One command. Full Android security audit.
A Claude Code plugin that tears apart APKs so you don't have to.
/apk-audit that Israeli parking app
That's it. Claude finds the app on Google Play, downloads the APK, decompiles it, maps every API endpoint, traces the auth flow, identifies what's callable without a token, writes PoC scripts to prove it, and hands you a structured security report.
| Phase | What happens |
|---|---|
| 0. Resolve | Describe the app in plain English — Claude searches Google Play and finds the package name |
| 1. Download | Fetches the APK via apkeep |
| 2. Decompile | Runs jadx via the android-reverse-engineering-skill (bundled as submodule) |
| 3. Analyze | Parallel agents extract API endpoints, auth mechanisms, SSL pinning, third-party SDKs |
| 4. Unauth scan | Identifies endpoints callable without authentication — the money shot |
| 5. Live test | Generates and runs Python PoC scripts to confirm findings |
| 6. Report | Produces a severity-rated markdown report |
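Phases 3 and 4 are what the rest of the audit hangs on: the endpoint map decides what gets probed, and the "no token needed" list decides what the PoCs target. The Python below is an added illustration for this README, not code from the bejir plugin or its bundled skill. It walks a dict of decompiled Java sources keyed by file path (SAMPLE_SOURCES is a constructed Retrofit interface and BuildConfig, not taken from any real app), pulls out each Retrofit route and every hard-coded URL, and marks routes whose interface declares no `@Header("Authorization")` parameter as candidates for the unauthenticated scan. The function names, the regexes and the sample sources are assumptions of this example.

```python
"""Static endpoint map over jadx output: Retrofit routes plus hard-coded URLs.

Added example for this README (not bejir's own code). SAMPLE_SOURCES is a
constructed stand-in for the sources/ tree jadx writes, keyed by file path.
"""
import re
from dataclasses import dataclass

SAMPLE_SOURCES = {
    "com/example/app/net/ApiService.java": """
        public interface ApiService {
            @GET("v1/parking/zones")
            Call<List<Zone>> zones(@Query("city") String city);

            @POST("v1/auth/login")
            Call<Token> login(@Body LoginRequest body);

            @GET("v1/users/{id}/vehicles")
            Call<List<Vehicle>> vehicles(@Header("Authorization") String token,
                                         @Path("id") String id);

            @Headers("Content-Type: application/json")
            @DELETE("v1/vehicles/{id}")
            Call<Void> removeVehicle(@Header("Authorization") String token,
                                     @Path("id") String id);
        }
    """,
    "com/example/app/BuildConfig.java": """
        public final class BuildConfig {
            public static final String BASE_URL = "https://api.example.com/";
            public static final String LEGACY_URL = "http://legacy.example.com/v0/";
        }
    """,
}

# @GET("path") ... returnType name(params);  -- the lookbehind stops the
# method-name group from latching onto an annotation such as @Headers(...)
RETROFIT_RE = re.compile(
    r'@(GET|POST|PUT|DELETE|PATCH|HEAD)\(\s*"([^"]*)"\s*\)'
    r'([^;]*?)(?<![@\w])(\w+)\s*\((.*?)\)\s*;',
    re.S,
)
AUTH_PARAM_RE = re.compile(r'@Header\(\s*"Authorization"\s*\)', re.I)
URL_RE = re.compile(r'"(https?://[^"\s]+)"')


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    java_method: str
    declares_auth: bool   # interface takes an @Header("Authorization") parameter
    source: str


def extract_retrofit_endpoints(sources):
    """Retrofit annotations survive R8 renaming, so they are reliable anchors."""
    found = []
    for file, text in sources.items():
        for m in RETROFIT_RE.finditer(text):
            verb, route, _, name, params = m.groups()
            found.append(Endpoint(verb, route, name,
                                  bool(AUTH_PARAM_RE.search(params)), file))
    return found


def extract_url_literals(sources):
    """Absolute URLs in string literals; cleartext http:// ones are a finding."""
    return [(m.group(1), file)
            for file, text in sources.items()
            for m in URL_RE.finditer(text)]


def unauth_candidates(endpoints):
    """Routes whose interface declares no Authorization parameter.

    A static hint only: an OkHttp interceptor may add the header to every
    call, so each candidate still needs the live probe before it is reported.
    """
    return [e for e in endpoints if not e.declares_auth]


def endpoint_map(sources):
    eps = extract_retrofit_endpoints(sources)
    urls = extract_url_literals(sources)
    return {
        "endpoints": eps,
        "unauth_candidates": unauth_candidates(eps),
        "base_urls": [u for u, _ in urls],
        "cleartext_urls": [u for u, _ in urls if u.startswith("http://")],
    }


if __name__ == "__main__":
    report = endpoint_map(SAMPLE_SOURCES)
    for e in report["endpoints"]:
        flag = "auth" if e.declares_auth else "NO-AUTH-PARAM"
        print(f"{e.method:6} {e.path:28} {flag}  ({e.source})")
    print("cleartext:", report["cleartext_urls"])
```

Relative paths built with string concatenation (`"%s/v1/receipts/" + id`) are not caught by URL_RE; that is the case where the string-literal anchors and the Hermes/JS bundle passes listed further down earn their keep.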
Marketplace:
/plugin marketplace add siabdularif/bejir
Manual:
git clone --recurse-submodules git@github.com:siabdularif/bejir.git
/plugin add /path/to/apkre
Pass anything — a description, a package name, or a file path:
/apk-audit that food delivery app everyone uses in Israel
/apk-audit com.example.app
/apk-audit ./downloads/com.example.app.xapk

Output:
./
├── myapp/
│   ├── com.example.app.xapk          # Downloaded APK
│   ├── myapp_report.md               # Security audit report
│   ├── anon_probe.py                 # PoC: unauthenticated endpoint tests
│   ├── anon_login.py                 # PoC: anonymous session creation
│   └── ...
└── com.example.app-decompiled/       # Full decompiled source
    └── com.example.app/
        ├── resources/
        │   └── AndroidManifest.xml
        └── sources/                  # Java/Kotlin source
The report includes: app metadata, full endpoint map, unauthenticated endpoints with risk ratings, auth flow analysis, SSL pinning status, third-party SDK inventory, live test results, and prioritized recommendations.
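The live test results in the report come from PoCs of the anon_probe.py kind. To show what such a script has to do, here is an added example, not the plugin's generated code: it sends each mapped (method, route) pair with no credentials, substitutes a placeholder for `{id}`-style path parameters, and classifies the status code, separating "served without a token" from "protected" and from "wrong path", which says nothing about auth. It runs against a constructed in-process mock backend so it can be tried offline; the mock's routes, the `probe`/`scan` names, the User-Agent string and the verdict labels are assumptions of this example. Point it at a real base URL only for targets you are authorized to test.

```python
"""Live check for phase 5: call each mapped route with no credentials.

Added example for this README, not the plugin's generated anon_probe.py. The
MockApi class is a constructed stand-in backend so the probe runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PLACEHOLDER = "1"  # substituted for {id}-style Retrofit path parameters


def probe(base_url, method, route, timeout=5):
    """One request without an Authorization header -> (status, verdict)."""
    path = "/".join(PLACEHOLDER if p.startswith("{") else p for p in route.split("/"))
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    body = b"{}" if method in ("POST", "PUT", "PATCH") else None
    req = urllib.request.Request(url, data=body, method=method, headers={
        "User-Agent": "apk-audit-probe/0.1",      # assumed UA, not the plugin's
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except urllib.error.URLError:
        return None, "UNREACHABLE"
    if status in (401, 403):
        return status, "PROTECTED"
    if status in (404, 405):
        return status, "NOT_FOUND"   # wrong base path or placeholder; not an auth verdict
    if 200 <= status < 300:
        return status, "UNAUTH_OK"   # served without a token: rate by the data exposed
    return status, "OTHER"


def scan(base_url, routes):
    """routes: iterable of (HTTP method, Retrofit route) pairs from the static map."""
    return {(m, r): probe(base_url, m, r) for m, r in routes}


class MockApi(BaseHTTPRequestHandler):
    """Constructed backend: zones and login are public, vehicle routes need a bearer token."""
    PUBLIC = {("GET", "/v1/parking/zones"): b'[{"id":1}]',
              ("POST", "/v1/auth/login"): b'{"token":"t"}'}
    PRIVATE = {("GET", "/v1/users/1/vehicles"), ("DELETE", "/v1/vehicles/1")}

    def _handle(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        key = (self.command, self.path)
        authed = self.headers.get("Authorization", "").startswith("Bearer ")
        if key in self.PUBLIC:
            code, body = 200, self.PUBLIC[key]
        elif key in self.PRIVATE:
            code, body = (200, b"[]") if authed else (401, b'{"error":"unauthorized"}')
        else:
            code, body = 404, b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_DELETE = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock():
    """Bind the mock on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_mock()
    routes = [("GET", "v1/parking/zones"), ("POST", "v1/auth/login"),
              ("GET", "v1/users/{id}/vehicles"), ("DELETE", "v1/vehicles/{id}")]
    for (m, r), (status, verdict) in scan(base, routes).items():
        print(f"{verdict:10} {status} {m} {r}")
    srv.shutdown()
```

Note that the login route comes back UNAUTH_OK by design; a 2xx without a token is the trigger to look at the response, not the finding itself, which is why the report rates unauthenticated endpoints by risk rather than listing every one.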
Handles:
- Obfuscated code — Knows R8/ProGuard annotation mappings and uses string literals (URLs, header names, JSON keys) as anchors, since those survive renaming
- React Native / Hermes — Extracts strings from Hermes bytecode bundles
- Hybrid apps — Searches Capacitor/Cordova JS bundles alongside native code
- GraphQL — Tests introspection, maps schemas, checks per-resolver auth
- Split APKs — Handles XAPK bundles with multiple split APKs
License: MIT
