JADX plug-in + standalone Python MCP server that lets LLMs (e.g. Claude) interact with decompiled Android APKs for live reverse-engineering, SAST and vulnerability hunting.
https://github.com/zinja-coder/jadx-ai-mcp
Drop an APK into JADX, click a method, ask "What vulnerabilities exist here?" — and get instant, context-aware security analysis from Claude. No copy-pasting decompiled code, no switching between tools.
You're analyzing a suspicious APK. JADX decompiles it perfectly, but now you're staring at 15,000 lines of obfuscated Java across 200+ classes. Finding the actual security issues means:
JADX-AI-MCP eliminates this workflow entirely.
This isn't another "AI wrapper" — it's a native JADX plugin that creates a persistent MCP connection to Claude. Every class, method, and resource in your decompiled APK becomes instantly queryable through natural language.
Right-click any code element and ask:
Claude receives the full context — not just the code snippet, but the entire project structure, manifest permissions, and resource files.
Skip the context-switching dance: Analysis happens directly in JADX's interface. No tabs, no copy-paste, no losing your place in the codebase.
Get project-aware answers: Claude sees your entire APK context — manifest permissions, resource files, class relationships. Ask "What sensitive permissions does this class require?" and get answers based on actual usage patterns.
Accelerate vulnerability hunting: Instead of manually auditing every crypto implementation or network call, ask Claude to identify patterns across the entire codebase in seconds.
Decode obfuscation instantly: Those renamed classes like a.b.c.d? Claude can infer their actual purpose and suggest meaningful names based on their behavior.
Mobile Penetration Testing: Load a client's APK, immediately identify common vulnerability patterns (insecure storage, weak crypto, exposed APIs) without manual code review.
Malware Analysis: Upload suspicious APKs and quickly understand their behavior — data exfiltration methods, C&C communication, persistence mechanisms.
Code Audit Acceleration: For security consultants reviewing Android apps, this cuts analysis time from days to hours by automating the initial vulnerability discovery phase.
Research & Learning: Studying how popular apps implement features? Ask Claude to explain complex Android patterns in plain English with specific examples from the decompiled code.
The plugin installs in 30 seconds:
# Install directly into JADX
jadx plugins --install "github:zinja-coder:jadx-ai-mcp"
# Or download and drop the JAR into your JADX plugins folder
MCP server setup is equally straightforward — it's a single Python script with minimal dependencies. Works with Claude Desktop, local Ollama models, or any MCP-compatible endpoint.
Traditional approach: Decompile → manually identify interesting code → copy to Claude → explain context → get generic answer → repeat 50+ times per APK.
JADX-AI-MCP approach: Decompile → ask questions directly in context → get project-specific answers immediately.
The time savings compound exponentially with APK complexity. What used to take a full day of manual analysis now takes 2-3 hours of guided AI assistance.
The MCP integration provides 15+ specialized tools for Android analysis:
get_main_activity_class() — Jump directly to app entry points
get_android_manifest() — Analyze permissions and components
search_method_by_name() — Find patterns across the entire codebase
get_smali_of_class() — Get low-level bytecode when Java isn't enough
get_strings() — Extract and analyze string resources
This isn't just "explain this code" — it's a complete Android analysis toolkit accessible through natural language.
Works with your existing setup. If you're already using JADX for Android reverse engineering, this plugin drops into your workflow without changing anything else.
The MCP server runs locally (for sensitive analysis) or connects to hosted Claude/OpenAI endpoints. Your APK data stays where you want it.
For teams doing regular mobile security assessments, the productivity improvement is immediately measurable. Junior analysts can perform senior-level analysis, and senior analysts can focus on complex logical vulnerabilities instead of grinding through basic code patterns.
This is Android reverse engineering with a proper AI assist — not another chat interface, but native tooling that makes you faster at what you already do.