StaCoAn v0.90 release: static code analysis on mobile applications for developers, bugbounty hunters and ethical hackers

StaCoAn is a cross-platform tool which aids developers, bug-bounty hunters and ethical hackers performing static code analysis on mobile applications*.

This tool will look for interesting lines in the code which can contain:

  • Hardcoded credentials
  • API keys
  • URL’s of API’s
  • Decryption keys
  • Major coding mistakes

This tool was created with a big focus on usability and graphical guidance in the user interface.

For the impatient ones, grab the download on the releases page.

*: note that currently only apk files are supported, but IPA files will follow very shortly.

An example report can be found here: example report


The concept is that you drag and drop your mobile application file (a .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

The reports contain a handy tree viewer so you can easily browse through your decompiled application.

Mockup application

Looting concept

The Loot Function let you ‘loot’ (~bookmark) the findings which are of value for you and on the loot-page, you will get an overview of your ‘loot’ raid.

The final report can be exported to a zip file and shared with other people.


The application uses wordlists for finding interesting lines in the code. Wordlists are in the following format:

API_KEY|||80||| This contains an API key reference
(https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'

Note that these wordlists also support regex entries.


Any source file will be processed. This contains ‘.java’, ‘.js’, ‘.html’, ‘.xml’,… files.

Database-files are also searched for keywords. The database also has a table viewer.


Responsive Design

The reports are made to fit on all screens.

Changelog v0.90

Bug fixes and minor changes/updates

  • fixed the bug when StaCoAn crashes if filepath is too long
  • fixed the loading screen so it refreshes when it’s done (this was an issue if it took more than 100s)
  • Updated JADX to version 8
  • Logging removed when an exclusion is found (this had no value for the end-user)
  • Fixed Travis CI build for windows (thanks to travis-ci/travis-ci#10195 (comment))

Getting Started

If you want to get started as soon as possible, head over to the releases page and download the executable or archive which corresponds to your operating system.

If you have downloaded the release zip file, extract this. Copy the .apk or .ipa file to the extracted folder.

Drag and drop this file onto the executable. The report will now be generated in the report folder.

From source

git clone

cd StaCoAn/src

Make sure that you have pip3 installed:

sudo apt-get install python3-pip

Install the required python packages:

pip3 install -r requirements.txt

Run StaCoAn:

python3 yourApp.apk

Building the executable

pip3 install pyinstaller


pyinstaller –onefile –icon icon.ico –name stacoan –clean


pyinstaller –onefile –icon icon.ico –name stacoan –clean


python3 -m PyInstaller –onefile –icon icon.ico –name stacoan –clean

Running the Docker container

cd docker

docker build . -t stacoan

docker run -e JAVA_OPTS=”-Xms2048m -Xmx2048m” -p 8000:8000 -v /yourappsfolder:/tmp -i -t stacoan /tmp/com.myapk.apk

Wait for it to be analyzed and the open your browser in http://localhost:8000

Copyright (c) 2018 Vincent Cox