StaCoAn is a cross-platform static code analysis tool that helps developers, bug bounty hunters and ethical hackers find sensitive information and vulnerabilities in mobile applications.
StaCoAn analyzes mobile application packages (currently only APK files) to detect hardcoded credentials, API keys, URLs, decryption keys and coding mistakes. It is aimed at security researchers, bug bounty hunters and developers who want to uncover security flaws and sensitive-data leaks in mobile apps through a simple graphical interface.
StaCoAn is in alpha status and is no longer maintained. It supports only APK files; IPA support was planned but never shipped. Because the scan is driven by regex wordlists over decompiled source, it can miss secrets in heavily obfuscated code or strings that are only stored encoded or encrypted, so a clean result does not prove that no secrets are present. Users should weigh these limitations when integrating StaCoAn into their security workflows.
Download the pre-built executable from the releases page on GitHub
Alternatively, run the tool using the provided Docker image
Clone the repository from GitHub using git clone https://github.com/vincentcox/StaCoAn.git
Build the executable from source for your platform (Windows, macOS, Linux) following the build instructions
Drag and drop an APK file onto the StaCoAn application: this starts the static analysis and generates a visual report of findings.
Customize the wordlists by editing the wordlist files, which contain regex patterns, to tailor the scan to specific keywords or patterns.
Use the Loot function to bookmark interesting findings; bookmarked results are collected on a dedicated loot page for review.
Export the final report as a ZIP file to share the analysis results with others.
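As an added example that is not StaCoAn's own code, the following Python script shows the core of the workflow above in miniature: a regex wordlist is run over decompiled source files, base64-wrapped strings are decoded and re-scanned to illustrate the obfuscation caveat, and the findings are written into a ZIP report. The wordlist format, the sample Config.java, the pattern names and every function name are assumptions made for this example; StaCoAn's real wordlist files, report layout and internals are not reproduced.

```python
"""Added example in the spirit of StaCoAn (not StaCoAn's own code): scan a
tree of decompiled sources for hardcoded secrets using a regex wordlist,
chase base64-wrapped strings that a plain regex pass would miss, and
export the findings as a ZIP report.  The wordlist layout, the sample
Java file and all names below are assumptions made for this example."""
import base64
import json
import os
import re
import tempfile
import zipfile

# Hypothetical wordlist: one "<name> <regex>" per line.  StaCoAn's own
# wordlist files are not reproduced here; this is a stand-in format.
WORDLIST = r"""
aws_access_key  AKIA[0-9A-Z]{16}
generic_api_key (?i)api[_-]?key["']?\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']
url             https?://[^\s"'<>]+
base64_blob     ["'][A-Za-z0-9+/]{24,}={0,2}["']
"""

# Constructed decompiled source, as a decompiler would emit it from an APK.
SAMPLE_JAVA = r"""
package com.example.app;
public class Config {
    static final String API_KEY = "sk_live_0123456789abcdef";
    static final String ENDPOINT = "https://api.example.com/v1/";
    // Light "obfuscation": the AWS key only exists base64-encoded.
    static final String AWS = new String(Base64.decode("QUtJQUlPU0ZPRE5ON0VYQU1QTEU=", 0));
}
"""

SOURCE_EXTENSIONS = (".java", ".kt", ".xml", ".smali", ".json", ".properties")


def load_wordlist(text):
    """Parse the stand-in wordlist into (name, compiled regex) pairs."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, regex = line.split(None, 1)
        patterns.append((name, re.compile(regex)))
    return patterns


def scan_tree(root, patterns):
    """First pass: run every pattern over every line of every source file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.endswith(SOURCE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for name, regex in patterns:
                        for m in regex.finditer(line):
                            findings.append({"file": os.path.relpath(path, root),
                                             "line": lineno, "type": name,
                                             "match": m.group(0)})
    return findings


def decode_base64_hits(findings, patterns):
    """Second pass: decode base64 blobs and re-run the other patterns on the
    plaintext.  Without this step the AWS key in SAMPLE_JAVA is never found,
    which is the practical meaning of the obfuscation caveat."""
    extra = []
    for f in findings:
        if f["type"] != "base64_blob":
            continue
        try:
            decoded = base64.b64decode(f["match"].strip("\"'"), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary payload: skip it
        for name, regex in patterns:
            if name == "base64_blob":
                continue
            for m in regex.finditer(decoded):
                extra.append({**f, "type": name + " (base64-decoded)", "match": m.group(0)})
    return extra


def export_report(findings, zip_path):
    """Write the findings as report.json inside a ZIP for sharing."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.json", json.dumps(findings, indent=2))
    return zip_path


def run_demo():
    """Materialise the sample source in a temp dir; return the finding types."""
    patterns = load_wordlist(WORDLIST)
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "com", "example", "app")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "Config.java"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JAVA)
        findings = scan_tree(root, patterns)
        findings += decode_base64_hits(findings, patterns)
        export_report(findings, os.path.join(root, "report.zip"))
    return sorted(f["type"] for f in findings)


if __name__ == "__main__":
    for finding_type in run_demo():
        print(finding_type)
```

Running the script prints one line per finding type. The point to take from it is the second pass: the first regex sweep reports the API key, the URL and an opaque base64 blob, and only decoding that blob exposes the AWS access key, so any scanner of this kind should be read as a lower bound on what an app actually embeds.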