jadx-mcp-server
JADX-MCP-Server is a Python-based Model Context Protocol server that bridges Android reverse engineering tools (JADX decompiler) with large language models like Claude. It enables AI-assisted analysis of Android APKs, including decompilation, vulnerability detection, and manifest parsing.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | zinja-coder/jadx-mcp-server |
| Owner | zinja-coder |
| Primary language | Python |
| License | Apache-2.0 — OSI-approved |
| Stars | 690 |
| Forks | 112 |
| Open issues | 3 |
| Latest release | Unknown |
| Last updated | 2026-05-28 |
| Source | https://github.com/zinja-coder/jadx-mcp-server |
What jadx-mcp-server is
An MCP server implementation in Python that exposes 20+ tools for querying a modified JADX-GUI instance over HTTP, including class/method extraction, smali bytecode retrieval, manifest parsing, and resource file access. Requires a corresponding JADX-AI-MCP plugin running locally to function.
Get the jadx-mcp-server source
Clone the repository and explore it locally.
git clone https://github.com/zinja-coder/jadx-mcp-server.gitcd jadx-mcp-server# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Python 3.10+ runtime and active JADX-GUI instance with JADX-AI-MCP plugin; deployment is multi-component and not single-binary.
- MCP server communicates over HTTP with the plugin; network latency between components may affect LLM response time in interactive workflows.
- No authentication/authorization mechanism documented; suitable only for local development or trusted environments, not production-facing services.
- Tool output quality depends on JADX decompilation accuracy; heavily obfuscated or packed APKs may return unintelligible class names and method signatures.
- Data retention and caching strategy unknown; verify what APK context is stored in memory or on disk during analysis sessions.
When to avoid it — and what to weigh
- No Local JADX Setup Required — This server requires JADX-GUI and JADX-AI-MCP plugin already running locally; it cannot work standalone or as a cloud SaaS solution.
- Analyzing Non-Android Binaries — The tool is Android-specific; it cannot analyze iOS, web, or other binary formats outside the Android ecosystem.
- Offline or Air-Gapped Environments — Requires active HTTP communication between the MCP server and JADX plugin; incompatible with fully disconnected networks.
- Closed-Source APKs Without Decompilation — Only useful if the target APK can be legally decompiled and analyzed; encrypted, obfuscated, or proprietary APKs may yield limited insights.
License & commercial use
Licensed under Apache License 2.0, a permissive OSI-approved license allowing modification, distribution, and commercial use with attribution and liability disclaimers.
Apache 2.0 permits commercial use without runtime licensing fees or approval. However, verify that your use case does not involve distributing proprietary APK analysis or bypassing app protections in violation of local law or terms of service. The license covers the server tool itself, not the legality of analyzing third-party software.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Limited |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Possible |
| Assessment confidence | Medium |
No authentication or encryption documented between MCP server and JADX plugin; sensitive APK analysis occurs over plaintext HTTP. Running on localhost mitigates remote exposure but does not address local privilege escalation risks. APK decompilation inherently involves reverse engineering; verify legal compliance for your jurisdiction and target applications. No security audit, vulnerability disclosure policy, or dependency scanning results are provided.
Alternatives to consider
Frida + LLM Integration
Dynamic instrumentation alternative for runtime APK analysis; does not require offline decompilation but is better suited for behavioral analysis than static code review.
Androguard + Custom MCP Wrapper
Pure Python Android analysis library; could be wrapped as an MCP server without JADX dependency, though decompilation quality may differ.
Manual JADX-GUI + Claude Context Window
Simpler alternative: copy decompiled code manually into Claude; eliminates integration complexity but sacrifices automation and real-time context updates.
Build on jadx-mcp-server with DEV.co software developers
Devco can help architect, integrate, and maintain a secure JADX-MCP pipeline tailored to your mobile security audit workflow. Contact us for a consultation.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
jadx-mcp-server FAQ
Do I need to install JADX separately?
Can I use this with ChatGPT or other LLMs besides Claude?
Is this tool suitable for analyzing APKs from the Google Play Store?
What happens if JADX-GUI crashes during analysis?
Software development & web development with DEV.co
Need help beyond evaluating jadx-mcp-server? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and mcp servers integrations — and maintain them long-term.
Need AI-Assisted Android Security Analysis?
Devco can help architect, integrate, and maintain a secure JADX-MCP pipeline tailored to your mobile security audit workflow. Contact us for a consultation.