+g|feature_[a-z_]+_support|brand_[0-9]+|admin_?mode|test_?mode|diag_?mode)' <output>/sources/

For each match, trace:

• Where is the flag defined? Compile-time constant, config resource, XML, properties file?
• Where is it checked? if / switch guards on UI rendering or API handlers
• What methods does it gate? These are the hidden capabilities — the payoff

Then hand off:

• To redcap-kernel if a firmware re-flash is needed to flip the flag at rest
• To the user for manual review + decision
• To redcap-payloads if the gate is bypassable via runtime request manipulation

Output

At the end of the workflow, deliver:

1. Decompiled source in the output directory
2. Architecture summary — app structure, main packages, pattern used
3. API documentation — endpoints + call chains
4. Call flow map — UI → network paths (especially auth and main features)
5. Compile-time gate map — flag names, definitions, guarded methods (Phase 6 only)

Optional — programmatic analysis with Androguard

Androguard is a Python library / CLI for static DEX-level analysis. It's complementary to jadx/Fernflower:

• jadx / Fernflower — lexical: human-readable source for reading + grep
• Androguard — structural: programmatic call-graph, cross-reference, and CFG queries on DEX bytecode

Use Androguard when the question is "which methods reference X?", "call graph from Activity Y?", "every xref to WebView.loadUrl". Faster than grep-walking jadx sources for Phase 4 and Phase 6.

Install (optional):

bash ${CLAUDE_PLUGIN_ROOT}/skills/redcap-droid/scripts/install-dep.sh androguard

Full usage: references/androguard-usage.md.

References

• references/setup-guide.md — installing Java, jadx, Fernflower/Vineflower, dex2jar
• references/jadx-usage.md — jadx CLI options and workflows
• references/fernflower-usage.md — Fernflower/Vineflower CLI, APK workflow via dex2jar
• references/api-extraction-patterns.md — library-specific search patterns + documentation template
• references/call-flow-analysis.md — call-flow tracing techniques and grep recipes
• references/androguard-usage.md — Androguard (optional) programmatic static analysis, call graphs, xrefs

Pairing with other siblings

• With redcap-kernel: patch a decompiled JAR's feature-gate, repack, hand to kernel for partition re-flash workflow.
• With redcap-payloads: test extracted API endpoints against the payload library for injection vulnerabilities.
• With redcap-imhex: when the APK ships proprietary binary formats in assets/ or lib/, hand those to ImHex for pattern parsing.
• With redcap-compliance: if the target is an Android device, cross-check its config against Android / CIS mobile baselines.