Android Reverse Engineering Skill: Unpacking APKs Like a Pro
TL;DR
- What it solves: Decompiles Android APK/XAPK/JAR/AAR files and extracts HTTP APIs, endpoints, and auth flows - no source code needed.
- Why it matters: Saves hours of manual reverse engineering for security, pentesting, and app analysis.
- Best for: Security researchers, malware analysts, and devs who need to understand Android app internals.
- Best use case: Extracting API endpoints and network flows from compiled Android apps for security or interoperability.
- Main differentiator: Automates API extraction and call flow mapping, even on obfuscated or ProGuarded code.
I’m staring at a black box. The client wants to know what their Android app is really sending over the wire. No source code, just a 90MB APK and a deadline. The last time I tried this, I spent a weekend with JADX, grep, and a growing sense of futility. This time, I want the answer before my coffee gets cold.
There’s a physicality to reverse engineering. APKs are like locked suitcases: you can shake them, but you won’t know what’s inside until you find the right tool. Most days, the zipper jams. Sometimes, you slice it open and everything spills out - strings, endpoints, secrets, the works. But most of the time, you’re left with a mess and a headache.
What This Skill Actually Does
This repo is a Claude Code skill that takes an Android APK (or XAPK, JAR, AAR) and does the dirty work for you. It decompiles the app, extracts all HTTP endpoints - Retrofit, OkHttp, hardcoded URLs, auth flows - and maps out the call structure. You get a clear picture of what the app is doing on the network, even if the code is obfuscated or you have zero Java experience.
The task: Make Android API reverse engineering systematic, fast, and reproducible. No more “grep and pray.”
Real-World Use Cases
- Security audits: Find every endpoint an app talks to, even if the code is a spaghetti mess.
- Penetration testing: Map out authentication flows and spot weak points in mobile APIs.
- Malware analysis: See what a suspicious APK is exfiltrating - no source required.
- Interoperability: Document APIs for integration when the vendor won’t share docs.
- Educational: Learn how real-world apps structure their network calls.
Walkthrough: Before/After
Before:
You have an APK. You want to know what servers it talks to. You try JADX, but the code is obfuscated, and the endpoints are buried in a maze of classes.
After:
You run one command. The tool decompiles the APK, extracts all HTTP endpoints, and gives you a neat list - Retrofit, OkHttp, even weird hardcoded URLs. You see the call flow, auth patterns, and can reproduce the requests.
How to Use It
Inside Claude Code:
/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill
Or clone locally:
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git
# Then in Claude Code:
# /plugin marketplace add /path/to/android-reverse-engineering-skill
# /plugin install android-reverse-engineering@android-reverse-engineering-skill
Requirements:
- Java JDK 17+
- jadx (CLI)
- (Optional) Vineflower/Fernflower, dex2jar
Manual Script Usage:
# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
# Decompile APK
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk
# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
Obfuscated or Complex Apps:
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk
Configuration & Customization
- Decompilation engine: Pick between JADX, Fernflower, Vineflower, or both. Use both for tricky, obfuscated apps.
- API extraction: Filter for Retrofit, OkHttp, or all URLs - focus on what matters.
- Dependency management: Scripts auto-detect your OS and install missing tools (when possible).
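What filtering decompiled sources for Retrofit, OkHttp, or plain URLs can look like, as an added example (not the skill's find-api-calls.sh, whose internals this page does not show). It also shows why such a scan still works on name-obfuscated code: Retrofit reads its annotations at runtime, so the path strings typically stay in the decompiled output even when classes and methods are renamed. The sample sources, the example.test hosts, and the names find_endpoints and scan_sample are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Most specific pattern first; each string literal on a line is reported once.
PATTERNS = [
    ("retrofit", re.compile(r'@(GET|POST|PUT|DELETE|PATCH|HEAD)\(\s*"([^"]*)"')),
    ("okhttp", re.compile(r'\.url\(\s*"([^"]+)"')),
    ("url", re.compile(r'"(https?://[^"\s]+)"')),
]

# Constructed sample of decompiled, name-obfuscated sources (not from a real app).
SAMPLE = {
    "a/b/c.java": 'public interface c {\n'
                  '  @GET("v1/users/{id}")\n'
                  '  Call<d> a(@Path("id") String str);\n'
                  '  @POST("v1/session")\n'
                  '  Call<e> a(@Body f fVar);\n}\n',
    "a/b/g.java": 'public class g {\n'
                  '  static final String a = "https://cdn.example.test/config.json";\n'
                  '  void b() { new Request.Builder().url("https://api.example.test/v2/login"); }\n}\n',
}

def find_endpoints(src_root, kinds=("retrofit", "okhttp", "url")):
    """Return (kind, file, line_no, http_method, value) for each literal found."""
    hits, root = [], Path(src_root)
    for path in sorted(root.rglob("*.java")):
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text("utf-8", "replace").splitlines(), 1):
            seen = set()  # literals already claimed by a more specific pattern
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    value = m.group(m.lastindex)
                    verb = m.group(1) if kind == "retrofit" else "-"
                    if value not in seen and kind in kinds:
                        hits.append((kind, rel, no, verb, value))
                    seen.add(value)
    return hits

def scan_sample(kinds=("retrofit", "okhttp", "url")):
    with tempfile.TemporaryDirectory() as tmp:  # write SAMPLE to disk, then scan it
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return find_endpoints(tmp, kinds)

if __name__ == "__main__":
    print(*scan_sample(), sep="\n")
```

Retrofit paths are relative, so each one still has to be paired with the base URL the app configures elsewhere before it names a full endpoint.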
Where It Fits (And Where It Doesn’t)
This skill is for anyone who needs to reverse engineer Android apps without source code - security pros, pentesters, malware analysts, or the terminally curious. It shines when you need to extract APIs and network flows quickly, especially from obfuscated or ProGuarded apps.
It’s not for you if you already have the source code, or if reverse engineering is legally or ethically off-limits in your situation. It also won’t magically deobfuscate everything - some apps are just too tangled.
The Rough Edges
- Dependencies: You must install decompilers (jadx, Vineflower/Fernflower, dex2jar) yourself. The scripts help, but don’t expect magic.
- Obfuscation: Some apps are so mangled that even this tool can’t untangle them. You’ll get partial results at best.
- Security: No install/build scripts or risky patterns were flagged in the docs, but always review before running on sensitive systems.
- Support: If you’re not comfortable with Bash scripts or Java, expect a learning curve.
Getting Started
- Install Java JDK 17+ and jadx.
- Add the skill in Claude Code or clone the repo.
- Run /decompile path/to/app.apk or use the scripts directly.
- Review the extracted endpoints and call flows.
- Profit (or at least, save your weekend).
FAQ
- Can it extract APIs from any APK?
  It works on most APK/XAPK/JAR/AAR files, but heavy obfuscation may limit results.
- Do I need to install anything extra?
  Yes - Java JDK 17+, jadx, and optionally Vineflower/Fernflower, dex2jar.
- Is it safe to use?
  No risky patterns were found in the docs, but always review scripts before running.
- Can I use it outside Claude Code?
  Yes, the scripts can be run manually for automation or custom workflows.
- What if I have the source code?
  You don’t need this tool - just read the code!
Final Thoughts
I started with a locked suitcase and a headache. Now, with one command, I have a map of every API an app calls - no source, no drama. For 2,781 stargazers, that’s 2,781 weekends saved (and a few headaches avoided).
Hoang Yell
A software developer and technical storyteller. I spend my time exploring the most interesting open-source repositories on GitHub and presenting them as accessible stories for everyone.