A Claude Code skill that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.
First-class Kotlin support: modern Android apps are Kotlin/KMP, heavily obfuscated with R8. This skill recovers the original Kotlin class names from metadata R8 cannot strip, and extracts APIs from Ktor, Apollo (GraphQL) and Koin — not just the classic Retrofit/OkHttp stack. See Kotlin name recovery below.
Windows / PowerShell support (experimental): The
*.ps1scripts alongside the bash ones are a recent community contribution, still being stabilised. For any issues please open an issue on this repository (not on the contributors' upstream forks): the PowerShell scripts are maintained here by @SimoneAvogadro.
- What it does
- Requirements
- Installation
- Usage
- Repository Structure
- References
- Acknowledgments
- Disclaimer
- License
| Capability | Description |
|---|---|
| Fingerprint first (Phase 0) | Triage an APK/XAPK in seconds — detect the framework (Flutter / React Native / Cordova / Xamarin / native-Kotlin), HTTP stack, obfuscation level and native libs before spending time on a full decompile |
| Decompile | APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison) |
| Recover Kotlin names | Rebuild original *Repository / *ViewModel / *UseCase class names from R8-obfuscated binaries using Kotlin metadata that R8 cannot strip |
| Extract APIs | Retrofit, OkHttp, Volley and modern Kotlin/KMP stacks: Ktor, Apollo (GraphQL), Koin DI — endpoints, hardcoded URLs, auth headers, tokens and HMAC request-signing schemes |
| Trace call flows | From Activities/Fragments through ViewModels and repositories down to HTTP calls |
| Analyze structure | Manifest, packages, architecture patterns |
| Handle obfuscation | R8-resistant path/URL extraction plus strategies for navigating ProGuard/R8 output |
Required:
- Java JDK 17+
- jadx (CLI)
Optional (recommended):
- Vineflower or Fernflower — better output on complex Java code
- dex2jar — needed to use Fernflower on APK/DEX files
See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.
Inside Claude Code, run:
/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
The skill will be permanently available in all future sessions.
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.gitThen in Claude Code:
/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
/decompile path/to/app.apk
This runs the full workflow: dependency check, decompilation, and initial structure analysis.
The skill activates on phrases like:
- "Decompile this APK"
- "Reverse engineer this Android app"
- "Extract API endpoints from this app"
- "Follow the call flow from LoginActivity"
- "Analyze this AAR library"
The scripts can also be used standalone:
# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower
# Fingerprint an APK/XAPK BEFORE decompiling (Phase 0 triage):
# framework, HTTP stack, obfuscation level, native libs, notable SDKs
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/fingerprint.sh app.apk
# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk
# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk
# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar
# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk
# Find API calls — defaults to a full scan across every supported stack
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls
# Modern Kotlin/KMP stacks and obfuscation-resistant extraction
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --ktor # Ktor client
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --apollo # Apollo / GraphQL
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --paths # quoted path literals that survive R8 inliningMost real-world Kotlin/KMP apps ship through R8, so the decompiled classes come
out as a.b.c. R8 renames the JVM symbols but cannot strip the Kotlin
metadata strings — the Kotlin runtime (reflection, coroutines) needs the
original fully-qualified names at runtime. This skill mines those
@DebugMetadata / @Metadata annotations to rebuild an obfuscated → real
class-name map. On a typical app it recovers ~100 % of the
*Repository / *ViewModel / *UseCase / *Impl classes you actually want to
read.
# 1. Build the mapping from the decompiled sources
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/recover-kotlin-names.sh output/sources/ output/names/
# → output/names/mapping.tsv, mapping.json, by_package/
# 2. Query it: resolve an obfuscated name, search by real name, or grep
# the sources with each hit annotated with its recovered class name
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ LoginRepository
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ -o a.b.c
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/lookup-name.sh output/names/ --grep 'login' output/sources/android-reverse-engineering-skill/
├── .claude-plugin/
│ └── marketplace.json # Marketplace catalog
├── plugins/
│ └── android-reverse-engineering/
│ ├── .claude-plugin/
│ │ └── plugin.json # Plugin manifest
│ ├── skills/
│ │ └── android-reverse-engineering/
│ │ ├── SKILL.md # Core workflow (Phase 0–5)
│ │ ├── references/
│ │ │ ├── setup-guide.md
│ │ │ ├── jadx-usage.md
│ │ │ ├── fernflower-usage.md
│ │ │ ├── api-extraction-patterns.md
│ │ │ ├── kotlin-name-recovery.md
│ │ │ ├── third_party_hosts.txt # denylist for first/third-party bucketing
│ │ │ └── call-flow-analysis.md
│ │ └── scripts/
│ │ ├── check-deps.sh # Bash
│ │ ├── check-deps.ps1 # PowerShell
│ │ ├── install-dep.sh
│ │ ├── install-dep.ps1
│ │ ├── decompile.sh
│ │ ├── decompile.ps1
│ │ ├── fingerprint.sh # Phase 0 — pre-decompile triage
│ │ ├── recover-kotlin-names.sh # R8 → real Kotlin class names
│ │ ├── lookup-name.sh # query the recovered name map
│ │ ├── find-api-calls.sh
│ │ └── find-api-calls.ps1
│ └── commands/
│ └── decompile.md # /decompile slash command
├── LICENSE
└── README.md
- jadx — Dex to Java decompiler
- Fernflower — JetBrains analytical decompiler
- Vineflower — Fernflower community fork
- dex2jar — DEX to JAR converter
- apktool — Android resource decoder
Thanks to the contributors who have shaped this skill:
- @tajchert — Phase 0 fingerprinting, R8-resistant Kotlin name recovery (
recover-kotlin-names.sh,lookup-name.sh), and Ktor / Apollo / Koin / HMAC extraction patterns (#16) - @philjn — Native Windows / PowerShell support (
check-deps.ps1,install-dep.ps1,decompile.ps1,find-api-calls.ps1) and split/bundled APK detection indecompile.sh(#8) - @txhno — Migration to the maintained
ThexXTURBOXx/dex2jarfork (#12) - @muqiao215 — Decompile partial-success handling, Fernflower timeout safeguard, intermediate-artifact directory (#10)
- @kevinaimonster — Chinese localization (
SKILL.mddiscovery keywords) (#4)
This plugin is provided strictly for lawful purposes, including but not limited to:
- Security research and authorized penetration testing
- Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
- Malware analysis and incident response
- Educational use and CTF competitions
You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.
The authors disclaim any liability for misuse of this tool.
Apache 2.0 — see LICENSE