安全分析报告:
安全分数
安全分数 49/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
1
用户/设备跟踪器
调研结果
高危
3
中危
17
信息
2
安全
2
关注
2
高危 基本配置不安全地配置为允许到所有域的明文流量。
Scope: *
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: c/b/c/a/a/a/a/c.java, line(s) 30,79 c/k/a/a/c0/a.java, line(s) 31 c/k/a/b/m0/k0/c.java, line(s) 43
高危 该文件是World Writable。任何应用程序都可以写入文件
该文件是World Writable。任何应用程序都可以写入文件 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: c/b/b/j/a.java, line(s) 93
中危 应用程序已启用明文网络流量
[android:usesCleartextTraffic=true] 应用程序打算使用明文网络流量,例如明文HTTP,FTP协议,DownloadManager和MediaPlayer。针对API级别27或更低的应用程序,默认值为“true”。针对API级别28或更高的应用程序,默认值为“false”。避免使用明文流量的主要原因是缺乏机密性,真实性和防篡改保护;网络攻击者可以窃听传输的数据,并且可以在不被检测到的情况下修改它。
中危 Activity (com.iksvl.live.common.activity.WebViewActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.iksvl.live.base.activity.WebViewActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (com.iksvl.common.receiver.UpdateAppReceiver) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.alipay.sdk.app.PayResultActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.alipay.sdk.app.AlipayResultActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: c/g/a/t/a.java, line(s) 6,7,54 com/lzy/okgo/db/DBHelper.java, line(s) 4,5,32,33,34,35,46,49,52,55 com/lzy/okgo/db/DBUtils.java, line(s) 4,16,45,73
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: a/g/b/b.java, line(s) 29 a/g/g/c.java, line(s) 15,15 c/b/c/a/a/b/b.java, line(s) 98,321,322 c/b/c/a/a/c/c.java, line(s) 12,24,28 c/b0/a/g/e.java, line(s) 71 c/g/a/q.java, line(s) 11,32 c/m/c/f/c.java, line(s) 32,65 c/m/c/f/m.java, line(s) 53,54,111,112 c/m/e/c/f/c.java, line(s) 15 c/m/f/d/f.java, line(s) 10 c/r/a/a/o/d.java, line(s) 29,29,127,127,141,149 c/s/c/g/c.java, line(s) 156 com/ibase/glide/CGlideApp.java, line(s) 82,86 com/iksvl/live/base/bean/AppConfig.java, line(s) 42 com/iksvl/post/record/camera/utils/MagicParams.java, line(s) 10 com/lzy/okgo/convert/FileConvert.java, line(s) 40,48
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/iksvl/post/record/camera/camera/CameraEngine.java, line(s) 20 com/lzy/okgo/cache/CacheEntity.java, line(s) 13,85 com/lzy/okgo/exception/CacheException.java, line(s) 15,11 org/java_websocket/drafts/Draft_6455.java, line(s) 57
中危 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/iksvl/game/activity/GameWebViewActivity.java, line(s) 156,147 com/iksvl/live/base/activity/WebViewActivity.java, line(s) 198,189 com/iksvl/live/common/activity/WebViewActivity.java, line(s) 227,218
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: c/b/c/a/a/a/a/b.java, line(s) 12 c/b/c/a/a/a/a/c.java, line(s) 29,78 c/b/c/a/a/a/b.java, line(s) 85 c/z/d/a/b/g/e.java, line(s) 79 org/java_websocket/drafts/Draft_6455.java, line(s) 186
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: c/b/b/c/b.java, line(s) 19 c/b/b/j/a.java, line(s) 8 c/b/b/k/l.java, line(s) 36 c/k/a/b/p0/b0/j.java, line(s) 20 c/m/e/c/g/c0.java, line(s) 8 c/z/a/a/d/a.java, line(s) 5 com/iksvl/video/view/MusicalNoteLayout.java, line(s) 31 com/iksvl/video/view/ShortVideoPlayer.java, line(s) 29 org/java_websocket/drafts/Draft_6455.java, line(s) 20
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: a/p/b.java, line(s) 267 com/opensource/svgaplayer/SVGAVideoEntity.java, line(s) 85
中危 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: c/b/b/k/l.java, line(s) 300 c/g/a/n.java, line(s) 57 c/l/a/h/b.java, line(s) 9 c/m/c/f/m.java, line(s) 160 c/m/e/c/f/b.java, line(s) 50 c/m/e/c/g/c0.java, line(s) 44 c/m/e/c/g/o.java, line(s) 12 c/z/d/a/b/b/c.java, line(s) 85 com/opensource/svgaplayer/SVGAParser.java, line(s) 187
中危 IP地址泄露
IP地址泄露 Files: c/g/a/g.java, line(s) 133,135,140,281 c/w/a/e/c.java, line(s) 86
中危 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "vip_session" : "VIP" "library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1" e6b1bdcb890370f2f2419fe06d0fdf7628ad0083d52da1ecfe991164711bbf9297e75353de96f1740695d07610567b1240549af9cbd87d06919ac31c859ad37ab6907c311b4756e1e208775989a4f691bff4bbbc58174d2a96b1d0d970a05114d7ee57dfc33b1bafaf6e0d820e838427018b6435f903df04ba7fd34d73f843df9434b164e0220baabb10c8978c3f4c6b7da79d8220a968356d15090dea07df9606f665cbec14d218dd3d691cce2866a58840971b6a57b76af88b1a65fdffd2c080281a6ab20be5879e0330eb7ff70871ce684e7174ada5dc3159c461375a0796b17ce7beca83cf34f65976d237aee993db48d34a4e344f4d8b7e99119168bdd7 0000016742C00BDA259000000168CE0F13200000016588840DCE7118A0002FBF1C31C3275D78 edef8ba9-79d6-4ace-a3c8-27dcd51d21ed b6cbad6cbd5ed0d209afc69ad3b7a617efaae9b3c47eabe0be42d924936fa78c8001b1fd74b079e5ff9690061dacfa4768e981a526b9ca77156ca36251cf2f906d105481374998a7e6e6e18f75ca98b8ed2eaf86ff402c874cca0a263053f22237858206867d210020daa38c48b20cc9dfd82b44a51aeb5db459b22794e2d649 f3157df16883e4a70da509881390dbcf JSU1JRIQExVBQRZDEhAXE0McEBYFJRQjCiMpLjAs
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a/a/a/h.java, line(s) 44,53,68,78,94,106,117,126,140,153,164 a/a/a/k.java, line(s) 77,54 a/a/b/a/a.java, line(s) 78 a/a/e/g.java, line(s) 190,264,303 a/a/e/j/k.java, line(s) 193 a/a/e/j/l.java, line(s) 114 a/a/f/c.java, line(s) 250,256 a/a/f/d0.java, line(s) 194,199 a/a/f/f.java, line(s) 441,51,63,97,271 a/a/f/f0.java, line(s) 87 a/a/f/g0.java, line(s) 89 a/a/f/i0.java, line(s) 23,41,43,45,56 a/a/f/m.java, line(s) 316,405,419 a/a/f/p.java, line(s) 129 a/a/f/w.java, line(s) 227,412,470,130,144,189,209,266,418,421,451,454 a/e/b/a.java, line(s) 827,839,842 a/g/a/c.java, line(s) 38,47,60,69 a/g/a/d.java, line(s) 55 a/g/a/f.java, line(s) 69 a/g/b/d/b.java, line(s) 60 a/g/c/b.java, line(s) 418,423 a/g/c/e.java, line(s) 39,52 a/g/c/f.java, line(s) 52,71 a/g/c/i.java, line(s) 119 a/g/c/j/a.java, line(s) 66,75,196,206 a/g/c/j/h.java, line(s) 56,79 a/g/g/c.java, line(s) 17 a/g/i/b.java, line(s) 33,43,45,61,64,76,78 a/g/j/b.java, line(s) 18 a/g/k/b.java, line(s) 69 a/g/k/f.java, line(s) 20,29 a/g/k/h.java, line(s) 14 a/g/k/v.java, line(s) 22,33 a/g/k/x.java, line(s) 31,52,68,89,110,125,140 a/g/l/c.java, line(s) 42,51 a/g/l/h.java, line(s) 43,52 a/g/l/i.java, line(s) 144,45 a/i/a/c.java, line(s) 257 a/j/a/a.java, line(s) 179,1033,1097,437,444,844,853,1000,1014,1018 a/k/a/a.java, line(s) 486,495,510,530 a/k/a/g.java, line(s) 1355,1356,1364,1372,2027,2030,457,464,478,490,527,627,648,657,726,825,872,1157,1165,1393,1586,1596,2091,2120,2129,2180,2190,2196,2464,2510,2543,2570,2526 a/m/j.java, line(s) 221 a/n/a/b.java, line(s) 119,156,165,227,235,275,297,340,346,304 a/n/b/d.java, line(s) 73 a/o/g.java, line(s) 40,60 a/p/a.java, line(s) 88,119,395,397,71,73,82,85,332,353,360,362,371,65,114,125,135,155,236,289,356,364,368 a/p/b.java, line(s) 55,64,66,93,99,101,114,137,159,186,256,258,268,282,109,147,163,178,252,260,303 a/q/a/d.java, line(s) 26 a/s/g0.java, line(s) 36,45,47 a/s/h0.java, line(s) 21,23,36 a/s/j.java, line(s) 46,60,96 a/s/l0.java, line(s) 126 a/s/m.java, line(s) 80 a/s/m0.java, line(s) 63,76 a/s/n0.java, line(s) 67,80,93 a/s/o0.java, line(s) 36 a/t/a/a/i.java, line(s) 1019,1022 b/a/a/a/a.java, line(s) 43,32 c/a/a/c.java, line(s) 35,64 c/a/a/d.java, line(s) 94 c/a/a/e.java, line(s) 98 c/a/a/f.java, line(s) 378,440,581 c/a/a/l.java, line(s) 169 c/a/a/q/a.java, line(s) 28 c/a/a/q/b.java, line(s) 40,78,90 c/a/a/t/c.java, line(s) 109 c/a0/o/g.java, line(s) 53,80,91 c/b0/a/f/a.java, line(s) 114 c/b0/a/f/b.java, line(s) 107,147,186,75,113,125 c/b0/a/g/a.java, line(s) 108,48,79 c/b0/a/g/c.java, line(s) 70 c/b0/a/g/f.java, line(s) 123,128,140,145,159,169,181,213,229,233,238,247,250,255,277,122,127,139,144,158,168,180,212,228,232,237,246,249,254 c/c0/a/e/b.java, line(s) 13 c/e/a/g/g/a.java, line(s) 46,50 c/g/a/f.java, line(s) 14,35,49,21,28 c/k/a/a/b0/o/e.java, line(s) 744 c/k/a/a/b0/o/g.java, line(s) 37,54 c/k/a/a/b0/p/i.java, line(s) 219 c/k/a/a/b0/q/c.java, line(s) 58 c/k/a/a/b0/q/h.java, line(s) 347 c/k/a/a/b0/q/o.java, line(s) 164,212,215 c/k/a/a/b0/r/c.java, line(s) 40,63,70,81 c/k/a/a/c0/c.java, line(s) 455,459,462 c/k/a/a/f0/c.java, line(s) 122 c/k/a/a/f0/k/a.java, line(s) 72,75 c/k/a/a/f0/l/c.java, line(s) 90,101,273,282,295,495 c/k/a/a/f0/n/c.java, line(s) 100 c/k/a/a/f0/n/d.java, line(s) 151,154,226,273,322,368 c/k/a/a/g0/i.java, line(s) 69 c/k/a/a/h.java, line(s) 40 c/k/a/a/h0/x.java, line(s) 476,490 c/k/a/a/i.java, line(s) 211,216,295,297,324,326,368 c/k/a/a/z/e/e.java, line(s) 65 c/k/a/b/q0/n.java, line(s) 14,44,50,29,23,35 c/k/a/c/a/h.java, line(s) 82 c/k/a/c/m/e.java, line(s) 24,34 c/k/a/c/o/b.java, line(s) 112,135 c/l/a/a.java, line(s) 50 c/m/c/f/b.java, line(s) 21 c/m/c/f/d.java, line(s) 321 c/m/e/c/g/c0.java, line(s) 15 c/m/f/d/f.java, line(s) 33 c/n/a/a.java, line(s) 254 c/o/a/d.java, line(s) 185,62,38,79 c/o/a/f.java, line(s) 17,22,28,12 c/r/a/a/o/d.java, line(s) 110 c/z/a/a/d/b.java, line(s) 52,84,58,32 c/z/d/a/a/d.java, line(s) 11,21,27 c/z/d/a/b/b/a.java, line(s) 37,55 c/z/d/a/b/b/b.java, line(s) 19,28,22 c/z/d/a/b/e/c.java, line(s) 20 com/brioal/swipemenu/view/SwipeMenu.java, line(s) 194 com/comod/baselib/view/tag/TagFlowLayout.java, line(s) 133 com/flurry/android/FlurryAgent.java, line(s) 118 com/heyhou/social/video/HeyhouPlayerRender.java, line(s) 196,211 com/heyhou/social/video/HeyhouPlayerService.java, line(s) 94,97,100,103,106,109,112,115,118,121 com/heyhou/social/video/OpenGlUtils.java, line(s) 106,111,120,32,137 com/heyhou/social/video/VideoEncoder.java, line(s) 63,66,69,93,101,115,90 com/ibase/glide/widget/NineImageView.java, line(s) 271 com/iksvl/post/record/camera/encoder/gles/EglCore.java, line(s) 113,205,210,64,59,92 com/iksvl/post/record/camera/encoder/gles/EglSurfaceBase.java, line(s) 86,107 com/iksvl/post/record/camera/filter/base/gpuimage/GPUImageTwoInputFilter.java, line(s) 99,167 com/iksvl/post/record/camera/utils/PointParseUtil.java, line(s) 49,55,66 com/iksvl/post/widget/flowlayout/TagAdapter.java, line(s) 53,74 com/iksvl/post/widget/flowlayout/TagFlowLayout.java, line(s) 192 com/iksvl/view/BubbleImageView.java, line(s) 60,61,62,63 com/iksvl/view/VerticalViewPager.java, line(s) 800,1653,1659,1681 com/itheima/roundedimageview/RoundedImageView.java, line(s) 131,149 com/just/agentweb/AgentWebView.java, line(s) 65,94,104,196,47,185,188 com/lxj/xpermission/XPermission.java, line(s) 108 com/lzy/okgo/utils/OkLogger.java, line(s) 42,53,59,65,71 com/lzy/widget/tab/TabTitleIndicator.java, line(s) 107,212,266,268,278,286,301,314,406,481,558 com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 134 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 130,148 com/opensource/svgaplayer/SVGAImageView.java, line(s) 164 com/opensource/svgaplayer/SVGAParser.java, line(s) 109,110,214,317,334,431 com/tbruyelle/rxpermissions2/RxPermissionsFragment.java, line(s) 52,21 com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 317 com/yalantis/ucrop/UCropActivity.java, line(s) 297 com/yalantis/ucrop/view/TransformImageView.java, line(s) 213,175,126 d/a/a/a/a.java, line(s) 311,312,313,314,328 d/a/a/a/c.java, line(s) 33 g/a/a/f.java, line(s) 25,30 g/d/f/g.java, line(s) 76,77,82 h/a/a/b.java, line(s) 106,108,30 h/a/a/g/a.java, line(s) 23 h/a/a/g/c.java, line(s) 14
信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: c/m/e/c/c/n.java, line(s) 4,45 com/iksvl/common/activity/ErrorActivity.java, line(s) 4,49 com/iksvl/common/activity/MyShareActivity.java, line(s) 4,70 com/iksvl/live/base/activity/WebViewActivity.java, line(s) 4,126 com/iksvl/live/common/activity/WebViewActivity.java, line(s) 4,149 com/iksvl/video/dialog/VideoShareDialog.java, line(s) 4,43
安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/lzy/okgo/https/HttpsUtils.java, line(s) 122,71,88,121,109,120,120
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: c/b/b/i/b.java, line(s) 22,22,22,22,22,22
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (h5.m.taobao.com) 通信。
{'ip': '61.147.214.89', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (mobilegw.alipaydev.com) 通信。
{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}