安全分析报告:
安全分数
安全分数 48/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
3
用户/设备跟踪器
调研结果
高危
4
中危
26
信息
3
安全
2
关注
22
高危 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/pichillilorenzo/flutter_inappwebview/InAppWebViewMethodHandler.java, line(s) 1065,5 com/pichillilorenzo/flutter_inappwebview/in_app_browser/InAppBrowserActivity.java, line(s) 377,16,17 com/pichillilorenzo/flutter_inappwebview/in_app_webview/FlutterWebView.java, line(s) 157,10,11
高危 该文件是World Writable。任何应用程序都可以写入文件
该文件是World Writable。任何应用程序都可以写入文件 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: i3/a.java, line(s) 76 t7/b.java, line(s) 89
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: cd/a.java, line(s) 76 g1/a.java, line(s) 54 m3/c.java, line(s) 30,79 v2/a.java, line(s) 53,79
高危 应用程序在加密算法中使用ECB模式。ECB模式是已知的弱模式,因为它对相同的明文块[UNK]产生相同的密文
应用程序在加密算法中使用ECB模式。ECB模式是已知的弱模式,因为它对相同的明文块[UNK]产生相同的密文 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode Files: k4/a.java, line(s) 15
中危 应用程序已启用明文网络流量
[android:usesCleartextTraffic=true] 应用程序打算使用明文网络流量,例如明文HTTP,FTP协议,DownloadManager和MediaPlayer。针对API级别27或更低的应用程序,默认值为“true”。针对API级别28或更高的应用程序,默认值为“false”。避免使用明文流量的主要原因是缺乏机密性,真实性和防篡改保护;网络攻击者可以窃听传输的数据,并且可以在不被检测到的情况下修改它。
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Broadcast Receiver (com.huoban.ai.huobanai.FourFourAppWidget) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (com.huoban.ai.huobanai.TwoTwoAppWidget) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (com.huoban.ai.huobanai.InstallWidgetProvider) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity设置了TaskAffinity属性
(com.jarvan.fluwx.wxapi.FluwxWXEntryActivity) 如果设置了 taskAffinity,其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息,请始终使用默认设置,将 affinity 保持为包名
中危 Activity设置了TaskAffinity属性
(fun.doudou.pal.wxapi.WXEntryActivity) 如果设置了 taskAffinity,其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息,请始终使用默认设置,将 affinity 保持为包名
中危 Activity-Alias (fun.doudou.pal.wxapi.WXEntryActivity) 未被保护。
[android:exported=true] 发现 Activity-Alias与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity-Alias (fun.doudou.pal.wxapi.WXPayEntryActivity) 未被保护。
[android:exported=true] 发现 Activity-Alias与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.tencent.tauth.AuthActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Service (androidx.work.impl.background.systemjob.SystemJobService) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] 发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 Activity (com.alipay.sdk.app.PayResultActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.alipay.sdk.app.AlipayResultActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: c1/d.java, line(s) 50 c8/b.java, line(s) 31 com/pandora/common/applog/AppLogWrapper.java, line(s) 22,21,18,19 com/pichillilorenzo/flutter_inappwebview/credential_database/URLCredentialContract.java, line(s) 8,10 com/pichillilorenzo/flutter_inappwebview/types/URLCredential.java, line(s) 99 com/ss/bduploader/AWSV4AuthParams.java, line(s) 5,4 i6/q3.java, line(s) 539 i6/x4.java, line(s) 103 jg/a.java, line(s) 30 o6/b.java, line(s) 503 r1/f.java, line(s) 298 t4/g.java, line(s) 70 w4/d.java, line(s) 40 w4/p.java, line(s) 99 w4/x.java, line(s) 87 wg/b.java, line(s) 111 wg/e.java, line(s) 70 wg/g.java, line(s) 77 xg/a.java, line(s) 194
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: cj/c.java, line(s) 20 com/apm/insight/g.java, line(s) 12 g7/o0.java, line(s) 19 i3/a.java, line(s) 8 j3/m.java, line(s) 42 l1/e.java, line(s) 6 n9/c.java, line(s) 41 net/jpountz/xxhash/e.java, line(s) 3 o6/b.java, line(s) 27 q6/a.java, line(s) 13 q6/g.java, line(s) 4 v2/d.java, line(s) 5 vh/a.java, line(s) 3 vh/b.java, line(s) 3 w2/b.java, line(s) 13 wh/a.java, line(s) 3 xc/o0.java, line(s) 4 z2/d.java, line(s) 7
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: ag/i.java, line(s) 9,10,11,12,13,221 com/example/r_upgrade/common/a.java, line(s) 8,9,94 com/pichillilorenzo/flutter_inappwebview/credential_database/CredentialDatabaseHelper.java, line(s) 4,5,18 com/tencent/wcdb/database/SQLiteDatabase.java, line(s) 4,506 d7/b.java, line(s) 5,47 i0/o.java, line(s) 7,515 i6/a1.java, line(s) 6,7,42 i6/d1.java, line(s) 4,107 i6/n0.java, line(s) 3,4,24 n0/c.java, line(s) 6,7,8,9,10,185 q1/d.java, line(s) 6,7,190 qb/m0.java, line(s) 5,6,69 qb/t0.java, line(s) 4,5,134 x3/a.java, line(s) 4,38 x3/b.java, line(s) 5,38 x5/j.java, line(s) 4,5,17
中危 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/ss/bduploader/util/X509Util.java, line(s) 205 f4/w.java, line(s) 127 g9/b.java, line(s) 26,41 i6/c5.java, line(s) 14 p7/p.java, line(s) 23 r1/g.java, line(s) 13 w7/a.java, line(s) 14
中危 IP地址泄露
IP地址泄露 Files: com/pandora/common/applog/AppLogWrapper.java, line(s) 86,90,92 com/ss/bduploader/util/X509Util.java, line(s) 39,38,41 tf/a.java, line(s) 58
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: a2/c.java, line(s) 133 bh/g.java, line(s) 146 fb/n.java, line(s) 61 io/sentry/util/s.java, line(s) 18 m3/b.java, line(s) 11 m3/c.java, line(s) 29,78 n3/a.java, line(s) 91 s1/s.java, line(s) 96,114 v6/k.java, line(s) 141,159 z2/d.java, line(s) 52
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/example/r_upgrade/common/UpgradeService.java, line(s) 207,209 d2/c.java, line(s) 10,24,26 eb/a.java, line(s) 66,67 f4/x.java, line(s) 33,79,90 g4/b.java, line(s) 788 h4/n.java, line(s) 147 io/sentry/android/core/u0.java, line(s) 287,256 r1/f.java, line(s) 66,74 u9/a.java, line(s) 79 y3/d.java, line(s) 21 z9/b.java, line(s) 23
中危 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: io/sentry/android/core/internal/util/n.java, line(s) 32,32,32,32,32
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: ff/c.java, line(s) 219 i0/y.java, line(s) 65 ki/b.java, line(s) 57
中危 应用程序包含隐私跟踪程序
此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "google_crash_reporting_api_key" : "AIzaSyAKrOzk4Up-r-47VhWIqDULkPHmFH5Wtso" "google_api_key" : "AIzaSyAKrOzk4Up-r-47VhWIqDULkPHmFH5Wtso" L0FuZHJvaWQvZGF0YS9jb20uc25zc2RrLmFwaS9jYWNoZQ== 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 9b115f5ab9a044e985557db5f42191de e6b1bdcb890370f2f2419fe06d0fdf7628ad0083d52da1ecfe991164711bbf9297e75353de96f1740695d07610567b1240549af9cbd87d06919ac31c859ad37ab6907c311b4756e1e208775989a4f691bff4bbbc58174d2a96b1d0d970a05114d7ee57dfc33b1bafaf6e0d820e838427018b6435f903df04ba7fd34d73f843df9434b164e0220baabb10c8978c3f4c6b7da79d8220a968356d15090dea07df9606f665cbec14d218dd3d691cce2866a58840971b6a57b76af88b1a65fdffd2c080281a6ab20be5879e0330eb7ff70871ce684e7174ada5dc3159c461375a0796b17ce7beca83cf34f65976d237aee993db48d34a4e344f4d8b7e99119168bdd7 f81630b5764841ffbc0320ee2361b090 9a04f079-9840-4286-ab92-e65be0885f95 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a b6cbad6cbd5ed0d209afc69ad3b7a617efaae9b3c47eabe0be42d924936fa78c8001b1fd74b079e5ff9690061dacfa4768e981a526b9ca77156ca36251cf2f906d105481374998a7e6e6e18f75ca98b8ed2eaf86ff402c874cca0a263053f22237858206867d210020daa38c48b20cc9dfd82b44a51aeb5db459b22794e2d649 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 edef8ba9-79d6-4ace-a3c8-27dcd51d21ed 44817d17adcfd1bc735c022b368acfe0465c4bdbc5c77ca8efd6b578dad1177a65f83813d3f3da839778719efbb83d982737c55597b1a074f105d828a8163b42 QrMgt8GGYI6T52ZY5AnhtxkLzb8egpFn3j5JELI8H6wtACbUnZ5cc3aYTsTRbmkAkRJeYbtx92LPBWm7nBO9UIl7y5i5MQNmUZNf5QENurR5tGyo7yJ2G0MBjWvy6iAtlAbacKP0SwOUeUWx5dsBdyhxa7Id1APtybSdDgicBDuNjI0mlZFUzZSS9dmN8lBD0WTVOMz0pRZbR3cysomRXOO1ghqjJdTcyDIxzpNAEszN8RMGjrzyU7Hjbmwi6YNK
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a5/c.java, line(s) 16,15 a5/d.java, line(s) 45,44 a5/f.java, line(s) 154,153 a5/s.java, line(s) 26,27 a5/t.java, line(s) 36,35 a7/b.java, line(s) 88,50,106,140,176,199 a8/b.java, line(s) 276,291,294,120,327,454,543 a8/c.java, line(s) 60,93,132,153 a9/b0.java, line(s) 170,174,176,374,434,438,440 a9/d.java, line(s) 82 a9/w.java, line(s) 11 ae/a.java, line(s) 18 ae/a1.java, line(s) 53,66 ae/b0.java, line(s) 30 ae/c.java, line(s) 213,248,418,422,426,432 ae/e1.java, line(s) 52 ae/n0.java, line(s) 33 ae/q0.java, line(s) 119 ae/r0.java, line(s) 33 ae/s0.java, line(s) 20 ae/u0.java, line(s) 45,63 ae/y.java, line(s) 121,124,127,130,133,136,147,150,153,156,195,205 ag/b0.java, line(s) 87,105,177,195,254,260,276,296,301,368,377,440,91,372 ag/d0.java, line(s) 39 ag/i.java, line(s) 163,227,235,280,364,445,485,560,704,250,468 ai/onnxruntime/OrtEnvironment.java, line(s) 31 b/b.java, line(s) 57,69,114,124,233 b4/a.java, line(s) 56 b6/b.java, line(s) 65 b8/e.java, line(s) 30 c/a.java, line(s) 162,305,499,501,511,338,339,549 c3/a.java, line(s) 33 c3/b.java, line(s) 191,59,172,183 c3/c.java, line(s) 27 c5/h.java, line(s) 81,82 c7/b.java, line(s) 23,29,75 c7/c.java, line(s) 16,26,32,40,46,52,57 c7/d.java, line(s) 150,166,184,196,254,44,62,71,91,103,135,223,229,237,260,266,279 c8/a.java, line(s) 828,831,701,817,836,1005,1032,1043,1055,934 c8/b.java, line(s) 48,70,95 c8/c.java, line(s) 50,51,86,92 c8/d.java, line(s) 34,43,57 c8/e.java, line(s) 431,450,454,569,606,616,696,698,728,731,337,746 c8/f.java, line(s) 13 c8/g.java, line(s) 26,37,67 c8/h.java, line(s) 256,41,81,104,144,291,364 c8/i.java, line(s) 31,36,59,63,66,75,114,133,161,196,204,228 com/apm/insight/MonitorCrash.java, line(s) 442,454,510,514 com/bytedance/im/live/BIMLiveExpandService.java, line(s) 1195,1205,1292,1493,1557,1563,1569,1579,1701 com/bytedance/im/log/ALogService.java, line(s) 32,35,49,58,76,85,95,99,109,117,122,131,133,135 com/bytedance/im/search/SearchLog.java, line(s) 92,99,71,78,22,26,85 com/bytedance/im/search/SearchSpUtil.java, line(s) 41 com/bytedance/im/search/api/BIMSearchExpandService.java, line(s) 35,65,71 com/bytedance/im/search/db/MessageMetaTable.java, line(s) 95 com/bytedance/im/search/db/SearchDbHelper.java, line(s) 99,114,177,187,192,197,224,92 com/bytedance/im/search/db/dao/ContactMetaDao.java, line(s) 57 com/bytedance/im/search/db/dao/MessageMetaDao.java, line(s) 55 com/bytedance/im/search/im/IMSearchDataHelper.java, line(s) 162,168,171 com/bytedance/im/search/im/SearchConversationObserver.java, line(s) 31,43,55,72 com/bytedance/im/search/im/SearchMsgObserver.java, line(s) 20,32,44,59 com/bytedance/im/user/BIMContactExpandService.java, line(s) 840,123,129,140,145,155,182,192,253,262,276,282,324,333,404,414,431,442,456,465,479,494,828,850,979,984,989,994,999,1005,1010,1014,1020,1026,1031,1036,1042,1063,1072,1076,1078,1086,1090,1175,1210,1222,1235,1246,1252 com/huoban/ai/huobanai/FourFourAppWidget.java, line(s) 38 com/huoban/ai/huobanai/InstallWidgetProvider.java, line(s) 50 com/huoban/ai/huobanai/UpdateWidgetHelper.java, line(s) 101 com/pichillilorenzo/flutter_inappwebview/JavaScriptBridgeInterface.java, line(s) 84 com/pichillilorenzo/flutter_inappwebview/ServiceWorkerManager.java, line(s) 73 com/pichillilorenzo/flutter_inappwebview/Util.java, line(s) 319,267,292,301 com/pichillilorenzo/flutter_inappwebview/chrome_custom_tabs/CustomTabsHelper.java, line(s) 83 com/pichillilorenzo/flutter_inappwebview/content_blocker/ContentBlockerHandler.java, line(s) 203,283 com/pichillilorenzo/flutter_inappwebview/in_app_browser/InAppBrowserActivity.java, line(s) 282,373 com/pichillilorenzo/flutter_inappwebview/in_app_browser/InAppBrowserManager.java, line(s) 162 com/pichillilorenzo/flutter_inappwebview/in_app_webview/DisplayListenerProxy.java, line(s) 40 com/pichillilorenzo/flutter_inappwebview/in_app_webview/FlutterWebView.java, line(s) 152 com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebView.java, line(s) 1065 com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewChromeClient.java, line(s) 1123,1132,1192,1202,213,595,643,697,758,824,891,964,1026 com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewClient.java, line(s) 117,205,250,327,391,481,532,619,658,717 com/pichillilorenzo/flutter_inappwebview/in_app_webview/InAppWebViewRenderProcessClient.java, line(s) 34,65 com/pichillilorenzo/flutter_inappwebview/in_app_webview/InputAwareWebView.java, line(s) 42,50,58,83,133 com/ss/bduploader/AWSV4Auth.java, line(s) 224,265,273,287,288,290,292,297 com/ss/bduploader/BDAbstractUpload.java, line(s) 57 com/ss/bduploader/BDExternalFileReaderBridge.java, line(s) 9,11,14,19,21,25,30,32,36,41,44,47,52,55,58 com/ss/bduploader/BDImageUploader.java, line(s) 287,853,857 com/ss/bduploader/BDImageXUploader.java, line(s) 13 com/ss/bduploader/BDImageXUploaderBase.java, line(s) 282,708,712 com/ss/bduploader/BDMediaDataReaderBridge.java, line(s) 10,16,24,34 com/ss/bduploader/BDNetworkRouter.java, line(s) 228,301,308 com/ss/bduploader/BDNetworkSpeedTest.java, line(s) 256,284 com/ss/bduploader/BDObjectUploader.java, line(s) 298,788,792 com/ss/bduploader/BDUploadLog.java, line(s) 19,25,31,37,43,53 com/ss/bduploader/BDUploadResolver.java, line(s) 106,109,124,129,131,139,143,220,277 com/ss/bduploader/BDUploadUtil.java, line(s) 53,83,93,242,246,56,80,90,155,158,249,252,255,262,272,284,45 com/ss/bduploader/BDVideoUploader.java, line(s) 28 com/ss/bduploader/BDVideoUploaderBase.java, line(s) 197,336 com/ss/bduploader/UploadEventManager.java, line(s) 54 com/ss/bduploader/logupload/AppLogEngineUploader.java, line(s) 58,81,38,44,50,67 com/ss/bduploader/net/BDUploadDNSParser.java, line(s) 56,65,75,79,82,88,93,97,117,121,125,128,135,139,146,152,156,160,166,169,176,181,186,189,192,199,204,208,210,214,218,227 com/ss/bduploader/net/BDUploadDNSParserBridge.java, line(s) 23,40,48,66,68,80,82,91 com/ss/bduploader/net/BDUploadHostProcessor.java, line(s) 46,49,54,59,67,71,76,86,92,98,102,109,112,116,119,124,131,148,154,157 com/ss/bduploader/net/HTTPDNS.java, line(s) 42,54,94 com/ss/bduploader/net/LocalDNS.java, line(s) 27,30,33,79,85,103,107,115,122 com/ss/bduploader/util/CustomVerify.java, line(s) 20,22,23,27,34,36,38,42,46 com/ss/bduploader/util/X509Util.java, line(s) 67,69,71,146,150,235,314,294 com/ss/mediakit/vcnlib/CustomVerify.java, line(s) 30,35,36,51,53,54,59,66,68 com/tencent/wcdb/AbstractCursor.java, line(s) 127 com/tencent/wcdb/BulkCursorToCursorAdaptor.java, line(s) 117,137,35,51,149 com/tencent/wcdb/DatabaseUtils.java, line(s) 143,182,623,710,718 com/tencent/wcdb/DefaultDatabaseErrorHandler.java, line(s) 25,31,68 com/tencent/wcdb/database/SQLiteAsyncQuery.java, line(s) 37,48 com/tencent/wcdb/database/SQLiteConnection.java, line(s) 199,783 com/tencent/wcdb/database/SQLiteConnectionPool.java, line(s) 132,179,328,340,356,161,386,276,779 com/tencent/wcdb/database/SQLiteCursor.java, line(s) 93,167 com/tencent/wcdb/database/SQLiteDatabase.java, line(s) 252,626,713,851,444,448 com/tencent/wcdb/database/SQLiteDebug.java, line(s) 77,136 com/tencent/wcdb/database/SQLiteDirectCursor.java, line(s) 66,133,177 com/tencent/wcdb/database/SQLiteDirectQuery.java, line(s) 82 com/tencent/wcdb/database/SQLiteOpenHelper.java, line(s) 69,117 com/tencent/wcdb/database/SQLiteQuery.java, line(s) 27 com/tencent/wcdb/database/SQLiteQueryBuilder.java, line(s) 228 com/tencent/wcdb/repair/DBDumpUtil.java, line(s) 112,211,262,77,88,265,277,281,36 d5/c.java, line(s) 75,74,84,98,99 d5/c0.java, line(s) 149,148 d5/e.java, line(s) 16,17 d5/k.java, line(s) 178,185,293,303,316,327,348,352,357,366,369,374,385,393,177,184,292,302,315,326,347,351,356,365,368,373,384,392 d5/m.java, line(s) 95,196,352,94,185,195,294,317,351,186,295,432 d5/n.java, line(s) 35,41,36,42 d5/q.java, line(s) 58,59 d8/a.java, line(s) 109,112,117,136,142,145 de/b.java, line(s) 55,64 e4/o.java, line(s) 103 e7/b.java, line(s) 47,58 eb/f.java, line(s) 16 f4/r.java, line(s) 44,26,32,38,8,20,14,50 f8/b.java, line(s) 126,222,238,89,92,135,165,168,203,208,212,243,261,263,270,286,305,315,320,327,341 ff/a.java, line(s) 81 ff/h.java, line(s) 59 g1/b.java, line(s) 165 g2/a.java, line(s) 56 g3/a.java, line(s) 52,58 g7/a2.java, line(s) 37 g7/b.java, line(s) 35,41,73,80,103,116,121,130 g7/b1.java, line(s) 26,44 g7/d.java, line(s) 99,109,131 g7/d1.java, line(s) 37 g7/f.java, line(s) 60 g7/f1.java, line(s) 37 g7/g1.java, line(s) 37 g7/h.java, line(s) 31 g7/i.java, line(s) 81 g7/i0.java, line(s) 458,120,183,382,439,447,97,230,247,257,315,342,345,370,414,484 g7/j0.java, line(s) 463,83,90,172,179,421,116,210,294,335,436,469,496 g7/j1.java, line(s) 141 g7/l1.java, line(s) 179,439,544,634,65,75,84,88,90,118,129,162,166,168,183,185,200,231,233,241,244,274,285,394,420,455,456,522,525,529,530,546,578,615,623 g7/m.java, line(s) 95,97,111,122,128,134,139,141,153,159,165,177,190,193 g7/m1.java, line(s) 55,117,140,149,40,138,147,160,169 g7/n.java, line(s) 711,716,591,766,783,824,832,870,923,928,937,940,942,1020,1068,1104,1108,1146,392,418,432,442,595,605,685,690,696,701,706,721,726,790,876,888,892,904,907,913 g7/n1.java, line(s) 32,38 g7/o1.java, line(s) 58,77 g7/p.java, line(s) 81,87 g7/p0.java, line(s) 159,353,365,373,375 g7/q.java, line(s) 70,135,187,59,112,148,194 g7/q0.java, line(s) 404,519,111,186,341,486,597,623,625,629,678 g7/r.java, line(s) 165,56,143,172 g7/s0.java, line(s) 55,195,73,94,127,166 g7/s1.java, line(s) 182,521,83,120,154,232,244,300,472,488,493,495,525,529,568 g7/u0.java, line(s) 133,44,69 g7/v.java, line(s) 36,42,119,135,61,91,152,176 g7/w0.java, line(s) 106,138,144,150,164,170,176,69,93,125,160 g7/x.java, line(s) 172,225,129,133,136,256,284,299 g7/x0.java, line(s) 118 g7/y0.java, line(s) 65 g7/z.java, line(s) 89,103 g7/z0.java, line(s) 46 g8/a.java, line(s) 34 g8/b.java, line(s) 34 g8/c.java, line(s) 40,48,105,111,122 g8/d.java, line(s) 95 g9/f.java, line(s) 67,82,85,199,215,127 gf/a.java, line(s) 50 gf/b.java, line(s) 47 h5/a.java, line(s) 84,89,94,109,85,90,95,110 h5/d.java, line(s) 21,22 h5/j.java, line(s) 40,41 h7/a.java, line(s) 56 hf/a.java, line(s) 273 i0/o.java, line(s) 407,412,571,601,734,736 i0/r.java, line(s) 70,166 i0/u.java, line(s) 343 i0/y.java, line(s) 138,141,146 i6/v.java, line(s) 744,748,752 i6/y0.java, line(s) 19,22,29,26 i7/a.java, line(s) 29,38,68 io/sentry/android/core/u.java, line(s) 70,77,83,73,80 io/sentry/flutter/SentryFlutterPlugin.java, line(s) 307,339 io/sentry/p5.java, line(s) 18,27,33 j5/e.java, line(s) 36,35,58,81,59,82 j5/f.java, line(s) 23,17 j5/k.java, line(s) 148,149 j5/l.java, line(s) 204,205,219 j5/n.java, line(s) 92,93 j5/o.java, line(s) 152,159,153,160 j6/a.java, line(s) 32 j7/a.java, line(s) 129,94,359,480,489,556,648,663,173,177,204,209,287,299,308,311,314,396,445,591,692 j7/c.java, line(s) 75,50,55,86 j7/m.java, line(s) 546 j7/n.java, line(s) 24,60,43 j7/o.java, line(s) 12,16,21 j8/o.java, line(s) 34,64 jb/k.java, line(s) 36,65,70,75,88,91,94,97,100 jj/g.java, line(s) 5,9,10 k0/a.java, line(s) 82 k5/d.java, line(s) 62,69,80,85,61,68,73,79,84,74 k8/b.java, line(s) 79,101,124,136,164,170,184,223,246,250,262,280,296,307,309,319,340,355 l4/b.java, line(s) 47 l7/b.java, line(s) 94,151 l8/a.java, line(s) 47,155,168,172 le/a.java, line(s) 75,79 lj/b.java, line(s) 68 lj/d.java, line(s) 53,171 lj/e.java, line(s) 44,65 lj/i.java, line(s) 82 lj/m.java, line(s) 76,86,214 m0/j.java, line(s) 89,73,77 m5/h.java, line(s) 277,15,200,235 m8/b.java, line(s) 52,70,111,121,136,140 mb/a.java, line(s) 9,16,23,8,15,22,33,34,40,41 n0/d.java, line(s) 210 n7/b.java, line(s) 26 n7/d.java, line(s) 45,57,89,105,197 n7/f.java, line(s) 210 n7/j.java, line(s) 79,129,137,144,149,168,77,83,86,96,100,105,109,118,121,127,133,153,163,181,190 n7/l.java, line(s) 176,196,212,216 n7/o.java, line(s) 40 n7/p.java, line(s) 725,733,863,871 n7/q.java, line(s) 468,447,463,450,458,461,466 n7/r.java, line(s) 21,24 n7/s.java, line(s) 176,189,219,284,30,199,222,233,235,250,252,263,299,301,306,317,319,333,352,379,387,391,404,408,425,448,462 n7/t.java, line(s) 33,35,68,77,98,109,115 n7/v.java, line(s) 40 net/jpountz/lz4/LZ4Factory.java, line(s) 93,94 ni/e.java, line(s) 497 o0/a.java, line(s) 86 o4/a.java, line(s) 19 o4/p.java, line(s) 66,101,105,181,184,211,277,283,288,359 o4/r.java, line(s) 311,315,320 o4/t.java, line(s) 63 o6/a.java, line(s) 63,86,108,119,124,132,145,178,186 o6/d.java, line(s) 41 o8/a.java, line(s) 46,55 p2/b.java, line(s) 21 p2/f.java, line(s) 86 p3/d.java, line(s) 110,343 p7/h.java, line(s) 19,22,45,75,82,85 p7/i.java, line(s) 45,62,64,68,75,78,95,106,116,129,140,148,154,161 p7/l.java, line(s) 100,105,131,158,176,309,347,370,392,411,445,482,521,562,580,610,627,1420,1427,1440,1465,1501,1553,1570,127,161,167,173,314,490,529,565,568,571,572,613,616,619,859,905,924,958,1003,1008,1017,1023,1045,1049,1072,1086,1091,1104,1114,1123,1145,1153,1164,1174,1189,1196,1202,1239,1268,1319,1323,1339,1352,1445,1579,333,344,428,975,978,983,989,991,1054,1060,1080,1187,1289,1309,1326,1477 p8/a.java, line(s) 37,80,91,112 p8/b.java, line(s) 82,97,118,132,134,144,148,153,164 p8/c.java, line(s) 14,31 q4/a.java, line(s) 321 q7/a.java, line(s) 79,88,142,147,152,164,56,64,70,180 q7/b.java, line(s) 36,39,46 q8/a.java, line(s) 121,127,130,135,143,160,169,182,192,195,211,221,224,236,244,247,255,269,273,280,284,291,296,298,306,314,317,334,345 r0/b.java, line(s) 81 r1/r.java, line(s) 25 r2/a.java, line(s) 31,45 r3/a.java, line(s) 51 r4/d.java, line(s) 87,115,86,114 r4/e.java, line(s) 564,589,607,563,588,606 r5/a.java, line(s) 63,64 rf/d.java, line(s) 19,33,24 s3/j.java, line(s) 55 s4/a.java, line(s) 86,85 s5/a.java, line(s) 24,29 s8/a.java, line(s) 162,174,177,193,210,218,244,264,277,281,307,316,327,330 s8/b.java, line(s) 218,275,302,340,129,140,143,238,287,329,363 s8/c.java, line(s) 84,183,189,206,222,240,257,265,294,301,311,314,330,350,363,367,394,399,410,413,428,437,440 s8/d.java, line(s) 153,176,189,195,222,233,236 sd/q.java, line(s) 33,40,66,84 t7/a.java, line(s) 27 t7/c.java, line(s) 93,97 t8/b.java, line(s) 35,49,57,64,69,74,79 u4/b.java, line(s) 50,49 u4/j.java, line(s) 52,158,51,157,161,167,174,171,175 u4/l.java, line(s) 51,50 u7/a.java, line(s) 423,58,73,84,169,174,179,183,198,200,204,210,285,287,291,306,309,312,318,348,368 u8/a.java, line(s) 69 u8/d.java, line(s) 29 u8/f.java, line(s) 43,69,84,88,92,115 u8/g.java, line(s) 43,71,80,84,87,109 u8/h.java, line(s) 21,54,57 u8/i.java, line(s) 54,63,69,91 u8/j.java, line(s) 61,65 u8/k.java, line(s) 53,56 u8/l.java, line(s) 47,67,81 u8/o.java, line(s) 29 u9/a.java, line(s) 261 v4/c.java, line(s) 116,115 v4/e.java, line(s) 50,112,49,111 v8/a.java, line(s) 62,72,114,123,176,203,217,222,227,238,247,249 v8/b.java, line(s) 31,33,42,46,52,70,76,80,89 v8/c.java, line(s) 30,32,41,45,51,75,81,85,94 v8/d.java, line(s) 39,44,50,56,71,78,99,104 v8/e.java, line(s) 30,32,42,46,52,67 v8/f.java, line(s) 19,31,43,55,72 vf/a.java, line(s) 30,37,53,87 vi/e.java, line(s) 57,59,85 w4/h.java, line(s) 631,349,364,630,467 w4/i.java, line(s) 51,52 w4/k.java, line(s) 15,203 w4/q.java, line(s) 102 w4/z.java, line(s) 61,62 w8/a.java, line(s) 41,53,59,65,74,80 wf/b.java, line(s) 12,24,30 x0/m.java, line(s) 25,32,39,46,53,60,67,74,81 x4/i.java, line(s) 119,156,120,157 x4/j.java, line(s) 104,145,156,171,66,103,113,134,144,155,170,187,194,72,114,188,195,135 x6/b.java, line(s) 54,108,123,140,144,165,168,42,63,87,114,128,150,183,190,200,216,229,236,99 x7/b.java, line(s) 287,293,306,185 x8/b.java, line(s) 115 x8/c.java, line(s) 35,39,59,77,98 x9/c.java, line(s) 20 xd/d.java, line(s) 118,164,171 xd/g.java, line(s) 49,78,87,92,96,107,115,127 xd/h.java, line(s) 35 xd/k.java, line(s) 35 xd/r.java, line(s) 51 xd/v.java, line(s) 29 y/d.java, line(s) 77 y4/e.java, line(s) 41,51,65,71,42,66,54,72 y4/i.java, line(s) 129,108 y7/a.java, line(s) 44,89,96,103,110,172,228,238 yg/c.java, line(s) 60,62,73,250 z4/a.java, line(s) 245,244 z6/a.java, line(s) 38,49,150,167,172,70,105,131,139,176,184,191,210,217 z6/b.java, line(s) 26,51,75,86,101,123,142,146,174,196,212,224,245,66,82,207,222 z7/b.java, line(s) 59,76 z7/d.java, line(s) 91,110,121 z8/b.java, line(s) 29,155 zd/y.java, line(s) 48 zf/b.java, line(s) 23,39,42,61
信息 应用程序可以写入应用程序目录。敏感信息应加密
应用程序可以写入应用程序目录。敏感信息应加密 Files: com/bytedance/im/search/SearchSpUtil.java, line(s) 64,64 g1/b.java, line(s) 47,47
信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: i6/o3.java, line(s) 4,58,36
安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/ss/bduploader/util/X509Util.java, line(s) 141,117,139,139 ui/c.java, line(s) 111,110,109 ui/d.java, line(s) 141,131,151,139,139 ui/i.java, line(s) 114,113,112,112 ui/j.java, line(s) 247,235,245,245
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: g4/b.java, line(s) 602,602,602,602,602 h3/b.java, line(s) 20,20,20,20,20,20 io/sentry/android/core/internal/util/n.java, line(s) 73,106,32,32,32,32,32,32
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (mobilegw.dl.alipaydev.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (gator.volces.com) 通信。
{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '徐州', 'latitude': '34.266666', 'longitude': '117.166664'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (toblog.volceapplog.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (app.mi.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (api.magicneko.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (imapi.volcvideo.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '>\x19\x00÷>\x19\x00÷>\x19\x00d?\x19\x00d?\x19\x00¼?\x19\x00½?\x19\x00¿?\x19\x00À?\x19\x00Ã?\x19\x00Ä?\x19\x00Æ?\x19\x00Ç?\x19\x00Ð?\x19\x00Ñ?\x19\x00â?\x19\x00ã?\x19\x00ç?\x19\x00è?\x19\x00ñ?\x19\x00ñ?\x19\x00ú?\x19\x00û?\x19\x00\r@\x19\x00\r@\x19\x00 @\x19\x00!@\x19\x002@\x19\x003@\x19\x00=@\x19\x00>@\x19\x00?@\x19\x00@@\x19\x00z@\x19\x00{@\x19\x00\x92@\x19\x00\x93@\x19\x00\x93@\x19\x00\x93@\x19\x00\x93@\x19\x00\x93@\x19\x00\x93@\x19\x00\x94@\x19\x00\x98@\x19\x00\x99@\x19\x00¢@\x19\x00¢@\x19\x00¢@\x19\x00¢@\x19\x00£@\x19\x00£@\x19\x00£@\x19\x00¤@\x19\x00ª@\x19\x00«@\x19\x00¸@\x19\x00¹@\x19\x00À', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (h5.m.taobao.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (tobapplog.volceapplog.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (klink.volceapplog.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (apmplus.volces.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '宁波', 'latitude': '29.878410', 'longitude': '121.549767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (ichannel.snssdk.com) 通信。
{'ip': '61.153.154.38', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (toblog.ctobsnssdk.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '镇江', 'latitude': '32.209366', 'longitude': '119.434372'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (rtapplog.snssdk.com) 通信。
{'ip': '185.199.108.153', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (mobilegw.alipaydev.com) 通信。
{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (abtest.volceapplog.com) 通信。
{'ip': '58.222.46.202', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (log.snssdk.com) 通信。
{'ip': '180.97.251.226', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (alink.volceapplog.com) 通信。
{'ip': '180.97.251.219', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (rtlog.snssdk.com) 通信。
{'ip': '180.97.251.219', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (toblog-alink.ctobsnssdk.com) 通信。
{'ip': '121.228.130.191', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (applog.snssdk.com) 通信。
{'ip': '121.228.130.194', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (neptune-platform.zijieapi.com) 通信。
{'ip': '61.147.168.160', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '镇江', 'latitude': '32.209366', 'longitude': '119.434372'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (tobapplog.ctobsnssdk.com) 通信。
{'ip': '49.79.240.229', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}