Return apktool / androguard / java availability.

Active backend is one of "apktool" (apktool jar on PATH and a JRE), "androguard" (pure-Python fallback), or "none" (server can't analyse anything).

The MCP layer prefers apktool when both are present because apktool's Smali output is closer to the canonical AOSP form. androguard is the always-on fallback for the header

• class enumeration + manifest-decoding tools.

Return a structural summary of the APK at path.

Output includes:

• package / version / min+target SDK

• activities, services, receivers, providers

• permissions list

• signature scheme (v1 / v2 / v3)

• debuggable + allowBackup flags

• per-file entry inventory + DEX / native lib / asset counts

Uses androguard for the manifest-backed fields, falls back to a zipfile-only walk for the entry list when androguard is missing.

Enumerate every class in every classes*.dex in the APK.

Returns one record per class::

{
  "fqn": "com.foo.Bar",
  "access": "public",
  "method_count": N
}

plus a per-dex summary. Use this for the "what's actually compiled into this APK" view — class names are the structural fact, not the implementation. Apktool would give a Smali dump; the MCP surface sticks to the typed class graph so the analyst can ask Claude "what classes are in this APK" without dragging the full bytecode into context.

Decode the APK's AndroidManifest.xml.

Returns the manifest as text (androguard's AXMLPrinter output) plus the parsed activity / service / receiver / provider / permission lists.

When the manifest is binary-only (some closed-source protectors encrypt it) androguard fails — the analyst falls back to apktool d directly. The MCP layer surfaces the error in the response rather than silently returning a half-decoded manifest.

Walk the APK + every classes*.dex for known protection patterns.

Uses the vendored data/apkid-signatures.json catalog. Returns a list of {category, evidence, evidence_offset, evidence_file} records with category-only labels ("apk_packager", "dex_obfuscator", "ssl_pinning", etc.). The category names describe observable patterns; no specific commercial product is named.

Args: path: path to the APK max_per_category: per-category match cap (default 50)

Returns::

{
  "path": "...",
  "matches": [{"category": "...", "evidence": "...",
               "evidence_offset": N, "evidence_file": "...",
               "match_pattern": "...", "id": "..."}, ...],
  "by_category": {"dex-obfuscator": 12, "ssl_pinning": 2, ...},
  "truncated": {"per_category": bool}
}

The signature table is matched against:

• classes.dex string table (DEX class names + method signatures + string literals);

• every lib/*.so for the native-section + string-literal categories;

• the manifest's application / meta-data elements.

The implementation lives in servers/re-apktool/src/re_apktool/classify.py.