This tool will look for interesting lines in the code which can contain:
– Hardcoded credentials
– API keys
– URLs of APIs
– Decryption keys
– Major coding mistakes
This tool was created with a big focus on usability and graphical guidance in the user interface.
+ The concept is that you drag and drop your mobile application file (an .apk or .ipa file) onto the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
++ Looting concept; the Loot function lets you ‘loot’ (~bookmark) the findings which are of value to you, and on the loot page you get an overview of your ‘loot’ raid.
++ Wordlists; the application uses wordlists for finding interesting lines in the code.
++ Filetypes; any source file will be processed. This includes ‘.java’, ‘.js’, ‘.html’, ‘.xml’,… files.
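To make the wordlist idea concrete, here is an added example of a minimal wordlist-driven line scanner in the same spirit. It is not StaCoAn's code: the wordlist entries, the file names, the sample sources and the `loot` helper are all constructed for illustration, and StaCoAn's own wordlists and report format are unrelated to these.

```python
"""Added example (not StaCoAn's code): a minimal wordlist-driven scanner that
flags interesting lines in decompiled sources. Wordlist entries, file names
and sample sources below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed wordlist: (label, regex). These are assumed patterns written for
# this example, not StaCoAn's shipped wordlists.
WORDLIST = [
    ("hardcoded credential",
     r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"'][^\"']{4,}[\"']"),
    ("api key",
     r"(?i)\b(api[_-]?key|secret)\s*[=:]\s*[\"'][A-Za-z0-9_\-]{16,}[\"']"),
    ("api url",
     r"(?i)https?://[^\s\"']*\bapi\b[^\s\"']*"),
    ("decryption key",
     r"(?i)\b(aes|des|decrypt\w*)[_-]?key\b"),
    ("coding mistake (weak crypto)",
     r"(?i)\b(DES|RC4|MD5|ECB)\b"),
]

# Only source-like files are scanned; binaries and images are skipped.
SOURCE_EXTENSIONS = (".java", ".kt", ".js", ".html", ".xml", ".swift", ".plist")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    label: str
    line: str


def compile_wordlist(wordlist=WORDLIST):
    return [(label, re.compile(pattern)) for label, pattern in wordlist]


def is_source_file(path):
    return path.lower().endswith(SOURCE_EXTENSIONS)


def scan_text(path, text, compiled):
    """Return one Finding per (line, wordlist entry) that matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, regex in compiled:
            if regex.search(line):
                findings.append(Finding(path, line_no, label, line.strip()))
    return findings


def scan_files(files, wordlist=WORDLIST):
    """files maps a path inside the unpacked app to its text content."""
    compiled = compile_wordlist(wordlist)
    findings = []
    for path, text in files.items():
        if is_source_file(path):
            findings.extend(scan_text(path, text, compiled))
    return findings


def loot(findings, labels):
    """The 'loot' idea: keep only the findings you decided are worth bookmarking."""
    wanted = set(labels)
    return [f for f in findings if f.label in wanted]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.label] = counts.get(f.label, 0) + 1
    return counts


# Constructed sample sources standing in for files pulled out of an app.
SAMPLE_FILES = {
    "com/example/Config.java": """\
package com.example;
public final class Config {
    static final String BASE_URL = "https://api.example.test/v2/";
    static final String API_KEY = "sk_live_0123456789abcdef0123";
    static final String DB_PASSWORD = "hunter2hunter2";
    static final String CIPHER = "DES/ECB/PKCS5Padding";
}
""",
    "assets/app.js": """\
// constructed sample
const endpoint = "https://backend.example.test/api/v1/login";
const secret = "s3cr3t-t0ken-abcdef0123456789";
function login(user, pwd) {
  return fetch(endpoint, { method: "POST", body: JSON.stringify({ user, pwd }) });
}
""",
    "res/values/strings.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo</string>
    <string name="aes_key">0f1e2d3c4b5a69788796a5b4c3d2e1f0</string>
</resources>
""",
    "assets/logo.png": "\x89PNG not source, must be skipped",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.label}] {f.line}")
```

The scanner reports every matching (line, pattern) pair, so one line can produce several findings; that is deliberate, since a single line holding both a URL and a key is exactly the kind of line you want surfaced twice. Patterns with a leading `\b` miss identifiers such as `DB_PASSWORD` (the underscore is a word character), which is why the credential pattern above has none; expect to tune such wordlists against real decompiler output.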
Use and Download:
git clone https://github.com/vincentcox/StaCoAn && cd StaCoAn
sudo pip3 install -r requirements.txt
(Installing the requirements into a virtualenv instead avoids running pip as root.)
python3 main.py test-apk.apk
Running the Docker container:
docker build . -t stacoan
docker run -p 8000:8000 -v /yourappsfolder:/tmp -i -t stacoan /tmp/com.myapk.apk
Replace /yourappsfolder with the host folder that holds your app; it is mounted at /tmp inside the container, so the path given after the image name is the in-container path, and the report is served on port 8000.