⚡ Fully automated MCP server built on top of apktool to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly. Image generated using AI tools. apktool-mcp-server is a MCP server for the Apk Tool that integrates directly with Model Context Protocol (MCP) to provide live reverse engineering support with LLMs like Claude. Think: "Dec
Add this skill
npx mdskills install zinja-coder/apktool-mcp-serverComprehensive MCP server enabling AI-driven Android APK reverse engineering with 13 well-documented tools
1<div align="center">23# apktool-mcp-server (Part of Zin's Reverse Engineering MCP Suite)45⚡ Fully automated MCP server built on top of apktool to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly.6789101112[](http://www.apache.org/licenses/LICENSE-2.0.html)1314</div>1516<!-- It is a still in early stage of development, so expects bugs, crashes and logical erros.-->1718<div align="center">19 <img alt="banner" height="480px" widht="620px" src="https://github.com/user-attachments/assets/eb9037f2-d1c7-45e0-8871-ca8aaade0dd0">20</div>2122<!---->2324Image generated using AI tools.2526---2728## 🤖 What is apktool-mcp-server?2930**apktool-mcp-server** is a MCP server for the [Apk Tool](https://github.com/iBotPeaches/apktool) that integrates directly with [Model Context Protocol (MCP)](https://github.com/anthropic/mcp) to provide **live reverse engineering support with LLMs like Claude**.3132Think: "Decompile → Context-Aware Code Review → AI Recommendations" — all in real time.3334Watch the demo!3536https://github.com/user-attachments/assets/d50251b8-6b1c-4341-b18e-ae54eb24a8473738- **Solving the CTFs**39404142https://github.com/user-attachments/assets/c783a604-a636-4e70-9fa8-37e3d219b20b434445## Other projects in Zin MCP Suite46 - **[JADX-AI-MCP](https://github.com/zinja-coder/jadx-ai-mcp)**47 - **[JADX-MCP-Server](https://github.com/zinja-coder/jadx-mcp-server)**48 - **[ZIN-MCP-Client](https://github.com/zinja-coder/zin-mcp-client)**4950## Current MCP Tools5152The following MCP tools are available:5354- `build_apk()` — Build an APK from a decoded APKTool Project.55- `get_manifest()` — Get the AndroidManifest.xml content from a decoded APK project.56- `get_apktool_yml()` — Get apktool.yml information from a decoded APK project.57- `list_smali_directories()` — List all smali directories in a project.58- `list_smali_files()` — List smali files in a specific smali directory, optinally filtered by package prefix.59- `get_smali_file()` — Get content of a specific smali file by class name.60- `modify_smali_file()` — Modify the content of a specific smali file.61- `list_resources()` — List resources in a project, optionally filtered by resource type.62- `get_resource_file()` — Get Content of a specific resource file.63- `modify_resource_file()` — Modify the content of a specific resource file.64- `search_in_file()` — Search for a pattern in files with specified extensions.65- `clean_project()` — Clean a project directory to prepare for rebuilding.66- `decode_apk()` — Decode an APK file using APKTool, extracting resources and smali code.6768---6970## 🗒️ Sample Prompts717273### 🔍 Basic Code Understanding7475- “List all smali directories for the dvac project.”7677- “Show me all the smali files under the package prefix com.vulnerable.component in the dvac project.”7879- “Get the smali code for the class com.vulnerable.component.MainActivity.”8081- “Compare MainActivity.smali with its previous version and show differences.”8283- “Search for usage of startActivity in smali files of dvac project.”8485### 🛡️ Vulnerability Detection8687- “Analyze declared permissions in the dvac AndroidManifest.xml and flag dangerous ones.”8889- “Search for hardcoded URLs or IPs in all .xml and .smali files in the project.”9091- “Find all uses of PendingIntent.getActivity in smali files.”9293- “Check for exported activities or receivers in dvac’s AndroidManifest.xml.”9495- “List all smali files that access android.permission.SEND_SMS or READ_CONTACTS.”9697### 🛠️ Reverse Engineering Helpers9899- “Decode this APK: dvac.apk and create a project called dvac.”100101- “Create a new APKTool project called test-harness.”102103- “Clean the dvac project before rebuild.”104105- “Extract DEX files from dvac project for external analysis.”106107- “Modify MainActivity.smali to insert a log line at the beginning of onCreate().”108109### 📦 Static Analysis110111- “Get the complete AndroidManifest.xml from dvac project.”112113- “Show the contents of apktool.yml for the dvac project.”114115- “List all resource files of type layout.”116117- “Search for the word password in all resource and smali files.”118119- “Check which permissions are used and compare them against typical over-permissioning risks.”120121### 🤖 AI Code Modification122123- “Modify the onCreate() method in MainActivity.smali to add a toast message.”124125- “Replace all http:// links with https:// in strings.xml.”126127- “Add the android:exported=false attribute to all activities in the AndroidManifest.xml.”128129- “Patch the method validateLogin in LoginManager.smali to always return true.”130131- “Add logging statements to every method in MainActivity.smali.”132133### 📄 Documentation & Metadata134135- “List all decoded APKTool projects in the workspace.”136137- “Show me the apktool.yml config to review the version, original APK metadata, and compression settings.”138139- “Get all available Android devices connected via ADB. (To be migrated to ADB MCP Server.)”140141- “Get metadata about the project dvac from its apktool.yml.”142143- “Check which APKTool version is currently installed on the server.”144---145146## 🛠️ Getting Started147### 1. Downlaod from Releases: https://github.com/zinja-coder/apktool-mcp-server/releases148149```bash150# 0. Download and install apktool151https://apktool.org/docs/install152153# 1. Test whether apktool has been correctly configured in the environment variables154$ apktool -version155156# 2. Download the apktool-mcp-server-<version>.zip157https://github.com/zinja-coder/apktool-mcp-server/releases158159# 3.160unzip apktool-mcp-server-<version>.zip161162├apktool-mcp-server/163 ├── apktool_mcp_server.py164 ├── requirements.txt165 ├── README.md166 ├── LICENSE167168# 4. Navigate to apktool-mcp-server directory169cd apktool-mcp-server170171# 5. This project uses uv - https://github.com/astral-sh/uv instead of pip for dependency management.172 ## a. Install uv (if you dont have it yet)173curl -LsSf https://astral.sh/uv/install.sh | sh174 ## b. OPTIONAL, if for any reasons, you get dependecy errors in apktool-mcp-server, Set up the environment175uv venv176source .venv/bin/activate # or .venv\Scripts\activate on Windows177 ## c. OPTIONAL Install dependencies178uv pip install httpx fastmcp179180# The setup for apktool-mcp-server is done.181```182183## 2. Running on Local LLM Using Ollama and Zin MCP Client - Recommended184185<div align="center">186 <a href="https://github.com/zinja-coder/zin-mcp-client">187 <img alt="zin-mcp-client" height="360px" widht="480px" src="https://github.com/user-attachments/assets/0e8e0ecd-0520-422e-a007-03dc62c4118e">188 </a>189</div>190191⚡ Lightweight, Fast, Simple, CLI-Based MCP Client for STDIO MCP Servers, to fill the gap and provide bridge between your local LLMs running Ollama and MCP Servers.192193Check Now: https://github.com/zinja-coder/zin-mcp-client194195Demo: Coming soon...196197## 🤖 3. Claude Desktop Setup198199Make sure Claude Desktop is running with MCP enabled.200201For instance, I have used following for Kali Linux: https://github.com/aaddrick/claude-desktop-debian202203Configure and add MCP server to LLM file:204```bash205nano ~/.config/Claude/claude_desktop_config.json206```207208 - Windows: `%APPDATA%\Claude\claude_desktop_config.json`209 - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`210211And following content in it:212```json213{214 "mcpServers": {215 "apktool-mcp-server": {216 "command": "/<path>/<to>/uv",217 "args": [218 "--directory",219 "</PATH/TO/>apktool-mcp-server/",220 "run",221 "apktool_mcp_server.py"222 ]223 }224 }225}226```227228Replace:229230- `path/to/uv` with the actual path to your `uv` executable231- `path/to/apktool-mcp-server` with the absolute path to where you cloned this232repository233234Then, navigate code and interact via real-time code review prompts using the built-in integration.235236## 4. Cherry Studio Setup237238If you want to configure the MCP tool in Cherry Studio, you can refer to the following configuration.239- Type: stdio240- command: uv241- argument:242```bash243--directory244path/to/apktool-mcp-server245run246apktool_mcp_server.py247```248- `path/to/apktool-mcp-server` with the absolute path to where you cloned this249repository250251## To report bugs, issues, feature suggestion, Performance issue, general question, Documentation issue.252 - Kindly open an issue with respective template.253254 - Tested on Claude Desktop Client, support for other AI will be tested soon!255256## 🙏 Credits257258This project is a MCP Server for [Apktool](https://github.com/iBotPeaches/apktool), an amazing open-source Android reverse engineering tool created and maintained by [@iBotPeaches](https://github.com/iBotPeaches). All core APK decoding and resource processing logic belongs to them. I have only extended it to support my MCP server with AI capabilities.259260[📎 Original README (Apktool)](https://github.com/iBotPeaches/apktool)261262The original README.md from Apktool is included here in this repository for reference and credit.263264Also huge thanks to [@aaddrick](https://github.com/aaddrick) for developing Claude desktop for Debian based Linux.265266And in last, thanks to [@anthropics](https://github.com/anthropics) for developing the Model Context Protocol and [@FastMCP](https://github.com/jlowin/fastmcp) team.267268And all open source project maintainers and contributos which provies libraries and dependencies to make project like this possible.269270## 📄 License271272apktool-mcp-server and all related projects inherits the Apache 2.0273274## ⚖️ Legal Warning275276**Disclaimer**277278The tools `apktool-mcp-server` and all related tools under this project are intended strictly for educational, research, and ethical security assessment purposes. They are provided "as-is" without any warranties, expressed or implied. Users are solely responsible for ensuring that their use of these tools complies with all applicable laws, regulations, and ethical guidelines.279280By using `apktool-mcp-server`, you agree to use them only in environments you are authorized to test, such as applications you own or have explicit permission to analyze. Any misuse of these tools for unauthorized reverse engineering, infringement of intellectual property rights, or malicious activity is strictly prohibited.281282The developers of `apktool-mcp-server` shall not be held liable for any damage, data loss, legal consequences, or other consequences resulting from the use or misuse of these tools. Users assume full responsibility for their actions and any impact caused by their usage.283284Use responsibly. Respect intellectual property. Follow ethical hacking practices.285286---287288## 🙌 Contribute or Support289290## Contributing291292[](CONTRIBUTE.md)293294- Found it useful? Give it a ⭐️295- Got ideas? Open an [issue](https://github.com/zinja-coder/apktool-mcp-server/issues) or submit a PR296- Built something on top? DM me or mention me — I’ll add it to the README!297298---299## Audited and Received Assessment Badge300301[](https://mseep.ai/app/zinja-coder-apktool-mcp-server)302303Thank you Mseep.net for auditing and providing Assessment Badge.304---305306Built with ❤️ for the reverse engineering and AI communities.307
Full transparency — inspect the skill content before installing.