Security Score: 47/100
Risk Rating
Grade
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 0 user/device trackers
Findings: High 5, Medium 11, Info 2, Secure 3, Hotspot 6
High: App is vulnerable to the Janus vulnerability
The application is signed with the v1 signature scheme. If only the v1 signature scheme is used, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications running on Android 5.0-7.0 that are signed with the v1 scheme together with the v2/v3 scheme are also vulnerable.
High: Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security hole. This application is vulnerable to MITM attacks.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis
Files: com/alipay/android/NetworkManager.java, line(s) 53,16,17,18 com/alipay/android/phone/mrpc/core/i.java, line(s) 98,17,3 com/switfpass/pay/thread/NetHelper.java, line(s) 82,23,24
High: The file is world readable. Any app can read the file.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/ta/utdid2/core/persistent/TransactionXMLFile.java, line(s) 18 com/unionpay/UPPayAssistEx.java, line(s) 101
High: The app uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/chinaMobile/d.java, line(s) 44 com/ta/utdid2/android/utils/AESUtils.java, line(s) 43,50
High: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: com/switfpass/pay/activity/G.java, line(s) 35,34
Medium: App can be installed on a vulnerable, unpatched Android version
Android 2.3-2.3.2, [minSdk=9]. This application can be installed on an older version of Android that has multiple unfixed vulnerabilities. These devices will not receive reasonable security updates from Google. Support Android version => 10, API 29 to receive reasonable security updates.
Medium: App data can be backed up
The [android:allowBackup] flag is not set. This flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: com/alipay/android/AlixDefine.java, line(s) 7 com/chinaMobile/MobileAgent.java, line(s) 68 com/moon/pay/IAPPay.java, line(s) 8 com/switfpass/pay/bean/RequestMsg.java, line(s) 196 com/switfpass/pay/utils/Constants.java, line(s) 10,15,4 com/ta/utdid2/device/DeviceInfo.java, line(s) 10 com/ta/utdid2/device/UTUtdid.java, line(s) 20,21,19,40 mm/purchasesdk/PurchaseCode.java, line(s) 161
Medium: The app uses an insecure random number generator.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/chinaMobile/MobileAgent.java, line(s) 31 com/moon/pay/AlixPay.java, line(s) 20 com/switfpass/pay/activity/PayPlugin.java, line(s) 33 com/switfpass/pay/utils/Util.java, line(s) 22 com/ta/utdid2/android/utils/PhoneInfoUtils.java, line(s) 5 com/ta/utdid2/device/UTUtdid.java, line(s) 13 com/ta/utdid2/device/UTUtdidHelper.java, line(s) 5 mm/purchasesdk/ui/d.java, line(s) 14
Medium: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: mm/purchasesdk/g/a.java, line(s) 4,5,13 mm/purchasesdk/g/b.java, line(s) 6,81 org/cocos2dx/lib/Cocos2dxLocalStorage.java, line(s) 5,6,47
Medium: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/alipay/android/Rsa.java, line(s) 17,33 com/switfpass/pay/utils/Rsa.java, line(s) 18,69 com/switfpass/pay/utils/Util.java, line(s) 301 com/ta/utdid2/android/utils/AESUtils.java, line(s) 35
Medium: The app can read/write to external storage. Any app can read data written to external storage.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/qpgame/gameframe/Device.java, line(s) 11 com/qpgame/gameframe/HeadPortraitSelector.java, line(s) 37,58,238 com/switfpass/pay/utils/Util.java, line(s) 163 com/ta/utdid2/android/utils/SystemUtils.java, line(s) 49 com/ta/utdid2/core/persistent/PersistentConfiguration.java, line(s) 51,193,349,389 com/unionpay/mobile/android/nocard/views/l.java, line(s) 205,212 com/unionpay/mobile/android/utils/h.java, line(s) 40 com/unionpay/mobile/android/utils/m.java, line(s) 9 mm/purchasesdk/l/e.java, line(s) 20 mm/purchasesdk/l/f.java, line(s) 23,82 org/cocos2dx/lib/Cocos2dxHelper.java, line(s) 150
Medium: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/chinaMobile/g.java, line(s) 25 com/ipaynow/plugin/b/a/a.java, line(s) 12 com/moon/pay/WeiXinPay.java, line(s) 110 com/switfpass/pay/utils/MD5.java, line(s) 13,32 com/switfpass/pay/utils/Rsa.java, line(s) 47 mm/purchasesdk/l/d.java, line(s) 363
Medium: Insecure WebView implementation. WebView arbitrary code execution may be possible.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/qpgame/gameframe/WebPageLoader.java, line(s) 55,50 com/switfpass/pay/activity/QQWapPayWebView.java, line(s) 40,64
Medium: IP address disclosure
Files: com/alipay/android/phone/mrpc/core/x.java, line(s) 314 com/chinaMobile/MobileAgent.java, line(s) 590 com/switfpass/pay/activity/PayPlugin.java, line(s) 98 mm/purchasesdk/l/g.java, line(s) 121,119
Medium: This app may contain hardcoded secrets
The following secrets were identified in the app. Verify that they are not secrets or private information.
Info: The app logs information. Sensitive information must not be logged.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: com/alipay/android/phone/mrpc/core/i.java, line(s) 64 com/ccit/mmwlan/MMClientSDK_ForIdentity.java, line(s) 92 com/ccit/mmwlan/MMClientSDK_ForLogin.java, line(s) 30,33,46,50,54,60,68,71,82,89,93,97,101,105,109,114,118,124,129,134,145,157,162,167,172,175,178,188,196,199,205,209,214,223,227,230,238,241,244,251,256,265,267,273,277,280,285,289,300,303,316,320,323,340,345,352,355,361,365,370,379,382,388,399 com/ccit/mmwlan/MMClientSDK_ForPad.java, line(s) 305,369,48,63,101,105,109,135,159,161,165,169,184,195,209,224,228,244,248,278,282,287,306,320,334,339,358,367,374,377,380,397,399,433,448,475,501 com/ccit/mmwlan/a/d.java, line(s) 16 com/ccit/mmwlan/a/e.java, line(s) 31,32,39,53 com/ccit/mmwlan/a/g.java, line(s) 52 com/ccit/mmwlan/a/h.java, line(s) 30 com/ccit/mmwlan/b/a.java, line(s) 54,81 com/ccit/mmwlan/b/b.java, line(s) 16 com/ccit/mmwlan/b/c.java, line(s) 12,15,24,27,36 com/ccit/mmwlan/phone/MMClientSDK_ForPhone.java, line(s) 43,58,73,112,160,168,187,199,201,221,224,227,242,246,255,266,280,295,299,309,325,329,338,375,390,394,397,400,403,417,419,445,457,477 com/chinaMobile/MobileAgent.java, line(s) 505,507,512,399,417,471,675,700,737,785 com/chinaMobile/b.java, line(s) 31 com/chinaMobile/g.java, line(s) 84,87,171,116,121,146,174 com/chinaMobile/k.java, line(s) 44 com/chinaMobile/l.java, line(s) 50 com/ipaynow/plugin/b/b/a.java, line(s) 165 com/ipaynow/plugin/b/b/b.java, line(s) 36,38 com/ipaynow/plugin/utils/b.java, line(s) 41 com/ipaynow/plugin/utils/c.java, line(s) 15,9,21 com/moon/gameshell/Update.java, line(s) 81,203,235 com/moon/gameshell/XMLHandler.java, line(s) 42 com/moon/pay/AlixPay.java, line(s) 33,51,58,100,109,111 com/moon/pay/IAPListener.java, line(s) 38,47,96,91,115,121 com/moon/pay/PayManagement.java, line(s) 46,94 com/moon/pay/WeiXinPay.java, line(s) 132,22 com/qpgame/gameframe/GameFrame.java, line(s) 357,406
com/qpgame/gameframe/InterceptSmsReciever.java, line(s) 32,47 com/qpgame/gameframe/SoftKeyboardUtil.java, line(s) 49,50,51,48 com/qpgame/gameframe/WebPageLoader.java, line(s) 59,81,92,101 com/switfpass/pay/activity/AsyncTaskC0022e.java, line(s) 27,28,35 com/switfpass/pay/activity/C0033p.java, line(s) 97 com/switfpass/pay/activity/PayPlugin.java, line(s) 53,72 com/switfpass/pay/activity/PayResultActivity.java, line(s) 65 com/switfpass/pay/activity/PaySDKCaptureActivity.java, line(s) 194 com/switfpass/pay/activity/Result.java, line(s) 58,60 com/switfpass/pay/activity/View$OnClickListenerC0020c.java, line(s) 49 com/switfpass/pay/activity/zxing/camera/CameraManager.java, line(s) 91 com/switfpass/pay/activity/zxing/camera/a.java, line(s) 19 com/switfpass/pay/activity/zxing/camera/b.java, line(s) 104,107,113,120,126,66,85,141,153 com/switfpass/pay/activity/zxing/camera/c.java, line(s) 39,41,54,63,66,69,80 com/switfpass/pay/activity/zxing/camera/d.java, line(s) 31 com/switfpass/pay/activity/zxing/decoding/PayCaptureActivityHandler.java, line(s) 44,47,58 com/switfpass/pay/activity/zxing/decoding/b.java, line(s) 63 com/switfpass/pay/service/GetAccessTokenResult.java, line(s) 15 com/switfpass/pay/service/GetPrepayIdResult.java, line(s) 14 com/switfpass/pay/service/b.java, line(s) 54,29 com/switfpass/pay/service/c.java, line(s) 71,31,48 com/switfpass/pay/service/d.java, line(s) 63,48 com/switfpass/pay/service/e.java, line(s) 76,35,54 com/switfpass/pay/service/f.java, line(s) 60,35,52 com/switfpass/pay/service/g.java, line(s) 58 com/switfpass/pay/service/h.java, line(s) 64,35,52 com/switfpass/pay/service/i.java, line(s) 75,34 com/switfpass/pay/service/j.java, line(s) 76,39,42 com/switfpass/pay/thread/NetHelper.java, line(s) 156,172,226,240,144,214 com/switfpass/pay/utils/HandlerC0048j.java, line(s) 15 com/switfpass/pay/utils/L.java, line(s) 22 com/switfpass/pay/utils/PayDialogInfo.java, line(s) 108 com/switfpass/pay/utils/Rsa.java, line(s) 21,22,24 
com/switfpass/pay/utils/Util.java, line(s) 71,74,251,101,123,183,188,193,203,212,217,253,256,259,270,98,104,117,245 com/ta/utdid2/android/utils/SystemUtils.java, line(s) 24,27 com/unionpay/mobile/android/pboctransaction/sdapdu/a.java, line(s) 21,26 com/unionpay/mobile/android/pboctransaction/simapdu/b.java, line(s) 143,148,181 com/unionpay/mobile/android/upviews/d.java, line(s) 142 com/unionpay/mobile/android/utils/h.java, line(s) 25,34,28,22,31 com/unionpay/mobile/android/widgets/z.java, line(s) 100,105,108,113,116 com/xqt/now/paysdk/XqtPay.java, line(s) 291 mm/purchasesdk/PurchaseCode.java, line(s) 185 mm/purchasesdk/a/c.java, line(s) 135,136 mm/purchasesdk/f/a.java, line(s) 82 mm/purchasesdk/h/h.java, line(s) 29 mm/purchasesdk/l/b.java, line(s) 18,42,26,50,30,54,22,46 mm/purchasesdk/l/d.java, line(s) 183,379 mm/purchasesdk/l/e.java, line(s) 66,90,74,98,78,102,70,94 org/cocos2dx/lib/Cocos2dxActivity.java, line(s) 215,223,239,314,316,321,160,157 org/cocos2dx/lib/Cocos2dxBitmap.java, line(s) 172 org/cocos2dx/lib/Cocos2dxEditBoxHelper.java, line(s) 131,144,187,206,356,371 org/cocos2dx/lib/Cocos2dxGLSurfaceView.java, line(s) 65,76,341 org/cocos2dx/lib/Cocos2dxHelper.java, line(s) 97,108,110,258,260,262 org/cocos2dx/lib/Cocos2dxHttpURLConnection.java, line(s) 43,60,92,106,107,125,208,225,235,245,325,79 org/cocos2dx/lib/Cocos2dxLocalStorage.java, line(s) 52,95 org/cocos2dx/lib/Cocos2dxMusic.java, line(s) 47,63,83,95,118,158,169,199 org/cocos2dx/lib/Cocos2dxReflectionHelper.java, line(s) 11,14,17,20,31,34,37,40 org/cocos2dx/lib/Cocos2dxSound.java, line(s) 201 org/cocos2dx/lib/Cocos2dxVideoView.java, line(s) 148,212,216,364,369 org/cocos2dx/lib/Cocos2dxWebView.java, line(s) 45,86,94 org/cocos2dx/lib/DataTaskHandler.java, line(s) 12 org/cocos2dx/lib/FileTaskHandler.java, line(s) 15 org/keplerproject/luajava/LuaObject.java, line(s) 94
Info: The app can write to the app directory. Sensitive information should be encrypted.
Files: com/ta/utdid2/core/persistent/TransactionXMLFile.java, line(s) 17
Secure: This app uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/switfpass/pay/thread/NetHelper.java, line(s) 51,82 com/switfpass/pay/utils/Util.java, line(s) 324,282 com/unionpay/mobile/android/net/b.java, line(s) 19,18,17,17 org/cocos2dx/lib/Cocos2dxHttpURLConnection.java, line(s) 89,84,85,86
Secure: This app may have root detection capabilities.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/unionpay/mobile/android/nocard/utils/UPPayEngine.java, line(s) 134
Secure: This app has no privacy trackers
This application does not include any user or device trackers. No trackers were found during static analysis.
Hotspot: The app may communicate with a server (api.ipaynow.cn) located in an OFAC sanctioned country (China).
{'ip': '103.244.232.20', 'country_short': 'CN', 'country_long': 'China', 'region': 'Beijing', 'city': 'Beijing', 'latitude': '39.907501', 'longitude': '116.397232'}
Hotspot: The app may communicate with a server (pay.swiftpass.cn) located in an OFAC sanctioned country (China).
{'ip': '111.230.118.187', 'country_short': 'CN', 'country_long': 'China', 'region': 'Beijing', 'city': 'Beijing', 'latitude': '39.907501', 'longitude': '116.397232'}
Hotspot: The app may communicate with a server (posp.ipaynow.cn) located in an OFAC sanctioned country (China).
{'ip': '211.154.166.174', 'country_short': 'CN', 'country_long': 'China', 'region': 'Beijing', 'city': 'Beijing', 'latitude': '39.907501', 'longitude': '116.397232'}
Hotspot: The app may communicate with a server (ospd.mmarket.com) located in an OFAC sanctioned country (China).
{'ip': '120.197.235.71', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}
Hotspot: The app may communicate with a server (paya.swiftpass.cn) located in an OFAC sanctioned country (China).
{'ip': '193.112.234.72', 'country_short': 'CN', 'country_long': 'China', 'region': 'Beijing', 'city': 'Beijing', 'latitude': '39.907501', 'longitude': '116.397232'}
Hotspot: The app may communicate with a server (da.mmarket.com) located in an OFAC sanctioned country (China).
{'ip': '120.232.188.83', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}