APK reverse engineering code knowledge graph query engine for AI agents.
Code Graph parses Android apk files into a Neo4j graph database, enabling structured queries about code relationships, call chains, security boundaries, and data flow — designed for AI agents performing automated reverse analysis.
```
APK Upload → Multi-layer Parsing (Smali + Native + Manifest) → Neo4j Graph → REST API → AI Agent
↕
MCP Server
```
| Layer | Technology |
|---|---|
| Backend | Java 21, Spring Boot 3.3, Neo4j 5 |
| Frontend | React 19, Ant Design 6, TypeScript, Vite |
| MCP Server | TypeScript, @modelcontextprotocol/sdk |
| Deployment | Docker Compose, GitHub Actions CI |
```
code-graph/
├── graph-model/     # Shared data models (BaseNode, BaseEdge)
├── parser-smali/    # DEX/Smali parsing (Baksmali)
├── parser-native/   # Native SO parsing
├── parser-apk/      # APK manifest parsing
├── cross-layer/     # JNI bridge analysis
├── graph-store/     # Neo4j repository + analysis engines
├── web-server/      # REST API + MCP Server config
├── frontend/        # React web UI
├── mcp-server/      # MCP Server for agent integration
└── docs/            # Roadmap and planning docs
```
```
docker compose up -d
```

Opens:
- Frontend: http://localhost:43231
- Backend API: http://localhost:43230/api/v1
- Neo4j Browser: http://localhost:7474
```
# Start Neo4j
docker run -d --name neo4j -p 7474:7474 -p 7687:7687 \
  -e NEO4J_AUTH=neo4j/password neo4j:5
# Backend (port 43230)
mvn spring-boot:run -pl web-server
# Frontend (port 43231, proxies /api to backend)
cd frontend && npm run dev
```

| Category | Endpoints | Description |
|---|---|---|
| Graph Stats | `GET /stats` | Node/edge counts, type distribution |
| Node Queries | `GET /nodes`, `/nodes/detail`, `/nodes/neighbors` | Browse, search, traverse |
| Call Chains | `/nodes/callchain`, `/nodes/callers` | Forward + reverse tracing |
| Path Finding | `/nodes/path`, `/nodes/reachability` | Shortest path + all paths |
| String Analysis | `/strings`, `/strings/backref` | Search + reverse reference |
| Pattern Detection | `/patterns/{type}`, `/patterns/detect` | Crypto, network, frameworks |
| Security | `/security/assessment`, `/chain/permissions` | Vulnerability + permission scan |
| Semantic Analysis | `/nodes/semantics` | Role tagging + risk labeling |
| Data Flow | `GET /dataflow` | Field/variable flow tracing |
| Entry Points | `GET /entrypoints` | Android component analysis |
| Project Diff | `GET /diff` | Cross-version comparison |
| Batch | `POST /batch` | Multi-query in one request |
| Export | `GET /export` | JSON/CSV export |

Direct integration with Claude, LangChain, and other agent frameworks:
search_nodes, trace_callchain, find_callers, get_scope, find_path,
search_strings, detect_patterns, analyze_reachability, analyze_permissions,
analyze_semantics, batch_query, analyze_entrypoints, assess_security,
detect_frameworks, compare_projects, trace_dataflow
- Dashboard — Project overview with stats, security risk, entry points
- Chain Explorer — Interactive call chain visualization
- Graph Explorer — Full graph visualization with AntV G6
- Analysis Dashboard — Reachability, permissions, semantics, data flow
- Security Assessment — Vulnerability findings with severity charts
- Entry Points — Android component entry analysis
- Framework Detection — Library and anti-analysis detection
- Project Diff — Cross-version comparison
- String Search, Pattern Search, Node Browser
```
# Backend tests (41 tests)
mvn test -B
# Frontend tests (98 tests)
cd frontend && npm test
# MCP Server tests (23 tests)
cd mcp-server && npm test
# All tests via Makefile
make test
# CI runs automatically on push/PR via GitHub Actions
```

| Variable | Default | Description |
|---|---|---|
| `NEO4J_URI` | `bolt://localhost:7687` | Neo4j connection URI |
| `NEO4J_USER` | `neo4j` | Neo4j username |
| `NEO4J_PASSWORD` | `password` | Neo4j password |
| `CORS_ORIGINS` | `http://localhost:43231` | Comma-separated CORS origins |
| `CODE_GRAPH_API_URL` | `http://localhost:43230/api/v1/graph` | MCP Server API base URL |

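
A preflight check over the variables listed above, for use before running the stack anywhere other than a local workstation. This is an added example, not part of the Code Graph project; the function names and the rules (default password or non-TLS URI with a non-local database, wildcard or plain-HTTP CORS origins, plain-HTTP API URL) are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the variables in the configuration table.
# Defaults are copied from that table; the rules and function names are assumptions.

# Succeeds when the URL's host is exactly localhost or 127.0.0.1.
is_local_url() {
  host=$(printf '%s' "$1" | sed -E 's#^[A-Za-z0-9+.-]+://##; s#^[^/]*@##; s#[/:].*$##')
  case "$host" in localhost|127.0.0.1) return 0 ;; *) return 1 ;; esac
}

# Prints one line per finding; returns 1 when there is any finding, else 0.
check_code_graph_env() {
  uri=${NEO4J_URI:-bolt://localhost:7687}
  pass=${NEO4J_PASSWORD:-password}
  cors=${CORS_ORIGINS:-http://localhost:43231}
  api=${CODE_GRAPH_API_URL:-http://localhost:43230/api/v1/graph}
  rc=0

  if ! is_local_url "$uri"; then
    if [ "$pass" = "password" ]; then
      echo "NEO4J_PASSWORD: documented default used with non-local database"; rc=1
    fi
    case "$uri" in
      bolt+s://*|neo4j+s://*) ;;  # Neo4j schemes: encrypted, CA-verified certificate
      *) echo "NEO4J_URI: no verified-TLS scheme for non-local database"; rc=1 ;;
    esac
  fi

  # CORS_ORIGINS is comma-separated; set -f stops a literal * from globbing.
  old_ifs=$IFS; IFS=', '; set -f
  for origin in $cors; do
    case "$origin" in
      '*') echo "CORS_ORIGINS: wildcard origin"; rc=1 ;;
      https://*) ;;
      *) is_local_url "$origin" || { echo "CORS_ORIGINS: non-HTTPS origin $origin"; rc=1; } ;;
    esac
  done
  IFS=$old_ifs; set +f

  case "$api" in
    https://*) ;;
    *) is_local_url "$api" || { echo "CODE_GRAPH_API_URL: plain HTTP to non-local host"; rc=1; } ;;
  esac
  return "$rc"
}
```

Source the file and run `check_code_graph_env || exit 1` in a deployment script so that a finding stops the rollout.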
Apache License 2.0