vincentcox/StaCoAn: StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications*.

This tool will look for interesting lines in the code which can contain:

Hardcoded credentials
API keys
URL's of API's
Decryption keys
Major coding mistakes

This tool was created with a big focus on usability and graphical guidance in the user interface.

For the impatient ones, grab the download on the releases page.

*: note that currently only apk files are supported, but ipa files will follow very shortly.

An example report can be found here: example report

Features

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

The reports contain a handy tree viewer so you can easily browse trough your decompiled application.

Looting concept

The Loot Function let you 'loot' (~bookmark) the findings which are of value for you and on the loot-page you will get an overview of your 'loot' raid.

The final report can be exported to a zip file and shared with other people.

Wordlists

The application uses wordlists for finding interesting lines in the code. Wordlists are in the following format:

API_KEY|||80||| This contains an API key reference
(https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'

Note that these wordlists also support regex entries.

Filetypes

Any source file will be processed. This contains '.java', '.js', '.html', '.xml',... files.

Database-files are also searched for keywords. The database also has a table viewer.

Responsive Design

The reports are made to fit on all screens.

Limitations

This tool will have trouble with obfuscated code. If you are a developer try to compile without obfuscation turned on before running this tool. If you are on the offensive side, good luck bro.

Getting Started

If you want to get started as soon as possible, head over to the releases page and download the executable or archive which corresponds to your operating system.

If you have downloaded the release zip file, extract this. Copy the .apk or .ipa file to the extracted folder.

Drag and drop this file onto the executable. The report will now be generated in the report folder.

From source

git clone https://github.com/vincentcox/StaCoAn/

cd StaCoAn/src

Make sure that you have pip3 installed:

sudo apt-get install python3-pip

Install the required python packages:

pip3 install -r requirements.txt

Run StaCoAn:

python3 stacoan.py yourApp.apk

Building the executable

pip3 install pyinstaller

Windows

pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

mac

pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

Linux

python3 -m PyInstaller main.py --onefile --icon icon.ico --name stacoan --clean

Running the Docker container

cd docker

docker build . -t stacoan

docker run -e JAVA_OPTS="-Xms2048m -Xmx2048m" -p 8000:8000 -v /yourappsfolder:/tmp -i -t stacoan /tmp/com.myapk.apk

Wait for it to be analysed and the open your browser in http://localhost:8000

Contributing

This entire program's value is depending on the wordlists it is using. In the end, the final result is what matters. It is easy to build a wordlist (in comparison to writing actual code), but it has the biggest impact on the end result. You can help the community the most with making wordlists.

If you want an easy way to post your idea's, head over to: http://www.tricider.com/brainstorming/2pdrT7ONVrB. From there you can add ideas for entries in the wordlist.

Improving the code is also much appreciated.

If the contribution is high enough, you will be mentioned in the authors section.

Roadmap

Make IPA files also work with this program
Make DB matches loot-able
Use server to upload files (apk's, ipa's) and process them (https://gist.github.com/touilleMan/eb02ea40b93e52604938)
Exception list for ignoring findings in certain folders. For example ignoring http in res/layout and in general http://schemas.android.com/apk/res/android
Make a cleaner file structure of this project

Authors & Contributors

Project Creator

License

The following projects were used in this project:

Materialize CSS: Materialize, a CSS Framework based on Material Design. Used for the general theme of the reports.
PRISMJS: Lightweight, robust, elegant syntax highlighting. Used for the code markup
JADX: Dex to Java decompiler. Used for decompiling .apk files*.
Fancytree: jQuery tree view / tree grid plugin. Used in the tree-view of the reports.
fontawesome: Font Awesome, the iconic font and CSS framework. Used for some icons.
JSZip: JSZip is a javascript library for creating, reading and editing .zip files, with a lovely and simple API.
FileSaver: An HTML5 saveAs() FileSaver implementation. Used in the JSZip library.

All of these projects have their corresponding licenses. Please respect these while you are modifying and redistributing this project.

*: the binary is included in this project. If the dev's from JADX are not comfortable with this, feel free to contact me about this so we can find a solution.

Acknowledgments

Kevin De Koninck: Git master and senpai of patience with my learning process in pep8.
brakke97: He learned me how to hack mobile applications. This project would never exist without him.
Aditya Gupta: Awesome dude, really. Just keep him away from your IoT fridge or coffeemachine. Check out his website if you are into IoT hacking.
Quintenvi: He learned me alot, also non-hacking things.
c4b3rw0lf: The awesome dude behind the VulnOS series.
MacJu89: infra & XSS senpai

Many more should be listed here, but this readme file would be TL;DR which is the worst what can happen to a readme file.