jadx takes Android APKs and spits out readable Java source code instead of smali, which makes reverse engineering apps actually manageable. You'd reach for this when hunting for hardcoded API keys, analyzing how an app's authentication works, or looking for security vulnerabilities in third-party apps. The skill covers both the CLI for automation and the GUI for interactive browsing, plus practical grep patterns for finding common issues like insecure crypto or SQL injection points. The deobfuscation flag is your friend when dealing with minified production apps. It's the standard tool for this job because the output is clean enough that you can actually follow the logic without wanting to give up.
npx skills add https://github.com/brownfinesecurity/iothackbot --skill jadx
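
The kind of grep triage described above, as an added example (not the skill's own patterns). The regexes, category labels, function names and the constructed Api.java sample are assumptions, and `decompile` needs jadx on PATH.

```shell
#!/usr/bin/env bash
# Added example: grep triage over jadx output. Patterns are illustrative assumptions.

# Decompile an APK to Java with deobfuscation on. Usage: decompile app.apk outdir
decompile() { jadx --deobf -d "$2" "$1"; }

# Print "category:file:line:text" for every hit under a decompiled source tree.
scan_sources() {
    local dir="$1"
    # String literal (8+ chars) assigned to a key/secret/token/password-like name.
    grep -rnEi --include='*.java' \
        '(api[_-]?key|secret|token|passw(or)?d)[A-Za-z0-9_]*[[:space:]]*=[[:space:]]*"[^"]{8,}"' \
        "$dir" | sed 's/^/hardcoded-secret:/'
    # ECB or DES transformations, bare "AES" (defaults to ECB), MD5/SHA-1 digests.
    grep -rnE --include='*.java' \
        'Cipher\.getInstance\("(AES|[^"]*(ECB|DES)[^"]*)"\)|MessageDigest\.getInstance\("(MD5|SHA-?1)"\)' \
        "$dir" | sed 's/^/weak-crypto:/'
    # SQL assembled by concatenation instead of bound parameters.
    grep -rnE --include='*.java' \
        '(rawQuery|execSQL)\([^;]*"[[:space:]]*\+' \
        "$dir" | sed 's/^/sql-concat:/'
    return 0
}

# Number of hits in one category. Usage: count_hits dir category
count_hits() { scan_sources "$1" | grep -c "^$2:" || true; }

# Write a constructed sample file (not from any real app) for trying the scan.
write_sample() {
    cat > "$1/Api.java" <<'EOF'
class Api {
  static final String API_KEY = "constructed-example-key-0001";
  void q(android.database.sqlite.SQLiteDatabase db, String n) throws Exception {
    javax.crypto.Cipher.getInstance("AES/ECB/PKCS5Padding");
    db.rawQuery("SELECT * FROM users WHERE name = '" + n + "'", null);
    db.rawQuery("SELECT * FROM users WHERE name = ?", new String[]{n});
  }
}
EOF
}

# Run as a script with a source directory to scan it.
if [ $# -gt 0 ]; then scan_sources "$1"; fi
```

Hits are leads for manual review in the jadx GUI, not findings: the parameterized `rawQuery` call in the sample is correctly left unflagged, while a key loaded from a resource file would be missed.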