Static Android app reverse-analysis workflow for exporting APKs from ADB, handling split APKs, decompiling with JADX/apktool/Vineflower, inventorying static artifacts, detecting packers, extracting API endpoints, and producing evidence-labeled reports. Use when the user asks to reverse engineer, decompile, inspect APKs, pull installed apps, dump packages, run jadx/apktool/smali/vineflower/dex2jar, analyze /tmp APK or JADX outputs, detect Android packers/native code, extract Retrofit/OkHttp/Volley/custom HTTP endpoints, find leaked static secrets, trace Android call flows, or says '用jadx逆向' (reverse it with jadx), '从手机导出安装包' (export the install package from the phone), '提取接口' (extract the API endpoints), '查包名并反编译' (look up the package name and decompile), '检测加固' (detect packing/hardening), '提取泄露' (extract leaks).
Android Static App Reverse
IRON LAW: STATIC ANALYSIS ONLY. Never bypass licensing, authentication, encryption, payments, anti-cheat, or access controls; do not extract private user data or credentials.
Workflow
Copy this checklist and check off items as you complete them:
Android Static App Reverse Progress:
- [ ] Step 1: Scope and safety check ⚠️ REQUIRED
- [ ] 1.1 Identify requested apps, package IDs, or local APK folders
- [ ] 1.2 Confirm the task is static reverse engineering only
- [ ] 1.3 Decide output layout: timestamped safe output or explicit /tmp flat paths
- [ ] Step 2: Preflight ⛔ BLOCKING
- [ ] 2.1 Check `jadx --version`
- [ ] 2.2 Check optional tools only when needed; load `references/tooling-and-commands.md` for command variants, APKiD/apkleaks, and build-tools lookup
- [ ] 2.3 If pulling from device, check `adb devices`; prefer `--serial` or ANDROID_SERIAL when multiple devices exist
- [ ] 2.4 Resolve app labels/names to package IDs
- [ ] 2.5 For APKs >50MB or >10 DEX files, plan to use `--parallel --jadx-timeout 600 --apkleaks-timeout 300`
- [ ] 2.6 For Windows/PowerShell or non-POSIX shells, load `references/cross-platform.md`
- [ ] Step 3: Extract and decompile
- [ ] 3.1 Pull all split APKs with `adb shell pm path` and `adb pull`
- [ ] 3.2 Run JADX on device APKs or local APK/XAPK/JAR/AAR inputs
- [ ] 3.3 Run apktool with a writable framework path when manifest/resources/smali precision matters
- [ ] 3.4 Run dex2jar + Vineflower for secondary Java output when requested or when JADX needs cross-checking
- [ ] Step 4: Verify outputs ⚠️ REQUIRED
- [ ] 4.1 Confirm APK/JADX directories and `sources/`
- [ ] 4.2 For APK/XAPK, confirm `resources/AndroidManifest.xml` or document why absent
- [ ] 4.3 If apktool ran, confirm decoded `AndroidManifest.xml`, `res/`, and `smali*/`
- [ ] 4.4 If packer/security/coverage analysis is requested or completeness is uncertain, run APKiD; otherwise run lightweight artifact inventory or document skip reason
- [ ] 4.5 If endpoint/secret/security analysis is requested, run apkleaks; if unavailable or timed out, confirm fallback ran
- [ ] 4.6 Record hashes, package/version metadata, and signing/certificate status when available
- [ ] 4.7 If JADX timed out, verify `sources/` has usable content before continuing
- [ ] Step 5: Analyze requested surface area
- [ ] 5.1 For API/network extraction, load `references/endpoint-extraction.md`
- [ ] 5.2 For manifest/WebView/storage/crypto/deep-link review, load `references/security-triage.md`
- [ ] 5.3 For packer/runtime DEX/native/Unity/Flutter/RN/Cordova/Xamarin, load `references/native-packer-triage.md`
- [ ] 5.4 For native-held static configuration, JNI-returned values, or client-side secret triage, load `references/native-config-extraction.md`
- [ ] Step 6: Report concise results with coverage and confidence labels
Step 1: Scope and Safety Check
Ask:
- Is the user asking for static APK/source/resource inspection, or runtime bypass/cracking?
- Did the user provide app labels, package IDs, local APK paths, or a mix?
- Are output paths likely to overwrite existing work?
Refuse or narrow requests for credential extraction, payment bypass, DRM/license bypass, cheating, malware modification, or exfiltrating private app data. Continue for benign static analysis, compatibility research, hook target discovery, logging/debugging, or security review of apps the user is authorized to inspect.
Confirmation gate: before using `--force`, state which directories will be replaced and get explicit user approval unless the user already asked to overwrite.
Step 2: Preflight ⛔ BLOCKING
Run `jadx --version`.
Load `references/tooling-and-commands.md` when selecting optional tools, resolving Android SDK build-tools outside PATH, or choosing APKiD/apkleaks/metadata commands.
Optional tool families: apktool, vineflower, dex2jar (d2j-dex2jar or d2j-dex2jar.sh), aapt/aapt2, apksigner, apkid, apkleaks, and androguard.
For native configuration extraction, also check binary inspection tools and load references/native-config-extraction.md:
Default mode: for plain decompile/export requests, produce APK/JADX inventory first. Run APKiD/apkleaks when the user asks for security, packer, endpoint, secret, or coverage analysis, or when static completeness is uncertain.
Tool priority for packer detection: APKiD > inventory script keyword matching; fall back to inventory only when APKiD is unavailable.
Tool priority for secret/URL leak detection: apkleaks > find_static_anchors.py regex; fall back to the bundled script only when apkleaks is unavailable or times out.
If pulling from a phone, run `adb devices`.
ADB parsing rule: treat a device as authorized only when the whitespace-delimited second column is exactly `device`; do not depend on a literal tab. If multiple devices exist, use `--serial <serial>` or set `ANDROID_SERIAL`.
If the bundled script's ADB preflight fails but a manual `adb devices` looks usable, do not stop. Try the manual fallback:
Then run the script on the pulled local APK directory.
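The pull step above, written out as an added example (this is not the bundled script): it applies the ADB parsing rule exactly as stated (whitespace-split, second column must be `device`), refuses to guess when several devices are attached, resolves the package's split paths with `adb shell pm path`, and pulls `base.apk` plus every `split_*.apk` into `<out>/<package>/`. The `serial=` parameter is this example's equivalent of the script's `--serial`; the `run` parameter is an assumption added so the flow can be exercised without a device.

```python
"""Pull every split APK of an installed package over ADB.

Added example, not the bundled script. Implements the preflight rule from the text:
a device is authorized only when the whitespace-delimited second column of
`adb devices` is exactly "device"; with several devices a serial must be pinned.
"""
import subprocess
import sys
from pathlib import Path
from typing import Callable, List, Optional


def parse_adb_devices(text: str) -> List[str]:
    """Serials whose state column is 'device'. Splits on any whitespace (tab or spaces)
    and ignores the header, blank lines and 'unauthorized'/'offline' entries."""
    serials = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[1] == "device":
            serials.append(cols[0])
    return serials


def parse_pm_path(text: str) -> List[str]:
    """APK paths from `pm path <pkg>` output: one 'package:/data/app/.../x.apk' line per split."""
    return [l.strip()[len("package:"):] for l in text.splitlines() if l.strip().startswith("package:")]


def adb_cmd(args: List[str], serial: Optional[str]) -> List[str]:
    """Build an adb command, pinning a serial with -s when one is given."""
    return ["adb"] + (["-s", serial] if serial else []) + args


def pull_split_apks(package: str, out_dir: Path, serial: Optional[str] = None,
                    run: Callable = subprocess.run) -> List[Path]:
    """Pull base.apk and all split_*.apk of `package` into out_dir/<package>/.

    `run` is injectable (defaults to subprocess.run, an assumption of this example)
    so the flow can be exercised without a device attached.
    """
    devices = parse_adb_devices(
        run(adb_cmd(["devices"], None), capture_output=True, text=True, check=True).stdout)
    if not devices:
        raise RuntimeError("no authorized device; check `adb devices` and accept the USB debugging prompt")
    if serial is None:
        if len(devices) > 1:
            raise RuntimeError(f"several devices {devices}: pass serial= or set ANDROID_SERIAL")
        serial = devices[0]
    remote = parse_pm_path(
        run(adb_cmd(["shell", "pm", "path", package], serial), capture_output=True, text=True, check=True).stdout)
    if not remote:
        raise RuntimeError(f"{package}: not installed on {serial} (pm path returned nothing)")
    dest = out_dir / package
    dest.mkdir(parents=True, exist_ok=True)
    pulled = []
    for r in remote:
        local = dest / Path(r).name  # base.apk, split_config.arm64_v8a.apk, ...
        run(adb_cmd(["pull", r, str(local)], serial), check=True)
        pulled.append(local)
    return pulled


if __name__ == "__main__":
    pkg = sys.argv[1]
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("apks")
    for p in pull_split_apks(pkg, out):
        print(p)
```

Run it as `python pull_splits.py com.example.app /tmp/apks`; the resulting directory is what the later JADX/apktool steps take as input. Because `pm path` lists every split, a config split that JADX would otherwise miss (native libs, locale resources) is pulled alongside `base.apk`.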
For app names rather than package IDs, resolve against local device package data. If an app name is ambiguous, ask for the package ID instead of guessing.
If `--out` is omitted, the script writes to the system temp directory (`tempfile.gettempdir()`). Load `references/tooling-and-commands.md` for full command variants such as `--serial`, `--jadx-mode fallback`, `--apktool-framework-dir`, and combined scanner runs. Use `references/cross-platform.md` for Windows/PowerShell command equivalents.
For APKs >50MB or >10 DEX files, use `--parallel`, `--jadx-timeout 600`, and `--apkleaks-timeout 300`; load `references/large-apk-handling.md` if output stalls or partial JADX output needs triage.
When editing scripts, validate syntax before delivery:
If apksigner fails, report the exact failure. Then run `jarsigner -verify -verbose -certs <apk>` as a fallback to recover the JAR signer subject, weak-algorithm warnings, missing v2/v3 signature hints, or "signature stripped" evidence. Label the APK as "does not verify" when apksigner fails, even if jarsigner can read a certificate subject.
When packer/security/coverage analysis is requested or completeness is uncertain, use APKiD first. If APKiD is unavailable, fall back to artifact inventory:
When endpoint/secret/security analysis is requested, use apkleaks first. It can hang on large multi-DEX APKs; use the script's `--apkleaks-timeout` and load `references/large-apk-handling.md` for stall triage.
If apkleaks is unavailable or failed/timed out, fall back to:
Then confirm:
- If apktool ran, does output contain decoded `AndroidManifest.xml`, `res/`, and one or more `smali*` directories?
- If Vineflower ran, does `<output>/<app>/vineflower/sources/` or `<output>/<app>_vineflower/sources/` contain Java output?
- Does APKiD or artifact inventory show packer/protector hints, runtime-loaded DEX/JAR/APK, Unity IL2CPP, Flutter, React Native Hermes, Cordova, Xamarin, or important native libraries?
- Are aapt/apksigner unavailable? If yes, state the signing/provenance gap.
- Did jadx return exit code 3, and if so, are usable outputs still present?
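The artifact-inventory fallback (used when APKiD is unavailable) as an added example, not the bundled inventory script: it reads each pulled `.apk` directly as a zip, records its SHA-256, DEX count, native libraries per ABI and the framework markers the verification questions above ask about (Unity IL2CPP, Flutter, React Native Hermes, Cordova, Xamarin), flags the >50MB / >10 DEX threshold, and optionally greps a JADX `sources/` tree for runtime code-loading APIs (`DexClassLoader`, `InMemoryDexClassLoader`, `System.load`/`loadLibrary`) so that partial static coverage can be labelled as such. The marker file names are well-known library/asset names; the function names and report layout are this example's own.

```python
"""Lightweight APK artifact inventory, the fallback when APKiD is unavailable.

Added example, not the bundled inventory script. Reads the APK zip directly and,
optionally, greps a JADX sources/ tree for runtime code-loading APIs.
"""
import hashlib
import re
import zipfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Well-known file names identifying a cross-platform runtime. Presence is direct
# evidence; absence proves nothing. A trailing "/" means "any entry under this prefix".
FRAMEWORK_MARKERS = {
    "Unity IL2CPP": ("libil2cpp.so", "libunity.so"),
    "Flutter": ("libflutter.so", "libapp.so"),
    "React Native (Hermes)": ("libhermes.so", "index.android.bundle"),
    "Cordova": ("assets/www/cordova.js",),
    "Xamarin/.NET": ("libmonodroid.so", "libxamarin-app.so", "assemblies/"),
}

# Java APIs that load code at runtime: a hit means part of the executable surface may
# be invisible to JADX, so static coverage must be reported as partial.
RUNTIME_LOAD_RE = re.compile(
    r"\b(DexClassLoader|PathClassLoader|InMemoryDexClassLoader|System\.load(?:Library)?)\b")
DEX_RE = re.compile(r"classes\d*\.dex")
LIB_RE = re.compile(r"lib/([^/]+)/([^/]+\.so)")


def _matches(name: str, marker: str) -> bool:
    if marker.endswith("/"):
        return name.startswith(marker)
    return name == marker or name.endswith("/" + marker)


def inventory_apk(apk_path: Path) -> Dict:
    """Summarise one APK (or split): hash, DEX count, native libs per ABI, runtime markers."""
    data = apk_path.read_bytes()
    with zipfile.ZipFile(apk_path) as z:
        names = z.namelist()
    libs: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        m = LIB_RE.fullmatch(n)
        if m:
            libs[m.group(1)].append(m.group(2))
    frameworks = {}
    for fw, markers in FRAMEWORK_MARKERS.items():
        hits = sorted({n for n in names for mk in markers if _matches(n, mk)})
        if hits:
            frameworks[fw] = hits
    dex = sorted(n for n in names if DEX_RE.fullmatch(n))
    return {
        "file": apk_path.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_manifest": "AndroidManifest.xml" in names,
        "dex_count": len(dex),
        # Threshold from the workflow text: above it, plan for --parallel and longer timeouts.
        "large_apk": len(dex) > 10 or len(data) > 50 * 1024 * 1024,
        "native_libs": dict(libs),
        "frameworks": frameworks,
    }


def scan_runtime_loaders(sources_dir: Path) -> List[Tuple[str, int, str]]:
    """(relative path, line number, API) for each runtime code-loading call in JADX output."""
    hits = []
    for java in sorted(sources_dir.rglob("*.java")):
        for lineno, line in enumerate(java.read_text(errors="replace").splitlines(), 1):
            for m in RUNTIME_LOAD_RE.finditer(line):
                hits.append((java.relative_to(sources_dir).as_posix(), lineno, m.group(1)))
    return hits


def inventory_dir(apk_dir: Path, sources_dir: Optional[Path] = None) -> Dict:
    """Inventory every .apk in a pulled split-APK directory, plus an optional sources scan."""
    report = {"apks": [inventory_apk(p) for p in sorted(apk_dir.glob("*.apk"))]}
    if sources_dir is not None and sources_dir.is_dir():
        report["runtime_loaders"] = scan_runtime_loaders(sources_dir)
    return report


if __name__ == "__main__":
    import json
    import sys
    apk_dir = Path(sys.argv[1])
    src = Path(sys.argv[2]) if len(sys.argv) > 2 else None
    print(json.dumps(inventory_dir(apk_dir, src), indent=2))
```

Run as `python inventory.py /tmp/apks/com.example.app /tmp/jadx/com.example.app/sources`. Each framework entry lists the exact zip entries that matched, so the report can cite them as direct evidence; `runtime_loaders` entries carry `file:line`, which is what the reporting step needs when it states that coverage is partial.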
Step 5: Analyze
Load references only for the requested analysis:
- API extraction, network stacks, hook targets, or feature tracing -> `references/endpoint-extraction.md`
- Manifest, WebView, IPC, storage, crypto, deep links, or Android config review -> `references/security-triage.md`
- Cross-platform path, temp directory, PowerShell, or command-equivalent questions -> `references/cross-platform.md`
Record file paths and line numbers for every claim. Separate direct evidence from inference.
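An added example of the endpoint-extraction fallback with the evidence discipline just described (file path and line number on every claim, direct evidence separated from inference). It is not the bundled `find_static_anchors.py` and is not the content of `references/endpoint-extraction.md`; it scans a JADX `sources/` tree for Retrofit method annotations (`@GET`, `@POST`, ...), absolute `http(s)`/`ws(s)` string literals, and Retrofit `.baseUrl("...")` calls. Absolute literals are labelled DIRECT; a relative Retrofit path is only an INFERRED endpoint once joined to a base URL found elsewhere, and when zero or several base URLs exist the ambiguity is recorded rather than guessed. The `Finding` type and function names are this example's own.

```python
"""Endpoint extraction from a JADX sources/ tree with file:line evidence labels.

Added example, not the bundled find_static_anchors.py. Absolute URL literals are
DIRECT evidence; a relative Retrofit path becomes an INFERRED endpoint only after
it is joined to a base URL literal found in the same sources tree.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional
from urllib.parse import urljoin

RETROFIT_RE = re.compile(r'@(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s*\(\s*(?:value\s*=\s*)?"([^"]*)"')
URL_RE = re.compile(r'"((?:https?|wss?)://[^"\s]+)"')
BASEURL_RE = re.compile(r'\.baseUrl\(\s*"([^"]+)"')


@dataclass
class Finding:
    file: str                        # path relative to sources/
    line: int
    kind: str                        # "retrofit", "url" or "base_url"
    value: str                       # the literal exactly as decompiled
    evidence: str                    # "direct" or "inferred"
    method: Optional[str] = None     # HTTP verb for Retrofit annotations
    resolved: Optional[str] = None   # filled in for inferred endpoints
    note: str = ""


def scan_sources(root: Path) -> List[Finding]:
    findings = []
    for java in sorted(root.rglob("*.java")):
        rel = java.relative_to(root).as_posix()
        for lineno, line in enumerate(java.read_text(errors="replace").splitlines(), 1):
            base = BASEURL_RE.search(line)
            seen = set()
            for m in RETROFIT_RE.finditer(line):
                verb, path = m.group(1), m.group(2)
                absolute = path.startswith(("http://", "https://"))
                if absolute:
                    seen.add(path)
                findings.append(Finding(rel, lineno, "retrofit", path,
                                        "direct" if absolute else "inferred", method=verb))
            for url in URL_RE.findall(line):
                if url in seen:          # already recorded as an absolute Retrofit path
                    continue
                kind = "base_url" if base and base.group(1) == url else "url"
                findings.append(Finding(rel, lineno, kind, url, "direct"))
    return findings


def resolve_endpoints(findings: List[Finding]) -> List[Finding]:
    """Join relative Retrofit paths to the base URL. Retrofit resolves like HttpUrl.resolve():
    a leading "/" replaces the base path, otherwise the path is appended, which is what
    urljoin does for these cases. Zero or several bases are recorded, never guessed."""
    bases = sorted({f.value for f in findings if f.kind == "base_url"})
    for f in findings:
        if f.kind != "retrofit" or f.evidence != "inferred":
            continue
        if len(bases) == 1:
            f.resolved = urljoin(bases[0], f.value)
        elif not bases:
            f.note = "no baseUrl() literal found; base may be built at runtime or held natively"
        else:
            f.note = f"{len(bases)} candidate bases: {', '.join(bases)}"
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding: [EVIDENCE] VERB url  <- file:line (note)."""
    lines = []
    for f in findings:
        shown = f.resolved or f.value
        meth = f" {f.method}" if f.method else ""
        extra = f" ({f.note})" if f.note else ""
        lines.append(f"[{f.evidence.upper()}]{meth} {shown}  <- {f.file}:{f.line}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(resolve_endpoints(scan_sources(Path(sys.argv[1])))))
```

Run as `python endpoints.py /tmp/jadx/com.example.app/sources`. Every line of the output carries a `file:line` anchor; INFERRED lines additionally state what the inference depended on, so a reviewer can check the base-URL literal before treating the joined URL as fact.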
Step 6: Report
Use this table:

| App | Package | APK dir | JADX dir | Apktool dir | Vineflower dir | Status |
| --- | --- | --- | --- | --- | --- | --- |
Mention jadx errors plainly: "exit code 3 means partial decompilation errors; generated sources/resources may still be usable." Do not overstate completeness.