DEV.co
MCP Servers · zinja-coder

jadx-ai-mcp

JADX-AI-MCP is a plugin for the JADX Android decompiler that integrates with Claude and other LLMs via Model Context Protocol (MCP) to analyze decompiled APK code in real time. It enables vulnerability discovery, code review, and reverse engineering through AI-assisted workflows without leaving the decompiler interface.

Source: GitHub — github.com/zinja-coder/jadx-ai-mcp
2.4k
GitHub stars
229
Forks
Java
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryzinja-coder/jadx-ai-mcp
Ownerzinja-coder
Primary languageJava
LicenseApache-2.0 — OSI-approved
Stars2.4k
Forks229
Open issues6
Latest releasev6.4.0 (2026-05-28)
Last updated2026-05-28
Sourcehttps://github.com/zinja-coder/jadx-ai-mcp

What jadx-ai-mcp is

A Java plugin for JADX that exposes decompiled Android app context (classes, methods, smali, manifest) via MCP tools, communicating with a companion Python MCP server that LLM clients invoke. Provides ~17 MCP tool endpoints for code retrieval, search, and metadata extraction; requires Java 11+ and Python 3.10+.

Quickstart

Get the jadx-ai-mcp source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/zinja-coder/jadx-ai-mcp.gitcd jadx-ai-mcp# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Android Security Assessments

Enable security researchers to query decompiled APK code in real time through Claude, quickly identify permission misuse, insecure API calls, and data flow issues without manual code tracing.

Rapid APK Vulnerability Discovery

Integrate LLM analysis directly into JADX workflow to detect OWASP Mobile Top 10 risks, hardcoded credentials, insecure storage patterns, and network vulnerabilities across large codebases.

Reverse Engineering with AI Assistance

Combine JADX's decompilation with Claude's code comprehension to understand obfuscated logic, rename variables intelligently, and document app behavior during mobile pentesting engagements.

Implementation considerations

  • Requires JADX installed and running locally; plugin must be built and placed in JADX plugins directory. Java 11+ is a hard requirement.
  • JADX MCP Server (Python 3.10+) must run separately and be configured with LLM client credentials (e.g., Anthropic API key for Claude).
  • Large APKs may slow down class listing and search operations; test performance with target app sizes before full deployment.
  • Ensure network connectivity between JADX plugin, MCP server, and LLM endpoint; latency will affect interactive analysis experience.
  • Team must understand MCP protocol basics and LLM API costs; Claude usage will accumulate with frequent queries over large codebases.

When to avoid it — and what to weigh

  • Need out-of-box iOS analysis — JADX-AI-MCP is Android-specific; iOS apps require separate tooling and workflows.
  • Offline-only environments — Requires network access to MCP-compatible LLM endpoints (Claude or equivalent); cannot operate in fully air-gapped networks without local model hosting.
  • Non-Java/Android tech stacks — If your team does not analyze Android apps or works primarily with iOS, web, or backend systems, this tool offers limited value.
  • Fully automated, hands-off scanning — This is an interactive, human-in-the-loop tool; it does not replace standalone SAST scanners for unattended CI/CD pipeline integration.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability disclaimer.

Apache-2.0 is a permissive license that explicitly permits commercial use. You may use this tool in commercial security assessments, pentesting firms, and corporate mobile security programs. Attribute the original authors and include a copy of the license. No commercial support or SLA is mentioned in the repository; verify support terms separately if relying on this in a production security workflow.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

JADX-AI-MCP processes decompiled APK code and sends it to remote LLM endpoints (Claude, etc.). Consider: (1) Sensitive code exposure to third-party LLM services—review data retention and compliance requirements (HIPAA, PCI, GDPR); (2) Plugin runs with JADX process privileges—verify no privilege escalation paths; (3) MCP server exposes HTTP endpoints—secure network access and validate input; (4) No explicit mention of code sanitization or prompt injection mitigations; (5) Ensure LLM API credentials are protected (environment variables, not hardcoded). Conduct threat model review before analyzing proprietary or regulated APKs.

Alternatives to consider

Frida + Custom Scripts + Claude API

Runtime instrumentation instead of static decompilation; offers dynamic behavior analysis but requires target device and lacks JADX's UI ergonomics.

Semgrep + Custom Rules + OpenAI API

Lightweight SAST with LLM integration for pattern-based vuln discovery; simpler deployment but less context-aware than interactive decompiler-LLM fusion.

MobSF (Mobile Security Framework) + Custom Plugins

Standalone comprehensive mobile analysis platform with SAST, dynamic analysis, and reporting; more mature but heavier than JADX-AI-MCP and does not integrate live LLM context.

Software development agency

Build on jadx-ai-mcp with DEV.co software developers

Deploy JADX-AI-MCP in your pentesting workflow today. Review the docs, set up the plugin and MCP server, and start querying decompiled APK code with Claude. Contact us if you need integration support.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

jadx-ai-mcp FAQ

Do I need to modify my LLM subscription or pay extra?
No. JADX-AI-MCP is free (Apache-2.0). You use your existing Claude (or other MCP LLM) API credentials and account; LLM API costs depend on your token usage and LLM provider's pricing.
Can I use this offline?
Not fully. The JADX plugin can run locally, but it requires a live connection to the JADX MCP Server and an LLM endpoint (Claude, etc.). Requires internet access.
Does this work with iOS apps?
No. JADX is Android-specific. iOS reverse engineering requires different tools (Ghidra, Hopper, IDA, etc.).
How do I report security issues in APKs I analyze?
JADX-AI-MCP is a tool; how you handle findings is your responsibility. Use standard responsible disclosure practices with the app vendor. Ensure compliance with laws and the app's terms of service.

Custom software development services

Adopting jadx-ai-mcp is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.

Ready to automate Android security analysis?

Deploy JADX-AI-MCP in your pentesting workflow today. Review the docs, set up the plugin and MCP server, and start querying decompiled APK code with Claude. Contact us if you need integration support.