Repository files navigation

JADX-MCP-SERVER (Part of Zin's Reverse Engineering MCP Suite)

⚡ Fully automated MCP server built to communicate with JADX-AI-MCP Plugin to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly.

⭐ Contributors

Thanks to these wonderful people for their contributions ⭐

badmonkey7

tainn

ljt270864457

ZERO-A-ONE

neoz

SamadiPour

wuseluosi

CainYzb

tbodt

LikNick0101

lwsinclair

JADX MCP Server is a standalone Python server that interacts with a modified version ofjadx-gui (see:jadx-ai-mcp) via MCP (Model Context Protocol). It lets LLMs communicate with the decompiled Android app context live.

JADX-AI-MCP is a plugin for theJADX decompiler that integrates directly withModel Context Protocol (MCP) to providelive reverse engineering support with LLMs like Claude.

Think: "Decompile → Context-Aware Code Review → AI Recommendations" — all in real time.

sequenceDiagramLLM CLIENT->>JADX MCP SERVER: INVOKE MCP TOOLJADX MCP SERVER->>JADX AI MCP PLUGIN: INVOKE HTTP REQUESTJADX AI MCP PLUGIN->>REQUEST HANDLERS: INVOKE HTTP REQUEST HANDLERREQUEST HANDLERS->>JADX GUI: PERFORM ACTION/GATHER DATAJADX GUI->>REQUEST HANDLERS: ACTION PERFORMED/DATA GATHEREDREQUEST HANDLERS->>JADX AI MCP PLUGIN: CRAFT HTTP RESPONSEJADX AI MCP PLUGIN->>JADX MCP SERVER:HTTP RESPONSEJADX MCP SERVER->>LLM CLIENT: MCP TOOL RESULT

Watch the demos!

• Perform quick analysis

• Quickly find vulnerabilities

• Multiple AI Agents Support

• Analyze The APK Resources

• Your AI Assistant during debugging of APK using JADX

It is combination of two tools:

1. JADX-AI-MCP
2. JADX MCP SERVER

• APKTool-MCP-Server
• JAD-AI-MCP-Plugin
• ZIN-MCP-Client

The following MCP tools are available:

• fetch_current_class() — Get the class name and full source of selected class
• get_selected_text() — Get currently selected text
• get_all_classes() — List all classes in the project
• get_class_source() — Get full source of a given class
• get_method_by_name() — Fetch a method’s source
• search_method_by_name() — Search method across classes
• search_classes_by_keyword() — Search for classes whose source code contains a specific keyword (supports pagination)
• get_methods_of_class() — List methods in a class
• get_fields_of_class() — List fields in a class
• get_smali_of_class() — Fetch smali of class
• get_main_activity_class() — Fetch main activity from jadx mentioned in AndroidManifest.xml file.
• get_main_application_classes_code() — Fetch all the main application classes' code based on the package name defined in the AndroidManifest.xml.
• get_main_application_classes_names() — Fetch all the main application classes' names based on the package name defined in the AndroidManifest.xml.
• get_android_manifest() — Retrieve and return the AndroidManifest.xml content.
• get_strings() : Fetches the strings.xml file
• get_all_resource_file_names() : Retrieve all resource files names that exists in application
• get_resource_file() : Retrieve resource file content
• debug_get_stack_frames() : Get the stack frames from jadx debugger
• debug_get_threads() : Get the insights of threads from jadx debugger
• debug_get_variables() : Get the variables from jadx debugger

🔍 Basic Code Understanding

"Explain what this class does in one paragraph.""Summarize the responsibilities of this method.""Is there any obfuscation in this class?""List all Android permissions this class might require."

🛡️ Vulnerability Detection

"Are there any insecure API usages in this method?""Check this class for hardcoded secrets or credentials.""Does this method sanitize user input before using it?""What security vulnerabilities might be introduced by this code?"

🛠️ Reverse Engineering Helpers

"Deobfuscate and rename the classes and methods to something readable.""Can you infer the original purpose of this smali method?""What libraries or SDKs does this class appear to be part of?"

📦 Static Analysis

"List all network-related API calls in this class.""Identify file I/O operations and their potential risks.""Does this method leak device info or PII?"

🤖 AI Code Modification

"Refactor this method to improve readability.""Add comments to this code explaining each step.""Rewrite this Java method in Python for analysis."

📄 Documentation & Metadata

"Generate Javadoc-style comments for all methods.""What package or app component does this class likely belong to?""Can you identify the Android component type (Activity, Service, etc.)?"

🐞 Debugger Assistant

   "Fetch stack frames, varirables and threads from debugger and provide summary"   "Based the stack frames from debugger, explain the execution flow of the application"   "Based on the state of variables, is there security threat?"

READ HERE

Demo:Perform Code Review to Find Vulnerabilities locally

• Add Support for apktool

• Add support for hermes code (ReactNative Application)

• Add docker support

• Add more useful MCP Tools

• Make LLM be able to modify code on JADX

• Add prompts templates, give llm access to Android APK Files as Resources

• Build MCP Client to support Local LLM

• END-GOAL : Make all android reverse engineering and APK modification tools Connect with single MCP server to make reverse engineering apk files as easy as possible purely from vibes.

• The files related to JADX-AI-MCP can be foundhere

• The files related tojadx-mcp-server can be found in this repository only.

This project is a plugin for JADX, an amazing open-source Android decompiler created and maintained by@skylot. All core decompilation logic belongs to them. I have only extended it to support my MCP server with AI capabilities.

📎 Original README (JADX)

The original README.md from jadx is included here in this repository for reference and credit.

This MCP server is made possible by the extensibility of JADX-GUI and the amazing Android reverse engineering community.

Also huge thanks to@aaddrick for developing Claude desktop for Debian based linux.

And in last thanks to@anthropics for developing the Model Context Protocol and@FastMCP team

And all open source maintainers and contributors that makes libraries and dependencies which allows project like this possible.

Thank you Mseep.net for auditing and providing Assessment Badge.

This project uses following awesome libraries.

• Plugin - Java

  • Javalin -https://javalin.io/ - Apache 2.0 License
  • SLF4J -https://slf4j.org/ - MIT License
  • org.w3c.dom -https://mvnrepository.com/artifact/org.w3c.dom - W3C Software and Document License

• MCP Server - Python

  • FastMCP -https://github.com/jlowin/fastmcp - Apache 2.0 License
  • httpx -https://www.python-httpx.org - BSD-3-Clause (“BSD licensed”)

This plugin inherits the Apache 2.0 License from the original JADX repository.

Disclaimer

The toolsjadx-ai-mcp andjadx_mcp_server are intended strictly for educational, research, and ethical security assessment purposes. They are provided "as-is" without any warranties, expressed or implied. Users are solely responsible for ensuring that their use of these tools complies with all applicable laws, regulations, and ethical guidelines.

By usingjadx-ai-mcp orjadx_mcp_server, you agree to use them only in environments you are authorized to test, such as applications you own or have explicit permission to analyze. Any misuse of these tools for unauthorized reverse engineering, infringement of intellectual property rights, or malicious activity is strictly prohibited.

The developers ofjadx-ai-mcp andjadx_mcp_server shall not be held liable for any damage, data loss, legal consequences, or other consequences resulting from the use or misuse of these tools. Users assume full responsibility for their actions and any impact caused by their usage.

Use responsibly. Respect intellectual property. Follow ethical hacking practices.

• Found it useful? Give it a ⭐️
• Got ideas? Open anissue or submit a PR
• Built something on top? DM me or mention me — I’ll add it to the README!

Built with ❤️ for the reverse engineering and AI communities.