Areclaw
Android Reverse Engineering Command-Line Automation Workspace. AI-driven security analysis with Claude Code.
areclaw
Android Reverse Engineering Command-Line Automation Workspace.
Self-contained environment for Android application security analysis: decompilation, traffic interception, dynamic instrumentation, secret scanning, and API discovery. Powered by Claude Code as the AI-driven orchestrator.
Quick Start
# 1. Install all tools (~1.5 GB, requires Java 17+, Python 3.10+)
python scripts/install.py
# 2. Set up environment (each shell session)
source scripts/setup-env.sh
# 3. Analyze an app
# via Claude Code agent:
claude /analyze-apk com.example.app
# or manually:
jadx -d workspace/output/com.example.app --deobf workspace/samples/app.apk
Platform
Developed and tested on Windows 10/11 with Git Bash. Linux and WSL are supported but less tested. The automated installer (install.py) downloads Windows binaries — Linux users will need to adjust tool downloads manually.
Requirements
- OS: Windows 10/11 with Git Bash (ships with Git for Windows)
- Java: 17+ (for jadx, apktool, Ghidra, deobfuscators)
- Python: 3.10+ with pip
- Android SDK: adb, aapt2 (see setup below)
- Device or emulator: rooted for Frida, traffic interception, runtime analysis
- Git: for narumii-deobfuscator build from source
- Disk: ~2 GB for tools + workspace
Android SDK Setup
Install Android Studio and use SDK Manager to install:
- SDK Platform-Tools (provides adb)
- SDK Build-Tools (provides aapt2)
Set the environment variable so tools can find the SDK:
# Windows (Git Bash) — typically:
export ANDROID_HOME="$HOME/AppData/Local/Android/Sdk"
# Linux:
export ANDROID_HOME="$HOME/Android/Sdk"
setup-env.sh auto-detects the SDK location from ANDROID_HOME or standard paths.
Using an Emulator
Android Studio includes an emulator (AVD Manager). For security research, use a Google APIs system image (not Google Play — those are locked down):
# Create AVD via Android Studio: Tools → Device Manager → Create Device
# Choose a device, select "Google APIs" system image (API 34+)
# Or via command line:
sdkmanager "system-images;android-34;google_apis;x86_64"
avdmanager create avd -n test_device -k "system-images;android-34;google_apis;x86_64"
emulator -avd test_device -writable-system
For Frida on emulator — root access is available by default on Google APIs images:
adb root
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server -D &
Note: Some apps detect emulators. For these, a physical rooted device is recommended.
Architecture
areclaw/
├── scripts/
│ ├── install.py # Automated installer & updater (14 tools + 21 pip packages)
│ └── setup-env.sh # PATH configuration (auto-detects Git Bash / WSL / Linux)
├── pytools/
│ ├── ui_explorer.py # UIAutomator-based device interaction
│ ├── traffic_to_collection.py # Frida logs / HAR -> Postman collection
│ └── check_updates.py # Version checker for all tools
├── workspace/
│ ├── frida-scripts/ # 15 Frida instrumentation scripts
│ ├── samples/ # APK files
│ ├── output/ # Decompiled source (per-package)
│ ├── reports/ # Analysis reports (markdown)
│ ├── traffic/ # Intercepted HTTP traffic
│ ├── collections/ # Postman / OpenAPI collections
│ ├── credentials/ # Test account data
│ └── patches/ # Modified / repackaged APKs
├── tools/ # Binaries (downloaded by install.py)
├── .claude/
│ ├── agents/android-reverser.md # AI agent prompt (1000+ lines)
│ └── skills/ # 5 automation skills
├── CLAUDE.md # Project instructions for Claude Code
└── .tool_versions.json # Installed version tracking
Tools
Standalone (downloaded by install.py)
| Tool | Purpose |
|------|---------|
| jadx | DEX/APK -> Java decompiler |
| apktool | APK disassembly / rebuild (smali, resources, manifest) |
| dex2jar | DEX -> JAR converter |
| Ghidra | Native binary (ARM/ARM64 .so) reverse engineering |
| radare2 | Binary analysis, disassembly, scripting |
| uber-apk-signer | APK signing (debug & release) |
| apk.sh | Pull APKs, inject Frida gadget, patch |
| Il2CppDumper | Unity IL2CPP metadata extraction |
| trufflehog | Secret scanner (800+ detectors, live validation) |
| java-deobfuscator | Java bytecode deobfuscation |
| threadtear | Java deobfuscation (ZKM, Stringer, Allatori, etc.) |
| simplify | Android deobfuscation via virtual execution |
| narumii | Modern Java deobfuscator (built from source) |
| phantom-frida | Stealth Frida server (anti-detection bypass) |
Pip packages (21)
frida-tools, objection, mitmproxy, androguard, apkid, lxml, requests, sosaver, clsdumper, jnitrace, fridump3, r2pipe, capstone, unicorn, mitmproxy2swagger, apkleaks, lief, triton-library, androidemu, justapk, tema
Python libraries
import lief # Parse/modify ELF, DEX, OAT, VDEX
import capstone # ARM/AArch64 disassembly
import unicorn # CPU emulation (ARM64)
import r2pipe # radare2 scripting
from triton import * # Symbolic execution (ARM deobfuscation)
from androidemu.emulator import Emulator # Android .so emulation (ARM32 JNI)
Frida Scripts
15 ready-to-use scripts for dynamic instrumentation on rooted devices:
| Script | Purpose |
|--------|---------|
| ssl-bypass.js | Universal SSL pinning bypass (OkHttp, Conscrypt, TrustManager, network_security_config) |
| root-bypass.js | Root detection bypass (RootBeer, file checks, shell, props, native) |
| anti-frida-bypass.js | Multi-layer anti-Frida evasion (maps, ports, strings, threads, ptrace) |
| http-logger.js | HTTP request/response logging (OkHttp, HttpURLConnection, WebView) |
| api-tracer.js | Retrofit interface discovery (endpoints, methods, annotations) |
| crypto-tracer.js | Cipher, MessageDigest, Mac, SecretKey operation tracing |
| enum-classes.js | List all loaded classes with framework filtering |
| shared-prefs-monitor.js | SharedPreferences read/write monitor |
| intent-monitor.js | Activity, Broadcast, Service intent monitor |
| dex-loader-monitor.js | Runtime DEX/SO loading detection + auto-dump |
| reflection-tracer.js | Reflection call tracing (Class.forName, Method.invoke, Proxy) |
| webview-interceptor.js | JS bridge monitoring, URL interception, security audit |
| stalker-tracer.js | Native instruction tracing via Frida Stalker (ARM64) |
| stacktrace-helper.js | Cross-thread stack trace linking (Thread, Executor, Coroutines) |
| hook-template.js | Customizable method hook template |
Usage:
frida -U -f com.example.app -l workspace/frida-scripts/ssl-bypass.js
# Combine multiple scripts:
frida -U -f com.example.app \
-l workspace/frida-scripts/ssl-bypass.js \
-l workspace/frida-scripts/http-logger.js
Claude Code Integration
Agent
The android-reverser agent provides an intelligent analysis session with decision frameworks, search patterns, and OWASP guidance:
claude /agent android-reverser
Skills
| Command | Description |
|---------|-------------|
| /analyze-apk <pkg> | Full 5-phase security analysis (static + dynamic) -> markdown report |
| /find-api <pkg> | API endpoint discovery -> documentation + Postman collection |
| /intercept <pkg> | Smart traffic interception (auto-adapts to pinning type) |
| /register <pkg> | Automated account registration with temporary email |
| /compare-versions <old> <new> | Diff permissions, APIs, security, code changes between APK versions |
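The permission and exported-component part of a version comparison, shown as an added example rather than the project's own /compare-versions implementation. It assumes the two manifests have already been extracted in plain XML form (for example by apktool) and compares uses-permission entries and externally reachable components; the two manifests embedded below are constructed samples.

```python
"""Diff the security-relevant parts of two AndroidManifest.xml files.

Added example, not areclaw's own code. Input: decoded manifest XML for the
old and new APK (e.g. from apktool). Output: permissions added/removed and
exported components added/removed between the two versions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:<name> attribute, which ElementTree stores namespaced."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def permissions(manifest_xml: str) -> set[str]:
    root = ET.fromstring(manifest_xml)
    return {_attr(e, "name") for tag in PERMISSION_TAGS for e in root.iter(tag)}


def exported_components(manifest_xml: str) -> set[str]:
    """Components other apps can reach: android:exported="true", or a
    component that declares an intent-filter without an explicit exported
    attribute (implicitly exported before Android 12 made it mandatory)."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                found.add(f"{tag}:{_attr(comp, 'name')}")
    return found


def diff_manifests(old_xml: str, new_xml: str) -> dict:
    old_p, new_p = permissions(old_xml), permissions(new_xml)
    old_c, new_c = exported_components(old_xml), exported_components(new_xml)
    return {
        "permissions_added": sorted(new_p - old_p),
        "permissions_removed": sorted(old_p - new_p),
        "exported_added": sorted(new_c - old_c),
        "exported_removed": sorted(old_c - new_c),
    }


# Constructed sample manifests (not from a real app).
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name="com.example.app.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.app.SyncService" android:exported="false"/>
  </application>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name="com.example.app.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.example.app.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.app.SyncService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, values in diff_manifests(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {values}")
```

The implicit-export rule matters in reviews: a receiver that gains an intent-filter with no exported attribute is reachable from other apps on API levels below 31, so it appears in exported_added even though nothing in the manifest says "exported".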
Common Workflows
Download & decompile
justapk download com.example.app -o workspace/samples/
jadx -d workspace/output/com.example.app --deobf workspace/samples/com.example.app.apk
Secret scanning
# Static (decompiled source)
trufflehog filesystem workspace/output/com.example.app/ --json
apkleaks -f workspace/samples/app.apk --json -o workspace/reports/secrets.json
# Dynamic (runtime crypto)
frida -U -f com.example.app -l workspace/frida-scripts/crypto-tracer.js
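What a static secret scan over decompiled output actually does, as an added example (not trufflehog, apkleaks or any areclaw code): fixed-format patterns for well-known key types plus a Shannon-entropy test on generic "secret"/"token"/"key" assignments in Java source and strings.xml. The file contents below are constructed; the AWS value is the placeholder key from AWS documentation and the Google-style value only has the right prefix and length.

```python
"""Lightweight hardcoded-secret scanner for decompiled source and resources.

Added example, not areclaw's own code and not a replacement for trufflehog
or apkleaks. It combines the two strategies those tools use: regexes for
well-known key formats and an entropy test for generic secret-like
assignments. Sample files are constructed in-line for the demo.
"""
import math
import re
from dataclasses import dataclass

# Well-known key formats (fixed prefix and length).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Java/Kotlin assignment whose name contains a secret-ish word and whose value
# is a quoted literal of 16+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r'(?i)(?P<name>[\w.]*(?:secret|token|password|api_?key)[\w.]*)\s*=\s*"(?P<value>[^"\s]{16,})"'
)
# res/values/strings.xml entry with a secret-ish resource name.
STRINGS_XML_ENTRY = re.compile(
    r'(?i)<string name="(?P<name>[^"]*(?:secret|token|password|api_?key)[^"]*)">(?P<value>[^<\s]{16,})</string>'
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit around 4-5, words around 3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    name: str          # variable / resource name, empty for pattern hits
    masked_value: str  # never report the full secret in the output


def _mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in KNOWN_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, "", _mask(m.group(0))))
        for rx in (GENERIC_ASSIGNMENT, STRINGS_XML_ENTRY):
            for m in rx.finditer(line):
                value = m.group("value")
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "high_entropy_secret",
                                            m.group("name"), _mask(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (a directory walk would feed this)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed samples: AWS documentation placeholder key; Google-style value
# with the right prefix/length only; one random-looking secret; one low-entropy
# default that the entropy test should ignore.
GOOGLE_LIKE_KEY = "AIzaSyA" + "Q" * 32
SAMPLE_FILES = {
    "workspace/output/com.example.app/sources/com/example/app/Config.java": (
        "package com.example.app;\n"
        "public final class Config {\n"
        '    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        '    static final String apiSecret = "Qm7xPz2LtV9kRw4NhJ8bYc3Fs6GdA1Me";\n'
        '    static final String defaultPassword = "change_me_please";\n'
        '    static final String BASE_URL = "https://api.example.com/v1";\n'
        "}\n"
    ),
    "workspace/output/com.example.app/resources/res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">Example</string>\n'
        '    <string name="maps_api_key">' + GOOGLE_LIKE_KEY + "</string>\n"
        "</resources>\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.kind}] {f.name} {f.masked_value}")
```

Two points the sample makes: the Google-style value is reported once, by the format pattern, because its low entropy keeps the generic rule quiet; and "change_me_please" is skipped despite its name, which is the false-positive class the entropy threshold exists for. Findings carry only a masked value so the report itself does not become a second copy of the secret.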
Traffic interception
frida -U -f com.example.app \
-l workspace/frida-scripts/ssl-bypass.js \
-l workspace/frida-scripts/http-logger.js
# Convert logs to Postman collection
python pytools/traffic_to_collection.py frida workspace/traffic/app-traffic.json
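The HAR side of that conversion, as an added example and not areclaw's pytools/traffic_to_collection.py: it assumes a HAR 1.2 capture (as written by mitmproxy or a browser), groups requests into one folder per host, drops repeats of the same method and path, and replaces credential headers with Postman variables so the collection can be checked into workspace/collections/ without carrying live session tokens. The HAR below is constructed.

```python
"""Convert captured HTTP traffic (HAR 1.2) into a Postman Collection v2.1.

Added example, not areclaw's pytools/traffic_to_collection.py. Assumes HAR
input; emits a collection with one folder per host, de-duplicated by
method + host + path, with Authorization/Cookie/X-Api-Key values swapped
for Postman variables.
"""
import json
from urllib.parse import urlsplit

SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
POSTMAN_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"


def _header_value(name: str, value: str) -> str:
    """Replace credential header values with a {{variable}} reference."""
    if name.lower() in SENSITIVE_HEADERS:
        return "{{" + name.lower().replace("-", "_") + "}}"
    return value


def har_entry_to_item(entry: dict) -> dict:
    req = entry["request"]
    parts = urlsplit(req["url"])
    item = {
        "name": f"{req['method']} {parts.path}",
        "request": {
            "method": req["method"],
            "header": [{"key": h["name"], "value": _header_value(h["name"], h["value"])}
                       for h in req.get("headers", [])],
            "url": {
                "raw": req["url"],
                "protocol": parts.scheme,
                "host": parts.hostname.split("."),
                "path": [p for p in parts.path.split("/") if p],
                "query": [{"key": q["name"], "value": q["value"]}
                          for q in req.get("queryString", [])],
            },
        },
    }
    post = req.get("postData")
    if post and "text" in post:
        language = "json" if "json" in post.get("mimeType", "") else "text"
        item["request"]["body"] = {
            "mode": "raw",
            "raw": post["text"],
            "options": {"raw": {"language": language}},
        }
    return item


def har_to_collection(har: dict, name: str) -> dict:
    folders: dict[str, dict] = {}
    seen = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        key = (req["method"], parts.hostname, parts.path)
        if key in seen:
            continue  # same endpoint captured twice; keep the first occurrence
        seen.add(key)
        folder = folders.setdefault(parts.hostname, {"name": parts.hostname, "item": []})
        folder["item"].append(har_entry_to_item(entry))
    return {"info": {"name": name, "schema": POSTMAN_SCHEMA}, "item": list(folders.values())}


# Constructed HAR capture (not real traffic).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users/me?fields=id",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed-token"}],
                 "queryString": [{"name": "fields", "value": "id"}]}},
    {"request": {"method": "POST", "url": "https://api.example.com/v1/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"user":"demo","password":"demo"}'}}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/users/me",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed-token"}],
                 "queryString": []}},
    {"request": {"method": "GET", "url": "https://cdn.example.com/assets/logo.png",
                 "headers": [], "queryString": []}},
]}}

if __name__ == "__main__":
    print(json.dumps(har_to_collection(SAMPLE_HAR, "com.example.app"), indent=2))
```

Request bodies are kept verbatim because they are what the API documentation needs; if a capture contains real credentials in a login body, scrub them before the collection leaves the workspace, the same way the headers are handled here.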
Stealth Frida (anti-detection apps)
# Read server name and port from build-info.json
cat tools/phantom-frida/build-info.json
# Deploy and connect
adb push tools/phantom-frida/<name>-server /data/local/tmp/<name>-server
adb shell chmod 755 /data/local/tmp/<name>-server
adb shell /data/local/tmp/<name>-server -D &
adb forward tcp:<port> tcp:<port>
frida -H 127.0.0.1:<port> -f com.example.app -l workspace/frida-scripts/ssl-bypass.js
Modify & resign APK
java -jar tools/apktool/apktool.jar d app.apk -o workspace/patches/app-smali
# ... edit smali/resources ...
java -jar tools/apktool/apktool.jar b workspace/patches/app-smali -o workspace/patches/modified.apk
java -jar tools/uber-apk-signer/uber-apk-signer.jar -a workspace/patches/modified.apk
