# Decompile Android APKs with jadx

Android APK review is slow when bytecode and resources are hard to inspect. This skill guides Claude, Codex, and Claude Code through jadx workflows for readable source analysis.

## Install

```bash
npx skillstore add brownfinesecurity/jadx
```

## Metadata

- Slug: brownfinesecurity-jadx
- Version: 1.0.0
- Author: BrownFineSecurity
- GitHub username: BrownFineSecurity
- License: MIT
- Repository: https://github.com/BrownFineSecurity/iothackbot/tree/master/skills/jadx
- Ref: master
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands
- Quality score: 72
- Public page: https://skillstore.pages.dev/skills/brownfinesecurity-jadx
- Manifest: https://skillstore.pages.dev/api/skills/brownfinesecurity-jadx/manifest

## Capabilities

- Explains basic and advanced jadx command-line decompilation options.
- Shows how to decompile APKs with deobfuscation, fallback mode, and resource controls.
- Provides grep-based workflows for finding secrets, URLs, crypto code, and authentication logic.
- Compares jadx with apktool for code, resources, and smali review.
- Outlines GUI workflows for browsing classes, search results, and cross-references.
- Includes security and ethics guidance for authorized APK analysis.

## Use Cases

- Review a Mobile App for Secrets: Decompile an authorized APK and search extracted source for hardcoded credentials, tokens, URLs, and storage risks.
- Understand Android App Behavior: Convert DEX bytecode into readable Java and trace activities, services, APIs, and authentication flows.
- Analyze IoT Companion Apps: Extract device endpoints, discovery logic, and protocol clues from an IoT mobile application.

## Prompt Templates

### Basic APK Decompile

```
Use the jadx skill to decompile this authorized APK. Explain the output folders and list the first files I should inspect.
```

### Search for Sensitive Data

```
Use the jadx workflow to search the decompiled source for API keys, credentials, tokens, URLs, and database connection strings.
```

### Trace Authentication Logic

```
Guide me through finding login, authorization, JWT, bearer token, and API client code in the jadx output.
```

### Build a Security Review Plan

```
Create a jadx-based review plan for this obfuscated APK, including deobfuscation, crypto checks, WebView checks, storage checks, and runtime validation steps.
```

## Limitations

- Requires jadx and Java to be installed locally, plus enough disk space for the decompiled output.
- Decompiled Java is approximate and may not match original source exactly.
- Heavily obfuscated or protected APKs may produce incomplete output.
- Does not verify findings without runtime analysis or manual review.

## Best Practices

- Only decompile APKs that you own or have explicit permission to assess.
- Use deobfuscation for production apps and keep the original APK unchanged.
- Confirm static findings with manual review and runtime testing before reporting.

## Anti Patterns

- Do not run generated commands without checking file paths and output directories.
- Do not treat decompiled Java as exact original source code.
- Do not distribute proprietary decompiled source without authorization.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T18:09:57.519+00:00
- Summary: The static analyzer flagged many shell, secret, crypto, and reconnaissance terms, but review shows they are examples in a jadx usage guide. The confirmed risk is legitimate but sensitive external command guidance for decompiling APKs and searching extracted source, which requires authorization and careful path handling.

## Stats

- Views: 306
- Downloads: 17
- Favorites: 1
- Popularity score: 0
