DEV.co
MCP Servers · zinja-coder

jadx-mcp-server

JADX-MCP-Server is a Python-based Model Context Protocol server that bridges Android reverse engineering tools (JADX decompiler) with large language models like Claude. It enables AI-assisted analysis of Android APKs, including decompilation, vulnerability detection, and manifest parsing.

Source: GitHub — github.com/zinja-coder/jadx-mcp-server
690
GitHub stars
112
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryzinja-coder/jadx-mcp-server
Ownerzinja-coder
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars690
Forks112
Open issues3
Latest releaseUnknown
Last updated2026-05-28
Sourcehttps://github.com/zinja-coder/jadx-mcp-server

What jadx-mcp-server is

An MCP server implementation in Python that exposes 20+ tools for querying a modified JADX-GUI instance over HTTP, including class/method extraction, smali bytecode retrieval, manifest parsing, and resource file access. Requires a corresponding JADX-AI-MCP plugin running locally to function.

Quickstart

Get the jadx-mcp-server source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/zinja-coder/jadx-mcp-server.gitcd jadx-mcp-server# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AI-Assisted Android Security Audits

Streamline APK vulnerability discovery by having Claude analyze decompiled code in real-time context, reducing manual code review time for security assessments.

Reverse Engineering Workflow Automation

Automate repetitive decompilation tasks, method searches, and bytecode inspection for large Android applications without manual JADX navigation.

Interactive Code Analysis with LLM Agents

Enable multi-agent security analysis pipelines where Claude agents collaboratively examine class hierarchies, manifest configurations, and resource usage patterns.

Implementation considerations

  • Requires Python 3.10+ runtime and active JADX-GUI instance with JADX-AI-MCP plugin; deployment is multi-component and not single-binary.
  • MCP server communicates over HTTP with the plugin; network latency between components may affect LLM response time in interactive workflows.
  • No authentication/authorization mechanism documented; suitable only for local development or trusted environments, not production-facing services.
  • Tool output quality depends on JADX decompilation accuracy; heavily obfuscated or packed APKs may return unintelligible class names and method signatures.
  • Data retention and caching strategy unknown; verify what APK context is stored in memory or on disk during analysis sessions.

When to avoid it — and what to weigh

  • No Local JADX Setup Required — This server requires JADX-GUI and JADX-AI-MCP plugin already running locally; it cannot work standalone or as a cloud SaaS solution.
  • Analyzing Non-Android Binaries — The tool is Android-specific; it cannot analyze iOS, web, or other binary formats outside the Android ecosystem.
  • Offline or Air-Gapped Environments — Requires active HTTP communication between the MCP server and JADX plugin; incompatible with fully disconnected networks.
  • Closed-Source APKs Without Decompilation — Only useful if the target APK can be legally decompiled and analyzed; encrypted, obfuscated, or proprietary APKs may yield limited insights.

License & commercial use

Licensed under Apache License 2.0, a permissive OSI-approved license allowing modification, distribution, and commercial use with attribution and liability disclaimers.

Apache 2.0 permits commercial use without runtime licensing fees or approval. However, verify that your use case does not involve distributing proprietary APK analysis or bypassing app protections in violation of local law or terms of service. The license covers the server tool itself, not the legality of analyzing third-party software.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationLimited
License clarityClear
Deployment complexityHigh
DEV.co fitPossible
Assessment confidenceMedium
Security considerations

No authentication or encryption documented between MCP server and JADX plugin; sensitive APK analysis occurs over plaintext HTTP. Running on localhost mitigates remote exposure but does not address local privilege escalation risks. APK decompilation inherently involves reverse engineering; verify legal compliance for your jurisdiction and target applications. No security audit, vulnerability disclosure policy, or dependency scanning results are provided.

Alternatives to consider

Frida + LLM Integration

Dynamic instrumentation alternative for runtime APK analysis; does not require offline decompilation but is better suited for behavioral analysis than static code review.

Androguard + Custom MCP Wrapper

Pure Python Android analysis library; could be wrapped as an MCP server without JADX dependency, though decompilation quality may differ.

Manual JADX-GUI + Claude Context Window

Simpler alternative: copy decompiled code manually into Claude; eliminates integration complexity but sacrifices automation and real-time context updates.

Software development agency

Build on jadx-mcp-server with DEV.co software developers

Devco can help architect, integrate, and maintain a secure JADX-MCP pipeline tailored to your mobile security audit workflow. Contact us for a consultation.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

jadx-mcp-server FAQ

Do I need to install JADX separately?
Yes. This server acts as a bridge to JADX-GUI; you must separately install JADX and the JADX-AI-MCP plugin. The server alone does not include decompilation capability.
Can I use this with ChatGPT or other LLMs besides Claude?
The MCP protocol is Claude-native. Support for other LLM clients is not documented. You may need custom integration work or a separate MCP client implementation.
Is this tool suitable for analyzing APKs from the Google Play Store?
Technically possible but legally risky without explicit permission. Reverse engineering third-party apps may violate terms of service, copyright law, or anti-circumvention regulations. Consult legal counsel before analyzing proprietary applications.
What happens if JADX-GUI crashes during analysis?
The MCP server will fail to retrieve results. No fallback, caching, or graceful degradation mechanism is documented. Manual restart of JADX-GUI and the server is required.

Software development & web development with DEV.co

Need help beyond evaluating jadx-mcp-server? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and mcp servers integrations — and maintain them long-term.

Need AI-Assisted Android Security Analysis?

Devco can help architect, integrate, and maintain a secure JADX-MCP pipeline tailored to your mobile security audit workflow. Contact us for a consultation.