android-reverse-engineering-mcp-server

android-reverse-engineering-mcp-server

A Python MCP server that decompiles Android APK/XAPK/JAR/AAR files and extracts HTTP APIs used by the app.

Category
Visit Server

README

Android Reverse Engineering MCP Server

A Python MCP server (FastMCP) that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.

What it does

  • Decompiles APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
  • Extracts and documents APIs: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens
  • Traces call flows from Activities/Fragments through ViewModels and repositories down to HTTP calls
  • Analyzes app structure: manifest, packages, architecture patterns
  • Handles obfuscated code: strategies for navigating ProGuard/R8 output

Requirements

Required:

  • Python 3.10+
  • Java JDK 17+
  • jadx (CLI)

Optional (recommended):

See docs/references/setup-guide.md for detailed installation instructions.

MCP Server Usage

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python server.py

The server runs over stdio by default (FastMCP). Configure your MCP client to launch python server.py in this repository.

Add to Claude Desktop

  1. Open Claude Desktop settings and locate the MCP servers configuration file. Common locations (may vary by install):
    • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
    • Windows: %APPDATA%\Claude\claude_desktop_config.json
    • Linux: ~/.config/Claude/claude_desktop_config.json
  2. Add a server entry like this (update the path to your repo):
{
	"mcpServers": {
		"android-reverse-engineering": {
			"command": "python3",
			"args": ["server.py"],
			"cwd": "/Users/yourname/path/android-reverse-engineering-mcp-server"
		}
	}
}
  1. Restart Claude Desktop.

Add to VS Code

  1. Install an MCP-compatible extension (such as an MCP client extension).
  2. Add a server entry using the same command/args/cwd as above.
  3. Restart VS Code and enable the server in the extension UI.

MCP Tools

  • check_dependencies — runs scripts/check-deps.sh and returns missing required/optional tools
  • install_dependency — runs scripts/install-dep.sh for a named dependency
  • decompile — wraps scripts/decompile.sh with engine/flags
  • find_api_calls — wraps scripts/find-api-calls.sh for Retrofit/OkHttp/URL/auth searches
  • workflow — runs dependency check, decompile, and API scan in one step

Workflow output schema: docs/workflow-schema.json

Manual Scripts

The scripts can also be used standalone:

# Check dependencies
bash scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash scripts/install-dep.sh jadx
bash scripts/install-dep.sh vineflower

# Decompile APK with jadx (default)
bash scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash scripts/find-api-calls.sh output/sources/
bash scripts/find-api-calls.sh output/sources/ --retrofit
bash scripts/find-api-calls.sh output/sources/ --urls

References

Disclaimer

This tool is provided strictly for lawful purposes, including but not limited to:

  • Security research and authorized penetration testing
  • Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
  • Malware analysis and incident response
  • Educational use and CTF competitions

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured