{"id":13387450,"url":"https://github.com/vincentcox/stacoan","last_synced_at":"2025-04-04T10:04:51.656Z","repository":{"id":52508022,"uuid":"119727944","full_name":"vincentcox/StaCoAn","owner":"vincentcox","description":"StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.","archived":false,"fork":false,"pushed_at":"2021-04-27T07:05:51.000Z","size":40683,"stargazers_count":841,"open_issues_count":11,"forks_count":131,"subscribers_count":50,"default_branch":"master","last_synced_at":"2025-04-04T09:31:19.019Z","etag":null,"topics":["bugbounty","mobile-security","security","security-tools","static-code-analysis"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vincentcox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"vincentcox","ko_fi":"vincentcox"}},"created_at":"2018-01-31T18:42:25.000Z","updated_at":"2025-03-30T15:17:35.000Z","dependencies_parsed_at":"2022-09-06T13:12:11.682Z","dependency_job_id":null,"html_url":"https://github.com/vincentcox/StaCoAn","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincentcox%2FStaCoAn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincentcox%2FStaCoAn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincentcox%2FStaCoAn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vincentcox%2FStaCoAn/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vincentcox","download_url":"https://codeload.github.com/vincentcox/StaCoAn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247157280,"owners_count":20893220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","mobile-security","security","security-tools","static-code-analysis"],"created_at":"2024-07-30T12:01:20.154Z","updated_at":"2025-04-04T10:04:51.625Z","avatar_url":"https://github.com/vincentcox.png","language":"JavaScript","readme":"![StaCoAn header](resources/header_stacoan-01.png)\r\n# StaCoAn ![Issues badge](https://img.shields.io/github/issues/vincentcox/StaCoAn.svg) ![License badge](https://img.shields.io/github/license/vincentcox/StaCoAn.svg) ![status](https://img.shields.io/badge/status-alpha-red.svg) ![Travis](https://api.travis-ci.org/vincentcox/StaCoAn.svg?branch=master)\r\n\r\n\u003ch1\u003e\u003cb\u003eNot maintained anymore!\u003c/b\u003e\u003c/h1\u003e\r\nWill be archived soon.\r\n\r\nStaCoAn is a __cross-platform__ tool which aids developers, bugbounty hunters and ethical hackers performing [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) on mobile applications\\*.\r\n\r\nThis tool will look for interesting lines in the code which can contain:\r\n* Hardcoded credentials\r\n* API keys\r\n* URLs of APIs\r\n* Decryption keys\r\n* Major coding mistakes\r\n\r\nThis tool was created with a big focus on usability and graphical guidance in the user interface.\r\n\r\nFor the impatient 
ones, grab the download on the [releases page](https://github.com/vincentcox/StaCoAn/releases).\r\n\r\n\u003cp style=\"font-size: 0.6em\"\u003e\r\n\u0026ast;: note that currently only apk files are supported, but ipa files will follow very shortly.\r\n\u003c/p\u003e\r\n\r\nAn example report can be found [here](https://github.com/vincentcox/StaCoAn/raw/master/resources/example-report.zip).\r\n\r\n\r\n## Table of Contents\r\n\u003c!-- TOC depthFrom:2 depthTo:6 withLinks:1 updateOnSave:1 orderedList:0 --\u003e\r\n\r\n- [Table of Contents](#table-of-contents)\r\n- [Features](#features)\r\n\t- [Looting concept](#looting-concept)\r\n\t- [Wordlists](#wordlists)\r\n\t- [Filetypes](#filetypes)\r\n\t- [Responsive Design](#responsive-design)\r\n- [Limitations](#limitations)\r\n- [Getting Started](#getting-started)\r\n\t- [From the releases](#from-the-releases)\r\n\t- [Docker](#docker)\r\n\t- [From source](#from-source)\r\n\t- [Building the executable](#building-the-executable)\r\n\t\t- [Windows](#windows)\r\n\t\t- [mac](#mac)\r\n\t\t- [Linux](#linux)\r\n- [Contributing](#contributing)\r\n\t- [Roadmap](#roadmap)\r\n- [Authors \u0026 Contributors](#authors-contributors)\r\n\t- [Top contributors](#top-contributors)\r\n- [License](#license)\r\n- [Acknowledgments](#acknowledgments)\r\n\r\n\u003c!-- /TOC --\u003e\r\n\r\n## Features\r\nThe concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. 
You can tweak the settings and wordlists to get a customized experience.\r\n\r\nThe reports contain a handy tree viewer so you can easily browse through your decompiled application.\r\n\r\n![Mockup  application ](resources/mockup_screenshot.png)\r\n\r\n### Looting concept\r\nThe _Loot Function_ lets you 'loot' (~bookmark) the findings which are of value to you, and on the loot page you will get an overview of your 'loot' raid.\r\n\r\nThe final report can be exported to a zip file and shared with other people.\r\n\r\n### Wordlists\r\nThe application uses wordlists for finding interesting lines in the code.\r\nWordlists are in the following format:\r\n```\r\nAPI_KEY|||80||| This contains an API key reference\r\n(https|http):\\/\\/.*api.*|||60||| This regex matches any URL containing 'api'\r\n```\r\n__Note that these wordlists support [regex](https://www.regular-expressions.info/examples.html) entries.__\r\n\r\nIn the `exclusion_list.txt` you can define exclusions (if for some reason you have too many findings):\r\n```\r\n(https|http):\\/\\/.*api.*|||\"res\",\"layout\"||| Like previously, note that \"res\",\"layout\" resembles the path\r\n(https|http):\\/\\/.*api.*|||||| To exclude everywhere\r\n```\r\n\r\n### Filetypes\r\nAny source file will be processed. This includes `'.java', '.js', '.html', '.xml',...` files.\r\n\r\nDatabase files are also searched for keywords. The database also has a table viewer.\r\n\r\n![database](resources/screenshot_database.png)\r\n\r\n### Responsive Design\r\nThe reports are made to fit on all screens.\r\n\r\n![](resources/responsive.gif)\r\n\r\n## How does the tool work?\r\n\r\n![Pipeline tool](resources/pipeline.png)\r\n\r\n## Limitations\r\nThis tool will have trouble with [obfuscated](https://en.wikibooks.org/wiki/Introduction_to_Software_Engineering/Tools/Obfuscation) code. If you are a developer, try to compile without obfuscation turned on before running this tool. 
If you are on the offensive side, good luck bro.\r\n\r\n## Getting Started\r\n### From the releases\r\nIf you want to get started as soon as possible, head over to the [releases page](https://github.com/vincentcox/StaCoAn/releases) and download the executable or archive which corresponds to your operating system.\r\n\r\nIf you have downloaded the release zip file, extract this.\r\n\r\nOn Windows you can just double click the executable. It will open in server mode and you can just drag and drop your mobile applications in the webinterface.\r\n\r\n![Windows 1 click](resources/windows-1-click.gif)\r\n\r\nOn Mac and Linux you can just run it from the terminal without arguments for the server-mode.\r\n```\r\n./stacoan\r\n```\r\nDrag and drop this file onto the executable.\r\n\r\nOr you can specify an apk-file to run it without the server-mode:\r\n```\r\n./stacoan -p test-apk.apk\r\n```\r\nThe report will be put inside a folder with a name corresponding to the apk.\r\n\r\n### Docker\r\n\r\n```\r\ncd docker\r\n```\r\n```\r\ndocker build . 
-t stacoan\r\n```\r\n_Make sure that your application is at the location `/yourappsfolder`._\r\n\r\n```\r\ndocker run -e JAVA_OPTS=\"-Xms2048m -Xmx2048m\" -p 8888:8888 -p 7777:7777 -i -t stacoan\r\n```\r\n\r\nDrag and drop your application via: http://127.0.0.1:7777.\r\n\r\n\r\n### From source\r\n```\r\ngit clone https://github.com/vincentcox/StaCoAn/\r\n```\r\n\r\n```\r\ncd StaCoAn/src\r\n```\r\n\r\nMake sure that you have pip3 installed:\r\n\r\n```\r\nsudo apt-get install python3-pip\r\n```\r\n\r\nInstall the required python packages:\r\n\r\n```\r\npip3 install -r requirements.txt\r\n```\r\n\r\nRun StaCoAn via commandline:\r\n\r\n```\r\npython3 stacoan.py -p yourApp.apk\r\n```\r\n__Or__ if you rather use the drag and drop interface:\r\n```\r\npython3 stacoan.py\r\n```\r\n### Building the executable\r\nMake sure that you are in the `src` folder.\r\n```\r\ncd src\r\n```\r\nInstall [PyInstaller](http://www.pyinstaller.org/):\r\n```\r\npip3 install pyinstaller\r\n```\r\n\r\n#### Windows\r\n\r\nPyInstaller can't handle subfolders with code, therefore we need to put the code in one folder.\r\n```\r\nsed -i 's/from helpers./from /g' helpers/*\r\nsed -i 's/from helpers./from /g' stacoan.py\r\nsed -i 's/os.path.join(parentdir, \"config.ini\")/\"config.ini\"/g' helpers/logger.py\r\ncp helpers/* ./ || :;\r\n```\r\nBuild stacoan:\r\n```\r\npython3 -m PyInstaller stacoan.py --onefile --icon icon.ico --name stacoan --clean\r\n```\r\n\r\n#### mac\r\n\r\nPyInstaller can't handle subfolders with code, therefore we need to put the code in one folder.\r\n```\r\n# Note the ''-\u003e this is because sed syntax is different on mac.\r\nsed -i '' 's/from helpers./from /g' helpers/*\r\nsed -i '' 's/from helpers./from /g' stacoan.py\r\nsed -i '' 's/os.path.join(parentdir, \"config.ini\")/\"config.ini\"/g' helpers/logger.py\r\ncp helpers/* ./ || :;\r\n```\r\nBuild stacoan:\r\n```\r\npython3 -m PyInstaller stacoan.py --onefile --icon icon.ico --name stacoan --clean\r\n```\r\n\r\n#### 
Linux\r\n\r\nPyInstaller can't handle subfolders with code, therefore we need to put the code in one folder.\r\n```\r\nsed -i 's/from helpers./from /g' helpers/*\r\nsed -i 's/from helpers./from /g' stacoan.py\r\nsed -i 's/os.path.join(parentdir, \"config.ini\")/\"config.ini\"/g' helpers/logger.py\r\ncp helpers/* ./ || :;\r\n```\r\nBuild stacoan:\r\n```\r\npython3 -m PyInstaller stacoan.py --onefile --icon icon.ico --name stacoan --clean\r\n```\r\n\r\n## Contributing\r\nThis entire program's value depends on the wordlists it uses. In the end, the final result is what matters. It is easy to build a wordlist (in comparison to writing actual code), but it has the biggest impact on the end result. You can help the community the most by making wordlists.\r\n\r\nIf you want an easy way to post your ideas, head over to: http://www.tricider.com/brainstorming/2pdrT7ONVrB. From there you can add ideas for entries in the wordlist.\r\n\r\nImproving the code is also much appreciated.\r\n\r\nIf the contribution is high enough, you will be mentioned in the `authors` section.\r\n\r\n### Roadmap\r\n- [ ] Make IPA files also work with this program\r\n- [ ] Make DB matches loot-able\r\n- [x] Better logging (cross platform)\r\n- [x] Docker optimisation\r\n- [x] Use server to upload files (apk's, ipa's) and process them\r\n- [x] Exception list for ignoring findings in certain folders. 
For example ignoring `http` in `res/layout` and in general `http://schemas.android.com/apk/res/android`\r\n- [x] Make a cleaner file structure of this project\r\n\r\n## Authors \u0026 Contributors\r\n\r\n\u003ctable\u003e\r\n  \u003ctr\u003e\r\n    \u003cth\u003e\u003ccenter\u003eProject Creator\u003c/center\u003e\u003c/th\u003e\r\n  \u003c/tr\u003e\r\n  \u003ctr\u003e\r\n    \u003ctd\u003e\r\n    \u003cp align=\"center\"\u003e\u003cimg src=\"resources/authors/vincentcox.jpg\" alt=\"Vincent Cox\" width=\"200px\"/\u003e\u003c/p\u003e\r\n    \u003c/td\u003e\r\n  \u003c/tr\u003e\r\n  \u003ctr\u003e\r\n    \u003ctd\u003e\r\n      \u003cdiv align=\"center\"\u003e\r\n        \u003ca href=\"https://www.linkedin.com/in/ivincentcox/\"\u003e\r\n          \u003cimg src=\"https://cdnjs.cloudflare.com/ajax/libs/foundicons/3.0.0/svgs/fi-social-linkedin.svg\" alt=\"Linkedin\" width=\"40px\"/\u003e\r\n        \u003c/a\u003e\r\n        \u003ca href=\"https://twitter.com/vincentcox_be\"\u003e\r\n          \u003cimg src=\"https://cdnjs.cloudflare.com/ajax/libs/foundicons/3.0.0/svgs/fi-social-twitter.svg\" alt=\"Twitter\" width=\"40px\"/\u003e\r\n        \u003c/a\u003e\r\n        \u003ca href=\"https://vincentcox.com\"\u003e\r\n          \u003cimg src=\"https://cdnjs.cloudflare.com/ajax/libs/foundicons/3.0.0/svgs/fi-web.svg\" alt=\"Website\" width=\"40px\"/\u003e\r\n        \u003c/a\u003e\r\n      \u003c/div\u003e\r\n    \u003c/td\u003e\r\n  \u003c/tr\u003e\r\n\u003c/table\u003e\r\n\r\n\r\n### Top contributors\r\n\r\n\u003ca href=\"https://github.com/Kevin-De-Koninck\"\u003e\u003cimg src=\"resources/authors/Kevin-De-Koninck.png\" width=\"100px\"\u003e\u003c/a\u003e\r\n\u003ca href=\"https://github.com/BBerastegui\"\u003e\u003cimg src=\"resources/authors/BBerastegui.png\" width=\"100px\"\u003e\u003c/a\u003e\r\n\u003ca href=\"https://github.com/adi0x90\"\u003e\u003cimg src=\"resources/authors/adi0x90.png\" width=\"100px\"\u003e\u003c/a\u003e\r\n\u003ca 
href=\"https://github.com/Ayowel\"\u003e\u003cimg src=\"resources/authors/Ayowel.png\" width=\"100px\"\u003e\u003c/a\u003e\r\n\r\n## License\r\nThe following projects were used in this project:\r\n* [Materialize CSS](http://materializecss.com/): Materialize, a CSS Framework based on Material Design. Used for the general theme of the reports.\r\n* [PRISMJS](http://prismjs.com/): Lightweight, robust, elegant syntax highlighting. Used for the code markup\r\n* [JADX](https://github.com/skylot/jadx): Dex to Java decompiler. Used for decompiling .apk files\\*.\r\n* [Fancytree](https://github.com/mar10/fancytree): jQuery tree view / tree grid plugin. Used in the tree-view of the reports.\r\n* [fontawesome](http://fontawesome.io/): Font Awesome, the iconic font and CSS framework. Used for some icons.\r\n* [JSZip](https://stuk.github.io/jszip/): JSZip is a javascript library for creating, reading and editing .zip files, with a lovely and simple API.\r\n* [FileSaver](https://github.com/eligrey/FileSaver.js/): An HTML5 saveAs() FileSaver implementation.  Used in the JSZip library.\r\n\r\nAll of these projects have their corresponding licenses. Please respect these while you are modifying and redistributing this project.\r\n\r\n\u003cp style =\"font-size: 0.6em\"\u003e\r\n\u0026ast;: the binary is included in this project. If the dev's from JADX are not comfortable with this, feel free to contact me about this so we can find a solution.\r\n\u003c/p\u003e\r\n\r\n## Acknowledgments\r\n* [Kevin De Koninck](https://github.com/Kevin-De-Koninck): Git master and senpai of patience with my learning process in [pep8](https://www.python.org/dev/peps/pep-0008/).\r\n* [brakke97](https://twitter.com/skeltavik): He taught me how to hack mobile applications. This project would never exist without him.\r\n* [Aditya Gupta](https://twitter.com/adi1391): Awesome dude, really. Just keep him away from your IoT fridge or coffeemachine. 
Check out his [website](https://www.attify-store.com/) if you are into IoT hacking.\r\nAlso have a look at his course [\"Advanced Android and iOS Hands-on Exploitation\"](https://courses.securityschool.io/advanced-android-and-ios-hands-on-exploitation). I'm sure many future improvements in this tool will be based on ideas and techniques used during his course.\r\n* [Quintenvi](https://twitter.com/quintenvi): He taught me a lot, also non-hacking things.\r\n* [c4b3rw0lf](https://twitter.com/c4b3rw0lf): The awesome dude behind the [VulnOS series](https://www.vulnhub.com/series/vulnos,36/).\r\n* [MacJu89](https://twitter.com/MacJu89): infra \u0026 XSS senpai\r\n\r\nMany more should be listed here, but I can't list them all.\r\n","funding_links":["https://github.com/sponsors/vincentcox","https://ko-fi.com/vincentcox"],"categories":["\u003ca id=\"2110ded2aa5637fa933cc674bc33bf21\"\u003e\u003c/a\u003e工具","\u003ca id=\"df8a5514775570707cce56bb36ca32c8\"\u003e\u003c/a\u003e审计\u0026\u0026安全审计\u0026\u0026代码审计"],"sub_categories":["\u003ca id=\"63fd2c592145914e99f837cecdc5a67c\"\u003e\u003c/a\u003e新添加的1","\u003ca id=\"6a5e7dd060e57d9fdb3fed8635d61bc7\"\u003e\u003c/a\u003e未分类-Audit"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvincentcox%2Fstacoan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvincentcox%2Fstacoan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvincentcox%2Fstacoan/lists"}