vincentcox / stacoan
StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.
License: MIT License
I've just started the server and added a file for upload. Then waited 5 minutes without any result. Only after analyzing the file directly I saw there was an issue with the input:
$> ./stacoan -p sample.ipa
[INFO] Decompiling app...
[ERROR] .ipa files not implemented yet.
$> ./stacoan -p sample.app
[INFO] Decompiling app...
[ERROR] No mobile app detected, exiting! Hgnnnhh
The web server UI should reflect any errors and notify the user there was an issue with the provided file. Instead it indefinitely shows the 'Uploading…' message.
It is recommended to add an authentication module to the program to ensure that server resources are not abused.
thank you :)
When running the Mac release, the following output is shown:
[INFO] jadx return code: 0
[INFO] Decompiling done.
[INFO] Searching trough files
[INFO] Searching done.
[INFO] start generating report
[ERROR] ERROR: Unknown error: 'test-apk_apk'.
ToDo: Disable try catch wrapper on main function to find the root cause. Maybe make a --debug option to disable this try catch wrapper.
Consider adding these regular expressions which are not part of the list,
This list can also be extended to Twitter Keys, Tumblr keys.
Thanks, the old issue is fixed. Any thoughts on the 2 errors below?
367 INFO: checking Analysis
367 INFO: Building Analysis because out00-Analysis.toc is non existent
367 INFO: Initializing module dependency graph...
373 INFO: Initializing module graph hooks...
377 INFO: Analyzing base_library.zip ...
Traceback (most recent call last):
File "", line 41, in
File "", line 13, in walk_packages
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 127, in iter_modules
for name, ispkg in iter_importer_modules(i, prefix):
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 146, in _iter_file_finder_modules
import inspect
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\inspect.py", line 41, in
import linecache
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\linecache.py", line 11, in
import tokenize
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\tokenize.py", line 33, in
import re
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\re.py", line 142, in
class RegexFlag(enum.IntFlag):
AttributeError: module 'enum' has no attribute 'IntFlag'
12236 INFO: Loading module hook "hook-encodings.py"...
Traceback (most recent call last):
File "", line 41, in
File "", line 13, in walk_packages
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 127, in iter_modules
for name, ispkg in iter_importer_modules(i, prefix):
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\pkgutil.py", line 146, in _iter_file_finder_modules
import inspect
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\inspect.py", line 41, in
import linecache
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\linecache.py", line 11, in
import tokenize
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\tokenize.py", line 33, in
import re
File "c:\users\kandasam\appdata\local\programs\python\python36-32\lib\re.py", line 142, in
class RegexFlag(enum.IntFlag):
Hi, thank you for your efforts!
I just came across your project and wanted to look into it. However, it seems to have some Unicode issues.
When I try to analyze the test-apk.apk that comes with this repository, it fails:
python3 main.py test-apk.apk
Decompiling app...
/home/???/dev/StaCoAn/test-apk/jadx_source_code
"/home/???/dev/StaCoAn/jadx/bin/jadx" -d "/home/???/dev/StaCoAn/test-apk/jadx_source_code" test-apk.apk
/bin/sh: 1: /home/???/dev/StaCoAn/jadx/bin/jadx: Permission denied
Decompiling done.
Searching trough files
Searching done.
start generating report
[...]
progress: 97.52%
progress: 98.14%
progress: 98.76%
progress: 99.38%
Traceback (most recent call last):
File "main.py", line 124, in <module>
program()
File "main.py", line 107, in program
print(Report_html.Tree_builder.tree_js_file(Project.projects[project_path]), file=f)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 149599-149600: ordinal not in range(128)
Some other apk I fed to it also failed, but at a different stage:
[...]
progress: 8.59%
progress: 8.72%
Traceback (most recent call last):
File "main.py", line 124, in <module>
program()
File "main.py", line 72, in program
print(overview_html.gethtml(), file=f)
UnicodeEncodeError: 'ascii' codec can't encode character '\u0580' in position 5519: ordinal not in range(128)
I briefly peeked into the code, but was unsure whether it is an issue with yattag or this repo here, maybe you know?
Hi,
When I run the docker command I get this:
[ERROR] ERROR: Unknown error: [Errno 21] Is a directory: 'myapp.apk'.
Didn't understand why... did anyone get this too?
StaCoAn/src/helpers/project.py
Line 82 in 4abd2e3
Any idea what I am missing?
Using Windows 7
C:\Users\XXXXXX\StaCoAn-master\StaCoAn-master>pyinstaller main.py --onefile --add-data jadx:jadx -p jadx --icon icon.ico --name stacoan --clean
usage: pyinstaller [-h] [-v] [-D] [-F] [--specpath DIR] [-n NAME]
[--add-data <SRC;DEST or SRC:DEST>]
[--add-binary <SRC;DEST or SRC:DEST>] [-p DIR]
[--hidden-import MODULENAME]
[--additional-hooks-dir HOOKSPATH]
[--runtime-hook RUNTIME_HOOKS] [--exclude-module EXCLUDES]
[--key KEY] [-d] [-s] [--noupx] [-c] [-w]
[-i <FILE.ico or FILE.exe,ID or FILE.icns>]
[--version-file FILE] [-m ] [-r RESOURCE]
[--uac-admin] [--uac-uiaccess] [--win-private-assemblies]
[--win-no-prefer-redirects]
[--osx-bundle-identifier BUNDLE_IDENTIFIER]
[--runtime-tmpdir PATH] [--distpath DIR]
[--workpath WORKPATH] [-y] [--upx-dir UPX_DIR] [-a]
[--clean] [--log-level LEVEL]
scriptname [scriptname ...]
pyinstaller: error: argument --add-data: invalid add_data_or_binary value: 'jadx:jadx'
Summary:
See the attached images. The app didn't show any errors.
The generated report contains gibberish data. Tried to rebuild the report 3 times, ended with the same result.
Details:
.apk file: https://play.google.com/store/apps/details?id=com.mkdingo.goran.signlangugage
The file was downloaded via APKPure.
os: Linux mint
Additional info:
The app uses Cyrillic characters for resources (ex: R.id.в, R.id.ж).
Could this be the cause of the problem?
┌─[nils@parrot]─[~/Code/Python/StaCoAn/docker]
└──╼ $sudo docker run -e JAVA_OPTS="-Xms2048m -Xmx2048m" -p 8888:8888 -p 7777:7777 -i -t stacoan
usage: stacoan.py [-h] [-p PATH [PATH ...]] [--disable-browser]
[--disable-server]
[--log-all | --log-errors | --log-warnings]
stacoan.py: error: unrecognized arguments: --enable-server
We can try to incorporate test cases that can be used to identify issues with SSL/TLS in Android apps. Reference Doc: https://developer.android.com/training/articles/security-ssl
Loading custom certificates into the Android KeyStore.
This is usually done to accept self-signed certs or certs signed using unknown CA.
Regex Used: .keyStore.setCertificateEntry.
HostName Verifier.
Failing to check the hostname for a certificate.
Regex: *public boolean verify(.String.SSLSession.)
NOTE:
===> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with .return true;.
Overriding SSLCheck in WebViews
This is already a part of owasp_static_android.txt
Overriding SSL Check
Android apps can override SSL checks thus suppressing any SSL validation error.
Regex: checkServerTrusted.*{}
NOTE:
====> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with an empty string.
Caution: SSLSocket does not perform hostname verification. It is up to your app to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.
Regex: .*SSLSocket.createSocket(.
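One way to implement the function-level checks proposed above, where the method body is cut out by brace matching and compared as a whole instead of matching a single line. This is an added example, not StaCoAn's code or the issue author's; the rule names, regexes and the sample Java are assumptions made for illustration.

```python
import re

# Example rules written for this illustration, not StaCoAn's shipped wordlist.
# A body rule pairs a signature with the whitespace-free body that is a bypass.
BODY_RULES = {
    "hostname_verifier_always_true": (re.compile(
        r"public\s+boolean\s+verify\s*\([^)]*String[^)]*SSLSession[^)]*\)[^{;]*\{"),
        "returntrue;"),
    "empty_checkServerTrusted": (re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{"), ""),
}
# Line-level indicators that only warrant manual review.
LINE_RULES = {
    "custom_keystore_cert": re.compile(r"\.setCertificateEntry\s*\("),
    "sslsocket_without_hostname_check": re.compile(r"SSLSocket.*createSocket\s*\("),
}

def extract_body(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return None  # unbalanced braces, e.g. truncated decompiler output

def flatten(body):
    body = re.sub(r"//[^\n]*|/\*.*?\*/", "", body, flags=re.S)  # drop comments
    return re.sub(r"\s+", "", body)  # drop all whitespace

def scan(src):
    """Return sorted (line, rule) findings for one decompiled Java source."""
    findings = []
    for name, (sig, bad_body) in BODY_RULES.items():
        for m in sig.finditer(src):
            body = extract_body(src, m.end() - 1)
            if body is not None and flatten(body) == bad_body:
                findings.append((src.count("\n", 0, m.start()) + 1, name))
    for lineno, line in enumerate(src.splitlines(), 1):
        findings += [(lineno, n) for n, rx in LINE_RULES.items() if rx.search(line)]
    return sorted(findings)

# Constructed sample input (not taken from any real app).
SAMPLE = '''\
class A { public boolean verify(String h, SSLSession s) {
    return true; /* trust any host */ } }
class B { public boolean verify(String h, SSLSession s) {
    return defaultVerifier.verify("example.com", s); } }
class C { public void checkServerTrusted(X509Certificate[] c, String a) { } }
class D { void f() { keyStore.setCertificateEntry("ca", ca); } }
'''
```

Class B delegates to a real verifier and is not reported; braces inside string literals or comments would confuse the simple brace matcher, so treat results as leads for manual review.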
StaCoAn is a hard name to remember and pronounce. It could help to rebrand it to something else, for example 'Stacy'.
Hello @vincentcox ,
I am facing this error after supplying the apk
UnboundLocalError: local variable 'sorted_tosort' referenced before assignment
[WARNING] 127.0.0.1 - - [10/Oct/2018 19:35:59] code 404, message File not found
A new zero-day vulnerability has been released by Pangu Lab: https://zipperdown.org/. We can check for the following package to report this vulnerability,
https://developer.android.com/reference/java/util/zip/package-summary
Regex: .java.util.zip..
You can create a GitHub wiki to describe how to use the tool on the different platforms. This will shorten your repo's README file, which improves it imho (readability, length, ease of access, ...)
https://docs.python.org/3/library/argparse.html
argument to specify html folder, disable automatic browser opening, ...
The fancy TreeView does not display on FF and IE browsers. TV invisible not initializing properly. Also the upload process seems to sometimes fail, silently.
Console IE:
HTML1527: DOCTYPE expected. Consider adding a valid HTML5 doctype: "".
start.html (1,1)
HTML1504: Unexpected end tag. -- repeatedly
jQuery.Deferred exception: Unable to get property 'length' of undefined or null reference TypeError: Unable to get property 'length' of undefined or null reference
SCRIPT5022: Fancytree assertion failed: Need a valid store.
SCRIPT5007: Unable to get property 'length' of undefined or null reference
SCRIPT5007: Unable to get property 'getItem' of undefined or null reference
Console FF:
This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”.
Request to access cookie or storage on “start.html” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.
Uncaught DOMException: The operation is insecure. => jquery.fancytree-all-deps.min.js:1
Uncaught DOMException: The operation is insecure. => jquery.fancytree.persist.js:40
Uncaught Error: Could not apply extension 'persist' (it is not registered, did you forget to include it?) => /report/tree_js_content.js:2, jquery.min.js:2:1979
Uncaught DOMException: The operation is insecure. => report.js:8
Uncaught DOMException: The operation is insecure. => start.html:16
Source map error: Error: NetworkError when attempting to fetch resource.
Resource URL: /report/html/jquery.fancytree-all-deps.min.js
Source Map URL: jquery.fancytree-all-deps.min.js.map
sad :-(
Is it worth waiting for new versions?
Can this be run from a command line?
Hello,
Trying to use StaCoAn on Windows using bash, I'm having the following error:
No module named 'yattag',
Any clue? Thx
[INFO] Decompiling app...
[ERROR] .ipa files not implemented yet.
I used Windows
On Macs, your download (V.6) is not working. Below is the error. I believe you have hard coded some paths into the app. My mac is on Python 2.7.10
[INFO] serving report server at port: 8080
[INFO] serving dragdrop server at port: 8000
0:38: execution error: File some object wasn’t found. (-43)
^CTraceback (most recent call last):
File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 264, in <module>
File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 151, in program
File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 117, in server
File "/usr/local/Cellar/python/3.6.4_3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 1056, in join
File "/usr/local/Cellar/python/3.6.4_3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/threading.py", line 1072, in _wait_for_tstate_lock
KeyboardInterrupt
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/travis/build/vincentcox/StaCoAn/src/stacoan.py", line 264, in <module>
KeyboardInterrupt
[9549] Failed to execute script stacoan
L-75
I did a rewrite of your old Docker container (#47) to reduce the size from 1.44GB to 264MB.
At that time, I did not know Docker well enough and now I think that I can further optimize the container's image size by combining RUN commands.
Maybe some packages can be installed virtual that are only needed during build steps (info). Don't know this for sure since I don't know the Dockerfile that well. (First look suggests pip3 is one of those packages)
I'll try this tonight, it will be good to see if there is a noticeable difference.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.rits.cloning.Cloner (file:/Users/nils/Desktop/deploy/jadx/lib/cloning-1.9.10.jar) to field java.util.TreeSet.m
WARNING: Please consider reporting this to the maintainers of com.rits.cloning.Cloner
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[WARNING] 127.0.0.1 - - [05/Nov/2019 19:19:09] code 404, message File not found
Exception in thread "pool-1-thread-5" java.lang.OutOfMemoryError: Java heap space
at java.base/java.util.Arrays.copyOf(Arrays.java:3746)
at java.base/java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:172)
at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538)
at java.base/java.lang.StringBuilder.append(StringBuilder.java:174)
at ch.qos.logback.core.pattern.FormattingConverter.write(FormattingConverter.java:39)
at ch.qos.logback.core.pattern.PatternLayoutBase.writeLoopOnConverters(PatternLayoutBase.java:115)
at ch.qos.logback.classic.PatternLayout.doLayout(PatternLayout.java:141)
at ch.qos.logback.classic.PatternLayout.doLayout(PatternLayout.java:39)
at ch.qos.logback.core.encoder.LayoutWrappingEncoder.encode(LayoutWrappingEncoder.java:115)
at ch.qos.logback.core.OutputStreamAppender.subAppend(OutputStreamAppender.java:230)
at ch.qos.logback.core.OutputStreamAppender.append(OutputStreamAppender.java:102)
at ch.qos.logback.core.UnsynchronizedAppenderBase.doAppend(UnsynchronizedAppenderBase.java:84)
Process Process-1:
Traceback (most recent call last):
File "multiprocessing/process.py", line 297, in _bootstrap
File "multiprocessing/process.py", line 99, in run
File "stacoan.py", line 184, in program
File "project.py", line 143, in app_prepper
File "logger.py", line 108, in __init__
File "logger.py", line 99, in log
File "logger.py", line 82, in cPrint
OSError: [Errno 22] Invalid argument
To make it even more awesome, you could generate a nice Github Page: https://pages.github.com (Project site > Use a theme)
Hi, thanks for this app. Docker build seems to be broken:
Step 3/12 : RUN echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list && echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886 && apt-get update
---> Running in 2b8ae552b233
deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.OIwaWMnA25 --no-auto-check-trustdb --trust-model always --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver keyserver.ubuntu.com --recv-keys EEA14886
gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
?: keyserver.ubuntu.com: Connection refused
gpgkeys: HTTP fetch error 7: couldn't connect: Connection refused
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
The command '/bin/sh -c echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list && echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886 && apt-get update' returned a non-zero code: 2