How to run StaCoAn with Docker?

Build the Docker image from the docker folder, then run it with exposed ports. You can upload APK files via the web interface at http://127.0.0.1:7777, as detailed in the Docker setup section.

StaCoAn vs MobSF for mobile app security?

StaCoAn focuses on a simple GUI and customizable wordlists for static analysis, while MobSF is more comprehensive with dynamic features and active development. StaCoAn is easier for quick scans but lacks maintenance and advanced capabilities.

Can StaCoAn analyze iOS IPA files?

No, it currently only supports Android APK files. IPA support is listed in the roadmap but not implemented, so it's ineffective for iOS application security audits.

How to customize wordlists in StaCoAn?

Edit the wordlist files using a regex format like 'API_KEY|||80||| description' to add or modify patterns for scanning. Exclusion lists can ignore findings in specific paths, as explained in the Wordlists section.

Is StaCoAn still being updated?

No, the project is archived and no longer maintained, with a warning at the top of the README. It was in alpha status, so users should not expect any future enhancements or bug fixes.

StaCoAn

MITJavaScript

A cross-platform static code analysis tool for mobile applications (APK/IPA) to find security vulnerabilities like hardcoded credentials and API keys.

GitHub

871 stars138 forks0 contributors

What is StaCoAn?

StaCoAn is a static code analysis tool for mobile applications that scans decompiled APK and IPA files to identify security vulnerabilities. It searches for hardcoded credentials, API keys, URLs, decryption keys, and major coding mistakes, generating visual, portable reports to aid in security assessments.

Target Audience

Mobile application developers, bug bounty hunters, and ethical hackers who need to perform security audits on Android and iOS applications.

Value Proposition

It offers an intuitive drag-and-drop interface with customizable wordlists and visual reports, making static analysis more accessible compared to traditional command-line tools.

Overview

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.

Use Cases

Best For

Security auditing of Android APK files for hardcoded secrets
Bug bounty hunters analyzing mobile apps for vulnerabilities

Related Projects

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub

Ethical hackers performing static analysis on iOS IPA files

Developers checking their own apps for accidental credential exposure

Educational purposes in mobile application security courses

Generating shareable security assessment reports for clients

Not Ideal For

Projects analyzing iOS IPA files, as support is planned but not yet implemented
Applications with heavily obfuscated code, as the tool explicitly struggles with obfuscation
Organizations requiring long-term support and active maintenance, given the project is archived and no longer maintained

Pros & Cons

Pros

Intuitive Drag-and-Drop

Users can simply drag APK files onto the tool to generate visual reports, eliminating command-line complexity as shown in the Windows one-click demo.

Customizable Regex Wordlists

Supports regex-based wordlists to search for patterns like API keys and credentials, allowing tailored scans for specific security issues.

Portable HTML Reports

Generates self-contained, responsive HTML reports that can be exported as ZIP files for easy sharing, demonstrated in the example report.

Cross-Platform Accessibility

Runs on Windows, macOS, and Linux via pre-built executables or Docker, making it widely accessible without source code modifications.

Cons

Abandoned Development

The project is marked as 'alpha' and explicitly stated as not maintained, meaning no bug fixes, updates, or support for future issues.

Incomplete iOS Support

Advertised for IPA files but only APK is functional, with IPA support lingering in the roadmap and unimplemented, limiting its utility for iOS apps.

Poor Obfuscation Handling

The README admits the tool has trouble with obfuscated code, reducing effectiveness on secured applications and requiring workarounds.

Frequently Asked Questions

Home

Android Security

ClassyShark

Android and Java bytecode viewer

Stars7,566

Forks872

Last commit3 years ago

Detekt

Static code analysis for Kotlin

Stars6,955

Forks837

Last commit12 hours ago

APKLeaks

Scanning APK file for URIs, endpoints & secrets.

Stars6,085

Forks574

Last commit9 months ago

Quark-Engine

Quark Engine is a static analysis tool designed to detect and score Android malware by identifying malicious behavior patterns within APK files. It specializes in analyzing obfuscated malware, providing security researchers and analysts with a systematic way to assess threats. The tool generates detailed reports that map observed behaviors to known malware families, helping to classify and understand new variants. ## Key Features - **Obfuscation-Neglect Analysis** — Detects malicious behaviors even in heavily obfuscated Android applications. - **Rule-Based Scoring** — Uses a comprehensive database of rules to identify and score specific malware behaviors. - **Malware Family Mapping** — Correlates detected behaviors with known malware families like DroidKungFu, GoldDream, and SpyNote. - **Summary Reports** — Generates concise, actionable reports highlighting the most critical findings. - **Extensible Rule System** — Allows security teams to create and update custom detection rules. ## Philosophy Quark Engine is built on the principle that malicious intent can be uncovered through behavioral analysis, regardless of code obfuscation techniques. The project emphasizes practical, rule-driven detection that benefits the broader security community.

Stars1,679

Forks202

Last commit3 days ago

#mobile-security

#apk-analysis

#static-code-analysis

#security

#vulnerability-scanning