Security analysis report: 鸠摩搜书官方正版 v1.7

Security score: 34/100

Risk rating

Grade scale

  1. A
  2. B
  3. C
  4. F

Severity distribution (%): chart not captured in this export

Privacy risk: 2 user/device trackers

Findings

High 7
Medium 15
Info 1
Secure 0
Hotspot 2

High: The application is vulnerable to the Janus vulnerability

The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications signed with the v1 scheme running on Android 5.0-7.0, as well as those additionally signed with the v2/v3 schemes, are likewise vulnerable.

High: WebView domain control is not strict

Files:
com/dianle/DianleOfferActivity.java, line(s) 240,238
net/youmi/android/bh.java, line(s) 46,44

High: The file is world-writable. Any application can write to the file

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
com/feedback/b/c.java, line(s) 103

High: If an application uses WebView.loadDataWithBaseURL to load a web page into a WebView, the application may be exposed to cross-site scripting

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/admogo/adapters/FractalAdapter.java, line(s) 180,8
com/admogo/adapters/SuizongAPIAdapter.java, line(s) 406,7
com/madhouse/android/ads/r.java, line(s) 168,18
net/youmi/android/ee.java, line(s) 278,12

High: The file is world-readable. Any application can read the file

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
com/panda/offerwall/AutoStartGameReceiver.java, line(s) 24

High: Weak encryption algorithm in use

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/admogo/CryptUtils.java, line(s) 20,49
com/admogo/encryption/CryptUtils.java, line(s) 20,49
com/vpon/adon/android/c/f.java, line(s) 29,66,86
net/youmi/android/k.java, line(s) 15,32

High: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification

Files:
com/madhouse/android/ads/d.java, line(s) 49,48

Medium: Application data is at risk of being leaked

The [android:allowBackup] flag is not set.
This flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. It lets a user who has enabled USB debugging copy application data off the device.

Medium: Service (com.admogo.UpdateService) is not protected.

[android:exported=true]
The Service is shared with other applications on the device and can therefore be accessed by any other application on the device.

Medium: Service (com.admogo.CountService) is not protected.

[android:exported=true]
The Service is shared with other applications on the device and can therefore be accessed by any other application on the device.

Medium: Activity (com.google.zxing.client.android.CaptureActivity) is not protected.

An intent-filter is present.
The Activity is shared with other applications on the device, making it accessible to any other application on the device. The presence of an intent-filter indicates that this Activity is explicitly exported.

Medium: Files may contain hardcoded sensitive information such as usernames, passwords, or keys

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/admogo/AdMogoLayout.java, line(s) 40
com/admogo/adapters/SuizongAPIAdapter.java, line(s) 45
com/feedback/c/b.java, line(s) 51
com/newhua/util/t.java, line(s) 36

Medium: MD5 is a weak hash with known collision attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/a/a/u.java, line(s) 82
com/admogo/AdsMOGOAction.java, line(s) 45
com/admogo/encryption/MD5.java, line(s) 14
com/admogo/util/AdMogoUtil.java, line(s) 219
com/dianle/ax.java, line(s) 83
com/tencent/lbsapi/core/QLBSJNI.java, line(s) 13
com/tencent/mobwin/utils/b.java, line(s) 101
net/youmi/android/k.java, line(s) 15,24,32
net/youmi/android/l.java, line(s) 41,158

Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/admogo/ac.java, line(s) 4,5,14
com/madhouse/android/ads/bn.java, line(s) 5,6,15

Medium: The application can read/write external storage. Any application can read data written to external storage

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/a/a/k.java, line(s) 57,66,154
com/adchina/android/ads/Utils.java, line(s) 192,192
com/admogo/UpdateService.java, line(s) 129,130
com/dianle/au.java, line(s) 42
com/dianle/av.java, line(s) 12,13
com/tencent/mobwin/core/h.java, line(s) 133,134
com/tencent/mobwin/core/x.java, line(s) 917
com/tencent/mobwin/core/y.java, line(s) 14,14,21
com/vpon/adon/android/webClientHandler/ShootActivity.java, line(s) 130
net/youmi/android/al.java, line(s) 54
net/youmi/android/ba.java, line(s) 9
net/youmi/android/cg.java, line(s) 23
net/youmi/android/dq.java, line(s) 43

Medium: The application uses an insecure random number generator

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
a/a/a/a/a/h.java, line(s) 6
com/admogo/AdMogoManager.java, line(s) 35
com/admogo/adapters/BaiduJsonAdapter.java, line(s) 17
com/dianle/ah.java, line(s) 4
com/dianle/ax.java, line(s) 9
com/dianle/v.java, line(s) 13
com/tencent/mobwin/core/n.java, line(s) 10
net/youmi/android/ab.java, line(s) 8
net/youmi/android/az.java, line(s) 3

Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may be present

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/adchina/android/ads/views/AdWebView.java, line(s) 154,148
com/admogo/AdMogoWebView.java, line(s) 109,108

Medium: IP address disclosure

Files:
com/a/a/v.java, line(s) 25
com/dianle/ax.java, line(s) 67
com/tencent/mobwin/core/b/b.java, line(s) 93
net/youmi/android/aq.java, line(s) 67
net/youmi/android/cb.java, line(s) 43

Medium: SHA-1 is a weak hash with known collision attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/admogo/encryption/SHA1.java, line(s) 8

Medium: The application creates temporary files. Sensitive information should never be written to a temporary file

Files:
com/vpon/adon/android/webClientHandler/ShootActivity.java, line(s) 134

Medium: The application contains privacy trackers

This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.

Medium: This application may contain hardcoded secrets

The following secrets were identified in the application. Verify that these are not secrets or private information.
友盟统计的=> "UMENG_APPKEY" : "50c1b288527015472d00021b"
友盟统计的=> "UMENG_CHANNEL" : "other"
DB9C288EF60A40d4897665843327626E
276ad56eb38d4c9cc884fa54ef7e9bda
ba61266b0d7c4b7580426fc8297c04ce
0b451641094b1f565b421857454f4f5d4c585a485a54461d5b451f410b1f50595a
CDDA55C678C34d07957074BF6956862F
5c4715125b171c53094b165443184a0d105c5f1a5f5246195a174a4f561b400441
172C94EDC717477aBF600D7898A64A8E
0c1612110a1749075a121f01114b1d5c110e5e4a5f01461c5a4a1a10054b46155643
A33E523A1CEF496dB37ABD886CBCB005
EB80F3291A8E469c962CA133BDC549D7
5d151649581a19005e121c024f4d1c5d100c081b0f53161d07104e13554a170d47
103cc347e7ce1dbfff3d9c2bc031c372
C97CE45F9A5A447c98BBB83D88790503
5cc71df611973c978124396dd7a00185
E2FDAA28C7344D2F9FAA4A0FEC1296AA
CBB27B6EF764459EAEEE877D9DA42B6D
46C02DF8DF4C4C18A578C63449C7F64D
36d9e5f710fa3357f16ac39eef87ab57
E91A62B2CF0744bd9CA37BA14615050F
DD5E8CD46CF94B22BAAD68AB06710752
5c4d1216091749555f174f50464c4f59105d591c08074318564a4d15024d590d
CD1D37A4A08F465A97D040CCD0FF7D1F
5b4341425c4d4d505f121e57464d4f5c46095d4b595c471a52171f440b4b5f570e56
FD7C4B12A60F415dBE8C580A137F5F1C
DCDAE4873D1F4c64BB121FDE4131DDFF
67590f398bf0447931eb20fa2b63bb34
1BD3ACC63FA94E5B99B5479664B9CE69
D080F8A1E1134cabA1910B7129A75B44
F1B19978F3D74302BA126760F96262CD
d1d79abd2ed727373b9277318d611227
C8F62501155F41fbBBAA47A53C7F1A9B
0b1045405e1917570a401c5540171f5d460f58165703421b514419150b4b0e43
FEDC335110C04414AF100EA25C26A70D
CC39825145FD4445ADD9860797CA5744
D780FBF4215247bcBB1AC0AD33C474FE
2d800967deb503e4113efc3726c1eda6
A821718FB7F248b590F3721F6576D289
f75a3a45f171138a5df50d16c5590fcb
504c45480a1b1c111758451e57121b400a10595e480d51431f131656504256
4028cba631d63df10131e1d3818b00cc
CBD2998A3D5A4744BF128B91E1410DEA
1861b676e8889ee3dfbb1e53d4305b11
CE94557724F842149D690D0E8CBB1CBD
501740450e4a1d161502454802471e4c5f105c5f175c504118005a
f785026ae812ebed145aef7f7cc53135
02ECC682A05F4E72AD0DA4C4C2FFC6D9
D50EF1926ADD471892E72BCE6D7E032C
1bbb2bda09c00000ab12276463721bd7

Info: The application logs information. Sensitive information must not be logged

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
com/a/a/a.java, line(s) 135,143,153,166,179,183,192,201,205,210,214,351,356,360,402,435,544,549,553,576,665,685,699,705,752,758,797,801,74,94,107,114,241,259,270,275,304,440,443,453,463,471,477,523,532,590,635,647,821,407,622
com/a/a/f.java, line(s) 147
com/a/a/i.java, line(s) 27
com/a/a/k.java, line(s) 84,117,123,131,136,147,162,235,257,191,155,159,205
com/a/a/l.java, line(s) 34
com/a/a/m.java, line(s) 48
com/a/a/p.java, line(s) 42,26,31,38
com/a/a/s.java, line(s) 56,64,88
com/a/a/t.java, line(s) 38
com/a/a/u.java, line(s) 68,73,140,147,180,190,268,319,48,96,204,281,290,361,369,432,396,401,411,418
com/a/a/v.java, line(s) 18
com/adchina/android/ads/AdEngine.java, line(s) 100,137
com/adchina/android/ads/LogUtil.java, line(s) 16
com/adchina/android/ads/Utils.java, line(s) 132,217
com/adchina/android/ads/controllers/BaseController.java, line(s) 388
com/adchina/android/ads/controllers/a.java, line(s) 143,214,769,912,937,957,980,1055,1086,1108
com/adchina/android/ads/controllers/b.java, line(s) 30
com/adchina/android/ads/controllers/e.java, line(s) 128,142,462,599,622,640,813,882,898,918,936
com/adchina/android/ads/controllers/l.java, line(s) 30
com/adchina/android/ads/controllers/p.java, line(s) 476,494,514,697,754,774,791,811
com/adchina/android/ads/controllers/s.java, line(s) 98
com/adchina/android/ads/t.java, line(s) 54
com/adchina/android/ads/views/AdBrowserView.java, line(s) 194
com/adchina/android/ads/views/AdVideoPlayerActivity.java, line(s) 263,265,267
com/adchina/android/ads/views/j.java, line(s) 24
com/admogo/AdMogoLayout.java, line(s) 213,226,244,272,356,376,391,476,571,595,181,187,192,201,255,262,300,481,309,589,249
com/admogo/AdMogoManager.java, line(s) 196,197,202,234,263,626,642,643,654,809,221,302,314,317,386,404,422,425,536,589,595,600,609,780,815,817,107,172,198,651,671,695,546,550,747,751,191,478,623,668,715
com/admogo/AdMogoTargeting.java, line(s) 170
com/admogo/AdWebViewProgressBar.java, line(s) 73,109,122
com/admogo/AdsMOGOAction.java, line(s) 99,82,87
com/admogo/AsyncImageBitmapLoader.java, line(s) 52
com/admogo/CountService.java, line(s) 20,49,22
com/admogo/GetUserInfo.java, line(s) 65,92,56,81
com/admogo/ShowInfoDialog.java, line(s) 526
com/admogo/a.java, line(s) 50
com/admogo/adapters/AdChinaAdapter.java, line(s) 44,124,130,143,155,172,178,192,216
com/admogo/adapters/AdMogoAdapter.java, line(s) 309,317,280,329
com/admogo/adapters/AdTouchAdapter.java, line(s) 28,38,67
com/admogo/adapters/AdwoAdapter.java, line(s) 38,72,82,92,102,114
com/admogo/adapters/AirAdAdapter.java, line(s) 26,55,88,101
com/admogo/adapters/AppMediaAdapter.java, line(s) 28,58,68
com/admogo/adapters/BaiduJsonAdapter.java, line(s) 43,93,105,110,76,79,118,50,55
com/admogo/adapters/CaseeSourceAdapter.java, line(s) 40,48,132,83,86,119,72,94
com/admogo/adapters/DomobAdapter.java, line(s) 36,75,83,87,92
com/admogo/adapters/FractalAdapter.java, line(s) 177,233,80,88,95,130,139,166
com/admogo/adapters/GoogleAdMobAdsAdapter.java, line(s) 60,94,102,118,85
com/admogo/adapters/GreystripeAdapter.java, line(s) 28,48,51,63,73
com/admogo/adapters/IZPAdAdapter.java, line(s) 31,51,52,53,66,30,42,46,54,55,56,99,104,109
com/admogo/adapters/InMobiSourceAdapter.java, line(s) 170,203,219,87,78,69,103,107,111
com/admogo/adapters/LSenseAdapter.java, line(s) 26,38,53
com/admogo/adapters/LmMobAdapter.java, line(s) 26,56,36
com/admogo/adapters/MdotMAdapter.java, line(s) 22,35,50
com/admogo/adapters/MillennialAdapter.java, line(s) 26,30,35,44,48,52,72,84
com/admogo/adapters/MobWINAdapter.java, line(s) 38,61,68,103
com/admogo/adapters/MobiSageAdapter.java, line(s) 71,58
com/admogo/adapters/PublicCustomAdapter.java, line(s) 145,161,207,233,248,268,75,229,235,250,275
com/admogo/adapters/SmaatoAdapter.java, line(s) 81,100,56,90
com/admogo/adapters/SmartMADAdapter.java, line(s) 38,74,85,89,102
com/admogo/adapters/SuizongAPIAdapter.java, line(s) 403,413,83,147,330,334,126
com/admogo/adapters/VponCNAdapter.java, line(s) 25,55,69
com/admogo/adapters/WeiQianAdapter.java, line(s) 31,37,47,59
com/admogo/adapters/WinAdAdapter.java, line(s) 30,62,72
com/admogo/adapters/WinsAPIAdapter.java, line(s) 169,181,66,81,46,102,129,137
com/admogo/adapters/WiyunAdapter.java, line(s) 28,66,76,93
com/admogo/adapters/WoobooAdapter.java, line(s) 29,55,68
com/admogo/adapters/YoumiAdapter.java, line(s) 36,64,77
com/admogo/adapters/ZestAdzAdapter.java, line(s) 20,30,47
com/admogo/adapters/ZhidianAdapter.java, line(s) 29,58,68
com/admogo/adapters/aa.java, line(s) 50
com/admogo/adapters/ag.java, line(s) 58
com/admogo/adapters/aj.java, line(s) 51
com/admogo/adapters/d.java, line(s) 34
com/admogo/adapters/h.java, line(s) 61
com/admogo/adapters/l.java, line(s) 33
com/admogo/adapters/m.java, line(s) 21
com/admogo/adapters/o.java, line(s) 21
com/admogo/adapters/u.java, line(s) 39
com/admogo/adapters/v.java, line(s) 33,47
com/admogo/adapters/w.java, line(s) 25,28
com/admogo/adapters/z.java, line(s) 38,51,73
com/admogo/e.java, line(s) 60,74
com/admogo/f.java, line(s) 109,112,104
com/admogo/g.java, line(s) 50,54,60,66,70,65,69
com/admogo/i.java, line(s) 43,34,60
com/admogo/j.java, line(s) 34,51,55
com/admogo/m.java, line(s) 43
com/admogo/n.java, line(s) 57
com/admogo/network/AdMogoNetWorkHelper.java, line(s) 16,29
com/admogo/util/AdMogoUtil.java, line(s) 285
com/admogo/v.java, line(s) 50
com/b/a/a/d.java, line(s) 65
com/b/b/a.java, line(s) 63
com/feedback/b/d.java, line(s) 29,36
com/feedback/c/b.java, line(s) 55,67
com/feedback/ui/FeedbackConversation.java, line(s) 48
com/feedback/ui/a.java, line(s) 47
com/madhouse/android/ads/AdView.java, line(s) 964,980
com/madhouse/android/ads/am.java, line(s) 48
com/madhouse/android/ads/cg.java, line(s) 109
com/madhouse/android/ads/cm.java, line(s) 16
com/madhouse/android/ads/f.java, line(s) 16,37,23,30
com/newhua/diaosixiaoshuo/p.java, line(s) 43
com/newhua/util/e.java, line(s) 23,25,33,35
com/newhua/util/h.java, line(s) 19,26
com/newhua/util/k.java, line(s) 35,51,59,81
com/newhua/util/l.java, line(s) 15,21
com/newhua/util/m.java, line(s) 18,31
com/newhua/util/p.java, line(s) 31
com/panda/offerwall/a/a.java, line(s) 19
com/panda/offerwall/k.java, line(s) 56
com/panda/offerwall/m.java, line(s) 62,80
com/panda/offerwall/n.java, line(s) 15,18,21,24,27,30,39
com/panda/offerwall/v.java, line(s) 67,157,161,215,223,63,82,83,123,130
com/panda/offerwall/y.java, line(s) 57
com/tencent/lbsapi/core/QLBSEngine.java, line(s) 556
com/tencent/mobwin/core/p.java, line(s) 21,12
com/vpon/adon/android/AdView.java, line(s) 152,150
com/vpon/adon/android/WebInApp.java, line(s) 70
com/vpon/adon/android/b.java, line(s) 25
com/vpon/adon/android/c/a.java, line(s) 33,36,37
com/vpon/adon/android/c/b.java, line(s) 22,23,43,44,56,57,69,70,82,83,116,117,129,130
com/vpon/adon/android/c/e.java, line(s) 30,42,43
com/vpon/adon/android/c/g.java, line(s) 67
com/vpon/adon/android/d.java, line(s) 210,219,222,225,228,231,234,237,240,243,246,249,252,635,636,52
com/vpon/adon/android/p.java, line(s) 34,45,50,61
com/vpon/adon/android/q.java, line(s) 90
com/vpon/adon/android/r.java, line(s) 25,35
com/vpon/adon/android/webClientHandler/QRActivity.java, line(s) 19,24
com/vpon/adon/android/webClientHandler/QRHandler.java, line(s) 27,28
com/vpon/adon/android/webClientHandler/ShootActivity.java, line(s) 45,139,126,108,93
com/vpon/adon/android/webClientHandler/b.java, line(s) 35,70,29
com/vpon/adon/android/webClientHandler/h.java, line(s) 41,26,39
net/youmi/android/am.java, line(s) 18,8,9,17

Hotspot: The application may communicate with a server (soma.smaato.net) located in an OFAC-sanctioned country (China).

{'ip': '221.123.139.1', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}

Hotspot: The application may communicate with a server (api.suizong.com) located in an OFAC-sanctioned country (China).

{'ip': '101.227.3.41', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
