Fresh re-import of the project. The prior history of the Heretek-AI/Android-RE repository was rebuilt from a single squashed initial commit per the project's vendor-neutrality policy (see CLAUDE.md for the policy and translation table). The audit trail for the rebuild is preserved at /tmp/sanitize/pre-destroy/ on the analyst host. The redaction spec is at /tmp/sanitize/redacts.json; the audit decision log is at /tmp/sanitize/audit-decision.md.
Android-RE
Claude Code skills and MCP servers for Android APK reverse engineering. Drop
in an APK, get a MASVS-aligned triage report in 60 seconds. Hook a method,
get a working Frida session. Inspect a .so file, get a hardening report.
This is a monorepo containing:
- 4 MCP servers (Python + TypeScript) that wrap and compose the existing Android RE ecosystem (Apktool, jadx, androguard, LIEF, Frida, ADB, etc.).
- 11 Claude Code skills that orchestrate the MCP tools into high-value workflows (triage, decompile, dynamic hooking, MASVS reporting, etc.).
- A shared Python core library (
android_re_core) used by every Python MCP server so APK parsing, frida sessions, and tool paths are defined once. - A unified
Output/folder convention — every run lands its deliverables atOutput/<apk>-<sha>/<subdir>/<file>. Seedocs/output-convention.mdfor the full convention anddocs/getting-started.mdfor the first-APK walkthrough.
Repository Layout
Input/ drop APKs here (git-ignored)
Output/ every deliverable lands here (git-ignored, env-var-overridable)
android_re_core/ shared Python library (androguard, LIEF, frida, ADB)
mcp_servers/ 4 Python MCP servers (static, native, dynamic, triage)
mcp_bridge/ 1 TypeScript MCP server (ADB device bridge)
skills/ 12 Claude Code skills (workflows that compose MCP tools)
bin/ install.sh, doctor.sh, pull-tools.sh, …
tools/ isolated subprocess runners (apkleaks, androwarn, …)
docs/ mkdocs site
examples/ end-to-end walkthroughs (deliberately-vulnerable training apps)
tests/ cross-component / E2E
Quick Start
Prerequisites: Python 3.12+, Node 24+, Java 17+, Android Platform Tools
(adb), and a rooted device or emulator (only for dynamic analysis).
# Install everything: Python packages, Node package, vendored jars, skill symlinks
./bin/install.sh
# Verify the toolchain
./bin/doctor.sh
# Drop an APK in and triage it
claude
> /android-re-triage-orchestrator
> triage path/to/app.apk
To install just the skills (and rely on the user installing the MCP servers separately):
./bin/install.sh --skills-only
See docs/getting-started.md for the full guide.
Architecture
See docs/architecture.md for an up-to-date
description of the components and how they fit together.
Skills (11)
| Skill | Purpose |
|---|---|
android-re-triage-orchestrator |
Drop-in APK → MASVS report |
android-re-static-triage |
5-minute static overview |
android-re-decompile |
Pull pseudocode/smali for specific methods |
android-re-dynamic-hook |
Hook a method, observe behavior on device |
android-re-native-triage |
Assess native library hardening |
android-re-network-intercept |
Capture HTTPS from app |
android-re-secrets-scan |
Deep secrets & risk findings |
android-re-sslpinning-bypass |
Bypass SSL pinning on a target app |
android-re-repackage |
Modify + repackage APK for testing |
android-re-masvs-report |
Single MASVS-aligned report |
android-re-frida-script-author |
Generate Frida scripts with helper templates |
MCP Servers (5)
| Server | Language | Purpose |
|---|---|---|
android-re-static |
Python | Static APK analysis (androguard) |
android-re-native |
Python | Native binary analysis (LIEF) |
android-re-dynamic |
Python | Device + Frida instrumentation |
android-re-triage |
Python | Orchestrates the other three |
mcp_bridge |
TypeScript | ADB / screencap / logcat / frida-ps |
Status
Phase 1 (Foundation) is in progress. See the project plan in
/home/john/.claude/plans/calm-juggling-clarke.md for the full 4-phase roadmap.
License
Apache-2.0. See LICENSE. Note that frida-server is bundled
under the wxWindows Library Licence with a personal-use restriction; see
LICENSE-3rdparty.md.
Contributing
See CONTRIBUTING.md.
Security
See SECURITY.md. Report vulnerabilities to
security@heretek-ai.example (replace with the real address when the org
sets up a security inbox).