Android Reverse Engineering & API Extraction — Claude Code skill
Decompile Android APK, XAPK, JAR, and AAR files using jadx or Fernflower/Vineflower. Reverse engineer Android apps, extract HTTP API endpoints (Retrofit, OkHttp, Volley), and trace call flows from UI to network layer. Use when the user wants to decompile, analyze, or reverse engi.
Rank signal78/100
This rank signal uses GitHub stars, measured star growth, and recent maintenance. It is not a safety score or install approval.
Why we list it
Worth reviewing before you install
Worth a closer look if the use case fits. It has adoption, measured growth, and recent maintenance. No primary install command was extracted, so review the upstream source first.
Approved public shortlistSKILL.md evidenceAlternatives kept nearby
Best for
Security teams. Channel tag: Claude Code. Treat this as a search fit signal, not compatibility proof. Best when you can review the repo manually before adoption. Start with...
Review before install
Inspect plugins/android-reverse-engineering/skills/android-reverse-engineering/SKILL.md and the install command before adding it to a shared agent workflow. No actionable warning was returned for this snapshot.
Compare alternatives
Compare nearby security skills in the Claude Code channel when 6,063 GitHub stars, source freshness, or install notes are close. This one still needs manual install review, so a nearby skill may be easier to adopt.
How to install Android Reverse Engineering & API Extraction — Claude Code skill
No install command was extracted. Treat this as a manual review case.
SKILL.md and source review
Primary path: plugins/android-reverse-engineering/skills/android-reverse-engineering/SKILL.md
78/100 from GitHub star count, star growth rate, and recent update.
78/100 from GitHub star count, star growth rate, and recent update.
34/45 points. Star count is log-scaled so large repos lead without completely hiding newer projects.
23.9/35 points from 1,813 net stars over 53.3 observed day(s).
20/20 points. Most recent GitHub activity: 2026-06-10T13:03:36Z.
- GitHub ranking score uses star count, measured star growth rate, and recent repository update only.
- 5,359 stars at last scan.
- 1,042 stars/week measured from 2026-04-22 to 2026-04-29T10:47:22.044Z.
- Most recent GitHub activity was 2026-04-27T21:21:06Z.
Source evidence preview
We show selected README/SKILL.md excerpts, not a full mirror of the repo. Use the focus cards for install notes, usage, and skill rules, then open GitHub before installing.
Install evidence
Sections found: Installation, Install a missing dependency (auto-detects OS and package manager).
Usage evidence
Sections found: Usage, Workflow.
Skill rules
Sections found: Workflow.
Installation
From GitHub (recommended)
Inside Claude Code, run:
/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skillThe skill will be permanently available in all future sessions.
Usage
Slash command
/decompile path/to/app.apkThis runs the full workflow: dependency check, decompilation, and initial structure analysis.
Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower
Need the full source? Read full README on GitHub
Prerequisites
This skill requires Java JDK 17+ and jadx to be installed. Fernflower/Vineflower and dex2jar are optional but recommended for better decompilation quality. Run the dependency checker to verify:
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.shOn Windows (PowerShell):
& "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.ps1"If anything is missing, follow the installation instructions in ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md.
Workflow
Phase 2: Decompile
Use the decompile wrapper script to process the target file. The script supports three engines: jadx, fernflower, and both.
Action: Choose the engine and run the decompile script. The script handles APK, XAPK, JAR, and AAR files.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh [OPTIONS] <file>On Windows (PowerShell):
& "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.ps1" [OPTIONS] <file>For XAPK files (ZIP bundles containing multiple APKs, used by APKPure and similar stores): the script automatically extracts the archive, identifies all APK files inside (base + split APKs), and decompiles each one into a separate subdirectory. The XAPK manifest is copied to the output for reference.
Split/bundled APK detection: Some APKs are actually bundle wrappers — the outer APK contains base.apk plus split_config.*.apk files inside its resources directory. When this happens, jadx will decompile the thin wrapper and produce very few Java files. The decompile scripts automatically detect this (≤10 Java files + inner APKs present) and re-decompile base.apk into an /base/ subdirectory. Config-only splits (ABI, language, density) are skipped. The main decompiled source will be in /base/sources/.
Options:
-o— Custom output directory (default:-decompiled)--deobf— Enable deobfuscation (recommended for obfuscated apps)--no-res— Skip resources, decompile code only (faster)--engine ENGINE—jadx(default),fernflower, orboth
Engine selection strategy:
| Situation | Engine |
|---|---|
| First pass on any APK | jadx (fastest, handles resources) |
| JAR/AAR library analysis | fernflower (better Java output) |
| jadx output has warnings/broken code | both (compare and pick best per class) |
| Complex lambdas, generics, streams | fernflower |
| Quick overview of a large APK | jadx --no-res |
When using --engine both, the outputs go into /jadx/ and /fernflower/ respectively, with a comparison summary at the end showing file counts and jadx warning counts. Review classes with jadx warnings in the Fernflower output for better code.
For APK files with Fernflower, the script automatically uses dex2jar as an intermediate step. dex2jar must be installed for this to work.
See ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md and ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md for the full CLI references.
Phase 5: Extract and Document APIs
Find all API endpoints and produce structured documentation.
Action: Run the API search script for a broad sweep.
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/On Windows (PowerShell):
& "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.ps1" <output>/sources/Targeted searches:
# Only auth patterns
bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh /sources/ --authOn Windows (PowerShell):
Need the full source? Read full SKILL.md on GitHub