ohmyg0sh #

Pub Version

ohmyg0sh is an APK security scanner that decompiles packages with jadx, applies a curated library of credential and secret patterns, filters false positives, and produces text or JSON reports.

Table of Contents #

ohmyg0sh

Features #

Scan Android APKs for hardcoded credentials before release
50+ bundled regex patterns covering major cloud, social, payment, and developer platforms
Customizable detection rules and false-positive filters
Human-readable text reports and machine-friendly JSON output
Streamed CLI updates with noisy jadx error lines suppressed
Programmatic API and Docker image for automation pipelines

Installation #

Global CLI (Recommended) #

dart pub global activate ohmyg0sh
ohmyg0sh -f app-release.apk

Project Dependency #

dependencies:
  ohmyg0sh: ^1.70.0

dart pub get

Docker #

docker pull mathtechstudio/ohmyg0sh:latest
docker run -it --rm -v "$PWD":/work -w /work mathtechstudio/ohmyg0sh:latest -f /work/app-release.apk

Requirements #

Dart SDK ^3.5
Java 11 or newer (required by jadx)
jadx installed and available on PATH, or passed with --jadx

Installing jadx #

# macOS
brew install jadx

# Linux / Windows
# Download from https://github.com/skylot/jadx/releases and add the binary to PATH

Quick Start #

CLI #

# Basic scan
ohmyg0sh -f app-release.apk

# JSON results
ohmyg0sh -f app-release.apk --json -o results.json

# Custom patterns & extra jadx flags
ohmyg0sh -f app-release.apk -p custom/regexes.json -a "--deobf --log-level INFO"

Tip

If your output file name starts with -, provide the path as --output=./-results.json to avoid option parsing issues.

Programmatic API #

import 'package:ohmyg0sh/ohmyg0sh.dart';

Future<void> main() async {
  final scanner = OhMyG0sh(
    apkPath: './app-release.apk',
    outputJson: true,
    outputFile: 'results.json',
  );

  await scanner.run();
}

Configuration #

Custom Patterns (`regexes.json`) #

// your-fucking-rules.json
{
  "Google_API_Key": "AIza[0-9A-Za-z\\-_]{35}",
  "AWS_Access_Key": "AKIA[0-9A-Z]{16}",
  "Custom_Token": "myapp_[a-f0-9]{32}"
  // ...
}

Use via ohmyg0sh -f app.apk -p my-patterns.json.

False Positive Filters (`notkeyhacks.json`) #

{
  "patterns": ["example\\.com"],
  "contains": ["PLACEHOLDER"],
  "Google_API_Key": ["AIzaGRAPHIC_DESIGN"]
}

Use via ohmyg0sh -f app.apk -n my-filters.json.

Built-in Patterns #

Bundled rules detect secrets across:

Cloud: AWS, Google Cloud, Azure, DigitalOcean
Social & Comms: Facebook, Twitter, Slack, Discord
Payments: Stripe, PayPal, Square, Braintree
Developer Services: GitHub, GitLab, Mailgun, Cloudinary
Databases & Keys: MongoDB, Postgres, private key blocks

Review the full list in config/regexes.json.

Output Examples #

Text #

** Scanning against 'com.example.app'

[Google_API_Key]
- AIzaSyD...

** Results saved into 'results_1234567890.txt'.

JSON #

{
  "package": "com.example.app",
  "results": [
    {
      "name": "Google_API_Key",
      "matches": ["AIzaSyD..."]
    }
  ],
  "generated_at": "2025-10-07T14:00:00Z",
  "generated_by": "ohmyg0sh",
  "repository": "https://github.com/mathtechstudio/ohmyg0sh",
  "pub_dev": "https://pub.dev/packages/ohmyg0sh"
}

CLI Reference #

Option	Short	Description
`--file`	`-f`	APK file to scan (required)
`--output`	`-o`	Output file path (auto-generated if missing)
`--json`		Emit JSON instead of text
`--pattern`	`-p`	Custom `regexes.json` file
`--notkeys`	`-n`	Custom `notkeyhacks.json` file
`--jadx`		Explicit path to the `jadx` binary
`--args`	`-a`	Additional `jadx` arguments (quoted)
`--help`	`-h`	Show usage

How It Works #

Decompile APK with jadx
Extract package metadata
Scan Java, Kotlin, Smali, XML, JS, and TXT sources
Match regex patterns against file contents
Filter via notkeyhacks rules
Report grouped matches to disk in the requested format

Troubleshooting #

`jadx` Not Found #

brew install jadx       # macOS
which jadx && jadx --version

Or run with --jadx /custom/path/to/jadx.

`jadx` Exits with Errors #

OhMyG0sh continues when usable artifacts exist and suppresses the noisy ERROR - finished with errors line. For verbose logs use:

ohmyg0sh -f app.apk -a "--log-level DEBUG"

Custom Pattern Resolution #

Search order:

--pattern path (if provided)
/app/config/regexes.json (Docker image)
package:ohmyg0sh/config/regexes.json (pub install)
./config/regexes.json
Executable-relative fallback

Docker Usage #

alias ohmyg0sh='docker run --rm -it -v "$PWD":/work -w /work mathtechstudio/ohmyg0sh:latest'
ohmyg0sh -f app-release.apk

With custom patterns:

docker run -it --rm \
  -v "$PWD":/work \
  -v "$PWD/patterns.json":/patterns.json \
  -w /work \
  mathtechstudio/ohmyg0sh:latest \
  -f /work/app.apk -p /patterns.json

Development #

git clone https://github.com/mathtechstudio/ohmyg0sh.git
cd ohmyg0sh
dart pub get
dart run bin/ohmyg0sh.dart -f app-release.apk
dart test

Contributing #

Fork the repository
Create a feature branch
Implement and test your changes
Submit a pull request

Security Notes #

Use only on APKs you are authorized to assess
Review findings manually to confirm leaks
Rotate exposed credentials immediately
Report vulnerabilities responsibly

Acknowledments #

Since this tool includes some contributions, and I'm not an asshole, I'll publically thank the following users for their helps and resources:

Contributors

License #

Released under the MIT License - see the MIT License file for details.

Links #

GitHub

Docker

Issue Tracker

pub.dev Package

ohmyg0sh 1.70.0 ohmyg0sh: ^1.70.0 copied to clipboard

Metadata