jadx-ai-mcp
JADX-AI-MCP is a plugin for the JADX Android decompiler that integrates with Claude and other LLMs via Model Context Protocol (MCP) to analyze decompiled APK code in real time. It enables vulnerability discovery, code review, and reverse engineering through AI-assisted workflows without leaving the decompiler interface.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | zinja-coder/jadx-ai-mcp |
| Owner | zinja-coder |
| Primary language | Java |
| License | Apache-2.0 — OSI-approved |
| Stars | 2.4k |
| Forks | 229 |
| Open issues | 6 |
| Latest release | v6.4.0 (2026-05-28) |
| Last updated | 2026-05-28 |
| Source | https://github.com/zinja-coder/jadx-ai-mcp |
What jadx-ai-mcp is
A Java plugin for JADX that exposes decompiled Android app context (classes, methods, smali, manifest) via MCP tools, communicating with a companion Python MCP server that LLM clients invoke. Provides ~17 MCP tool endpoints for code retrieval, search, and metadata extraction; requires Java 11+ and Python 3.10+.
Get the jadx-ai-mcp source
Clone the repository and explore it locally.
git clone https://github.com/zinja-coder/jadx-ai-mcp.gitcd jadx-ai-mcp# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires JADX installed and running locally; plugin must be built and placed in JADX plugins directory. Java 11+ is a hard requirement.
- JADX MCP Server (Python 3.10+) must run separately and be configured with LLM client credentials (e.g., Anthropic API key for Claude).
- Large APKs may slow down class listing and search operations; test performance with target app sizes before full deployment.
- Ensure network connectivity between JADX plugin, MCP server, and LLM endpoint; latency will affect interactive analysis experience.
- Team must understand MCP protocol basics and LLM API costs; Claude usage will accumulate with frequent queries over large codebases.
When to avoid it — and what to weigh
- Need out-of-box iOS analysis — JADX-AI-MCP is Android-specific; iOS apps require separate tooling and workflows.
- Offline-only environments — Requires network access to MCP-compatible LLM endpoints (Claude or equivalent); cannot operate in fully air-gapped networks without local model hosting.
- Non-Java/Android tech stacks — If your team does not analyze Android apps or works primarily with iOS, web, or backend systems, this tool offers limited value.
- Fully automated, hands-off scanning — This is an interactive, human-in-the-loop tool; it does not replace standalone SAST scanners for unattended CI/CD pipeline integration.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimer.
Apache-2.0 is a permissive license that explicitly permits commercial use. You may use this tool in commercial security assessments, pentesting firms, and corporate mobile security programs. Attribute the original authors and include a copy of the license. No commercial support or SLA is mentioned in the repository; verify support terms separately if relying on this in a production security workflow.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Strong |
| Assessment confidence | High |
JADX-AI-MCP processes decompiled APK code and sends it to remote LLM endpoints (Claude, etc.). Consider: (1) Sensitive code exposure to third-party LLM services—review data retention and compliance requirements (HIPAA, PCI, GDPR); (2) Plugin runs with JADX process privileges—verify no privilege escalation paths; (3) MCP server exposes HTTP endpoints—secure network access and validate input; (4) No explicit mention of code sanitization or prompt injection mitigations; (5) Ensure LLM API credentials are protected (environment variables, not hardcoded). Conduct threat model review before analyzing proprietary or regulated APKs.
Alternatives to consider
Frida + Custom Scripts + Claude API
Runtime instrumentation instead of static decompilation; offers dynamic behavior analysis but requires target device and lacks JADX's UI ergonomics.
Semgrep + Custom Rules + OpenAI API
Lightweight SAST with LLM integration for pattern-based vuln discovery; simpler deployment but less context-aware than interactive decompiler-LLM fusion.
MobSF (Mobile Security Framework) + Custom Plugins
Standalone comprehensive mobile analysis platform with SAST, dynamic analysis, and reporting; more mature but heavier than JADX-AI-MCP and does not integrate live LLM context.
Build on jadx-ai-mcp with DEV.co software developers
Deploy JADX-AI-MCP in your pentesting workflow today. Review the docs, set up the plugin and MCP server, and start querying decompiled APK code with Claude. Contact us if you need integration support.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
jadx-ai-mcp FAQ
Do I need to modify my LLM subscription or pay extra?
Can I use this offline?
Does this work with iOS apps?
How do I report security issues in APKs I analyze?
Custom software development services
Adopting jadx-ai-mcp is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.
Ready to automate Android security analysis?
Deploy JADX-AI-MCP in your pentesting workflow today. Review the docs, set up the plugin and MCP server, and start querying decompiled APK code with Claude. Contact us if you need integration support.