Skip to content

Instantly share code, notes, and snippets.

@marcostolosa

marcostolosa/README.md

Created November 8, 2025 22:26
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save marcostolosa/6ea856394b6682cd8a606f19cb7129cd to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save marcostolosa/6ea856394b6682cd8a606f19cb7129cd to your computer and use it in GitHub Desktop.
Download ZIP
Android Regex Cheat Sheet II
Raw
README.md

Android Regex Cheat Sheet

A regex collection to help quickly perform static analysis on decompiled Android APKs. Designed for detection of security controls (root / tamper / hooking), secrets, Raw SQL usage, Native library, WebView configurations, and more.

Usage: Decompile the APK, and search using these regex patterns to quickly locate relevant code.

Security controls

Regex:

(?i)\b(root|rooted|isRoot|isDeviceRooted|checkRoot|check_root|RootBeer|magisk|su\b|superuser|mount\s*\(|/system/bin/su|/system/xbin/su|which\s+su|busybox|getprop|ro\.debuggable|ro\.secure|Build\.TAGS|android:debuggable|adb_enabled|frida|frida-gadget|xposed|XposedBridge|substrate|nativehook|hooking\hooked|SafetyNet|attestation|certificate pinning|pinning|CertificatePinner|isDebuggerConnected|Debug\.isDebuggerConnected|checkDebugger|isEmulator|emulator|qemu|ro\.product\.model|ro\.product\.device|ro\.build\.product|checkRootMethod|detectRoot)

Secrets

Regex:

(?i)\bLog\.(?:d|e|w|i|v)\s*\(.*?\b(?:token|access_token|password|aws_secret_access_key|aws_access_key_id|pwd|pin|ssn|card|cvv|secret|access|api[_-]?key|client[_-]?secret|apikey|privatekey)\b.*?\)

Exported / intent-filters / FileProvider misconfig

Regex:

(?i)\bandroid:exported\s*=\s*"(true)"|<provider\b|android:grantUriPermissions|fileprovider|FileProvider\b

Native library / .so loader

Regex:

(?i)\b(System.loadLibrary|System\.load|NativeLibrary|lib.*\.so)\b

Reflection / dynamic classloading / dex loading

Regex:

(?si)(?:\b(?:ClassLoader|DexClassLoader|PathClassLoader|InMemoryDexClassLoader|dalvik\.system\.DexFile|DexFile)\b|\b(?:Class\.forName|Class\.loadClass|getDeclaredMethod|getMethod|invoke|defineClass|loadClass|DexFile\.loadDex|loadDex|loadUrl|System\.loadLibrary|System\.load|Runtime(?:\.getRuntime\(\))?\.exec|Runtime\.exec|loadLibrary)\s*\()

Network config file

Regex:

(?i)\bnetwork-security-config|pin-set|<pin\b|certificatePinner|CertificatePinner|pin\sdigest|pinning|CertificatePinner\b

Keystore / password hints

Regex:

(?i)\b(keyStore|keystore|keyStorePassword|keyPassword|keystorePassword|storePassword|alias|keystoreFile)\b

Signature / installer / tamper checks

Regex:

(?i)\b(?:getPackageManager|getPackageInfo|getSignatures|getSigningInfo|signingInfo|getApkContentsSigners|PackageManager\.GET_SIGNATURES|PackageManager\.GET_SIGNING_CERTIFICATES|checkSignature|verifySignature|compareSignatures)\b(?:\s*\()?

Raw SQL usage

Regex:

(?i)\b(?:rawQuery|execSQL|String\.format\s*\(.*SELECT\b|SELECT\s+.*%s\b|\bWHERE\b.*%s)\b

WebView

Regex:

(?i)\b(WebView|setJavaScriptEnabled|addJavascriptInterface|setAllowFileAccess|setAllowContentAccess|setAllowUniversalAccessFromFileURLs|setDomStorageEnabled|loadUrl|loadDataWithBaseURL)\b

Debugger / Tracer checks

Regex:

(?i)\b(Debug\.isDebuggerConnected|isDebuggerConnected|android\.os\.Debug|ptrace|TracerPid|getCallingPid|getppid|tracerPid|Debuggable|android:debuggable)\b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment