apktool-mcp-server: Fully Automated MCP Server Analyzes APKs with LLMs Like Claude

Fully automated MCP server built on top of apktool to analyze Android APKs using LLMs like Claude — uncover vulnerabilities, parse manifests, and reverse engineer effortlessly.

apktool-mcp-server is a MCP server for the Apk Tool that integrates directly with Model Context Protocol (MCP) to provide live reverse engineering support with LLMs like Claude.

Think: “Decompile → Context-Aware Code Review → AI Recommendations” — all in real time.

Current MCP Tools

The following MCP tools are available:

• build_apk() — Build an APK from a decoded APKTool Project.
• get_manifest() — Get the AndroidManifest.xml content from a decoded APK project.
• get_apktool_yml() — Get apktool.yml information from a decoded APK project.
• list_smali_directories() — List all smali directories in a project.
• list_smali_files() — List smali files in a specific smali directory, optinally filtered by package prefix.
• get_smali_file() — Get content of a specific smali file by class name.
• modify_smali_file() — Modify the content of a specific smali file.
• list_resources() — List resources in a project, optionally filtered by resource type.
• get_resource_file() — Get Content of a specific resource file.
• modify_resource_file() — Modify the content of a specific resource file.
• search_in_file() — Search for a pattern in files with specified extensions.
• clean_project() — Clean a project directory to prepare for rebuilding.
• decode_apk() — Decode an APK file using APKTool, extracting resources and smali code.

• “List all smali directories for the dvac project.”
• “Show me all the smali files under the package prefix com.vulnerable.component in the dvac project.”
• “Get the smali code for the class com.vulnerable.component.MainActivity.”
• “Compare MainActivity.smali with its previous version and show differences.”
• “Search for usage of startActivity in smali files of dvac project.”

• “Analyze declared permissions in the dvac AndroidManifest.xml and flag dangerous ones.”
• “Search for hardcoded URLs or IPs in all .xml and .smali files in the project.”
• “Find all uses of PendingIntent.getActivity in smali files.”
• “Check for exported activities or receivers in dvac’s AndroidManifest.xml.”
• “List all smali files that access android.permission.SEND_SMS or READ_CONTACTS.”

• “Decode this APK: dvac.apk and create a project called dvac.”
• “Create a new APKTool project called test-harness.”
• “Clean the dvac project before rebuild.”
• “Extract DEX files from dvac project for external analysis.”
• “Modify MainActivity.smali to insert a log line at the beginning of onCreate().”

• “Get the complete AndroidManifest.xml from dvac project.”
• “Show the contents of apktool.yml for the dvac project.”
• “List all resource files of type layout.”
• “Search for the word password in all resource and smali files.”
• “Check which permissions are used and compare them against typical over-permissioning risks.”

• “Modify the onCreate() method in MainActivity.smali to add a toast message.”
• “Replace all http:// links with https:// in strings.xml.”
• “Add the android:exported=false attribute to all activities in the AndroidManifest.xml.”
• “Patch the method validateLogin in LoginManager.smali to always return true.”
• “Add logging statements to every method in MainActivity.smali.”

• “List all decoded APKTool projects in the workspace.”
• “Show me the apktool.yml config to review the version, original APK metadata, and compression settings.”
• “Get all available Android devices connected via ADB. (To be migrated to ADB MCP Server.)”
• “Get metadata about the project dvac from its apktool.yml.”
• “Check which APKTool version is currently installed on the server.”

Install