Which integrations are available for this server?

Decompiles Android APK/XAPK/JAR/AAR files and extracts HTTP APIs, Retrofit endpoints, OkHttp calls, hardcoded URLs, and authentication patterns for reverse engineering and documentation.

How do I use android-reverse-engineering-mcp-server?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@android-reverse-engineering-mcp-server Decompile app.apk and extract HTTP APIs" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

Android Reverse Engineering MCP Server

A Python MCP server (FastMCP) that decompiles Android APK/XAPK/JAR/AAR files and extracts the HTTP APIs used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.

What it does

Decompiles APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
Extracts and documents APIs: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens
Traces call flows from Activities/Fragments through ViewModels and repositories down to HTTP calls
Analyzes app structure: manifest, packages, architecture patterns
Handles obfuscated code: strategies for navigating ProGuard/R8 output

Requirements

Required:

Python 3.10+
Java JDK 17+
jadx (CLI)

Optional (recommended):

Vineflower or Fernflower — better output on complex Java code
dex2jar — needed to use Fernflower on APK/DEX files

See docs/references/setup-guide.md for detailed installation instructions.

MCP Server Usage

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python server.py

The server runs over stdio by default (FastMCP). Configure your MCP client to launch python server.py in this repository.

Add to Claude Desktop

Open Claude Desktop settings and locate the MCP servers configuration file. Common locations (may vary by install):
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
- Linux: ~/.config/Claude/claude_desktop_config.json
Add a server entry like this (update the path to your repo):

{
	"mcpServers": {
		"android-reverse-engineering": {
			"command": "python3",
			"args": ["server.py"],
			"cwd": "/Users/yourname/path/android-reverse-engineering-mcp-server"
		}
	}
}

Restart Claude Desktop.

Add to VS Code

Install an MCP-compatible extension (such as an MCP client extension).
Add a server entry using the same command/args/cwd as above.
Restart VS Code and enable the server in the extension UI.

MCP Tools

check_dependencies — runs scripts/check-deps.sh and returns missing required/optional tools
install_dependency — runs scripts/install-dep.sh for a named dependency
decompile — wraps scripts/decompile.sh with engine/flags
find_api_calls — wraps scripts/find-api-calls.sh for Retrofit/OkHttp/URL/auth searches
workflow — runs dependency check, decompile, and API scan in one step

Workflow output schema: docs/workflow-schema.json

Manual Scripts

The scripts can also be used standalone:

# Check dependencies
bash scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash scripts/install-dep.sh jadx
bash scripts/install-dep.sh vineflower

# Decompile APK with jadx (default)
bash scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash scripts/find-api-calls.sh output/sources/
bash scripts/find-api-calls.sh output/sources/ --retrofit
bash scripts/find-api-calls.sh output/sources/ --urls

References

Disclaimer

This tool is provided strictly for lawful purposes, including but not limited to:

Security research and authorized penetration testing
Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
Malware analysis and incident response
Educational use and CTF competitions

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE

This server cannot be installed

A

license - permissive license

-

quality - not tested

C

maintenance

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

android-reverse-engineering-mcp-server