安全分析报告： RM新时代 v5.4.0123

[android:allowBackup=true]
这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序，因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此，应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险，一个恶意应用程序可以请求并获得这个权限，并与该组件交互。如果它被设置为签名，只有使用相同证书签名的应用程序才能获得这个权限。

(com.umeng.message.notify.UPushMessageNotifyActivity)
如果设置了 taskAffinity，其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息，请始终使用默认设置，将 affinity 保持为包名

(com.umeng.message.UMessageNotifyActivity)
如果设置了 taskAffinity，其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息，请始终使用默认设置，将 affinity 保持为包名

[android:exported=true]
发现 Activity-Alias与设备上的其他应用程序共享，因此可被设备上的任何其他应用程序访问。

[android:exported=true]
发现 Broadcast Receiver与设备上的其他应用程序共享，因此可被设备上的任何其他应用程序访问。

文件可能包含硬编码的敏感信息，如用户名、密码、密钥等
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/qsf/taogin/CustomServiceDonateActivity.java, line(s) 112
com/qsf/taogin/account/MemberInfoItem.java, line(s) 130,130
com/qsf/taogin/betRanking/RankingMyRewardDetailsResponse.java, line(s) 195
com/qsf/taogin/betRanking/RankingPageResponse.java, line(s) 324
com/qsf/taogin/bigMatch/data/JavaLiveInfo.java, line(s) 58
com/qsf/taogin/bigMatch/data/MatchPublish.java, line(s) 56
com/qsf/taogin/market/gameBet/GameBetResultItem.java, line(s) 160
com/qsf/taogin/market/gameBet/GameBetV2ResultItem.java, line(s) 114
com/qsf/taogin/member/data/Data.java, line(s) 68
com/qsf/taogin/member/data/LoginAppResponse.java, line(s) 99
com/qsf/taogin/member/data/LoginResponse.java, line(s) 54
com/qsf/taogin/model/BetList.java, line(s) 157
com/qsf/taogin/model/CanRegisterResponse.java, line(s) 40
com/qsf/taogin/model/MemberLevelResponse.java, line(s) 228
com/qsf/taogin/model/MemberList.java, line(s) 77
com/qsf/taogin/model/MemberLoginAppResponse.java, line(s) 161
com/qsf/taogin/model/MemberLoginResponse.java, line(s) 61
com/qsf/taogin/model/MemberP2PFunctionResponse.java, line(s) 98
com/qsf/taogin/model/MicroBusinessNotPostedListDetailResponse.java, line(s) 94
com/qsf/taogin/model/MicroBusinessNotPostedListResponse.java, line(s) 237
com/qsf/taogin/model/MicroDepositWithdrawResponse.java, line(s) 124
com/qsf/taogin/model/MicroNetResponse/GetBetListDetailResponse.java, line(s) 206
com/qsf/taogin/model/MicroNetResponse/GetBetListDetailV2Response.java, line(s) 513
com/qsf/taogin/model/MicroNetResponse/GetContributionBetDetailResponse.java, line(s) 383,383
com/qsf/taogin/model/MicroNetResponse/GetContributionDetailResponse.java, line(s) 131
com/qsf/taogin/model/MicroNetResponse/GetLevelOneMemberRewardResponse.java, line(s) 182
com/qsf/taogin/model/MicroNetResponse/GetMemberInfoResponse.java, line(s) 166
com/qsf/taogin/model/MicroNetResponse/GetRewardDetailByUserResponse.java, line(s) 253
com/qsf/taogin/model/MicroNewRegistrationResponse.java, line(s) 163
com/qsf/taogin/model/RuleSetResponse.java, line(s) 342
com/qsf/taogin/model/TGMemberInfoResponse.java, line(s) 203,203
com/qsf/taogin/model/UsernameListResponse.java, line(s) 48
com/qsf/taogin/model/getUserReportDetail/ListData.java, line(s) 255
com/qsf/taogin/websocket/ChatWebSocketManager.java, line(s) 299
com/qsf/taogin/websocket/WebSocketManager.java, line(s) 140,193
com/tencent/msdk/dns/core/rest/share/e.java, line(s) 21
org/android/spdy/SpdyProtocol.java, line(s) 43

MD5是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/danikula/videocache/ProxyCacheUtils.java, line(s) 45
com/qsf/taogin/jclModule/RareFunction.java, line(s) 40
ezy/boost/update/UpdateUtil.java, line(s) 92

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
io/sentry/util/StringUtils.java, line(s) 27
org/java_websocket/drafts/Draft_6455.java, line(s) 183
org/repackage/a/a/a/a/c.java, line(s) 95

应用程序可以读取/写入外部存储器，任何应用程序都可以读取写入外部存储器的数据
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/danikula/videocache/h.java, line(s) 16,33
com/orhanobut/logger/CsvFormatStrategy.java, line(s) 41
com/qsf/taogin/account/alipay/CompanyPayFragment.java, line(s) 402
com/qsf/taogin/account/pay3Way/Pay3Way_Fragment.java, line(s) 505
com/qsf/taogin/account/view/USDTPayFragment.java, line(s) 735
com/qsf/taogin/utility/DataCleanManager.java, line(s) 10
com/qsf/taogin/utility/RealPathHelper.java, line(s) 117,125
ezy/boost/update/UpdateManager.java, line(s) 123
ezy/boost/update/b.java, line(s) 127
io/sentry/android/core/c0.java, line(s) 266,154

应用程序使用不安全的随机数生成器
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/qsf/taogin/service/UPushNotificationHelper.java, line(s) 25
com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 12
com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 23
com/scwang/smartrefresh/header/storehouse/StoreHouseBarItem.java, line(s) 8
com/tencent/msdk/dns/d/d.java, line(s) 3
org/android/spdy/SpdyBytePool.java, line(s) 3

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
com/qsf/taogin/TGCustomerServiceActivity.java, line(s) 70,74
com/theartofdev/edmodo/cropper/CropImageActivity.java, line(s) 209
com/theartofdev/edmodo/cropper/b.java, line(s) 93

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/qsf/taogin/TGCustomerServiceActivity.java, line(s) 245,234
com/qsf/taogin/thirdPartyGaming/ThirdPartyPlayFragment.java, line(s) 458,448

可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6

Files:
com/qsf/taogin/TGCustomerServiceActivity.java, line(s) 237,234

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/danikula/videocache/sourcestorage/a.java, line(s) 6,7,78
com/tencent/msdk/dns/core/m/b/a.java, line(s) 6,7,261,271

IP地址泄露


Files:
com/danikula/videocache/HttpProxyCacheServer.java, line(s) 110,268,272,278
com/qsf/taogin/api/TGapiCallback.java, line(s) 2689
com/tencent/msdk/dns/a.java, line(s) 55,55
org/android/spdy/SpdyRequest.java, line(s) 25,160,179,202,227,247,273,292,315,340

此应用程序可能会请求root（超级用户）权限
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
io/sentry/android/core/internal/util/RootChecker.java, line(s) 40,40,40,40,40

此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户，是终端用户的隐私问题。

从应用程序中识别出以下机密确保这些不是机密或私人信息
"dialog_auth_method_mobile" : "Mobile"
"review_pass" : "Pass"
"registered_password" : "Withdrawal
Password"
"STR_KEY" : "STR_FROM_RESOURCE_VALUE"
"dialog_auth_method_mail" : "Email"
"dialog_auth_method_mail_common" : "Email:"
"user_name" : "Username"
"guide_user_name" : "MikeMikeMike..."
E3353787A66216BAD7A3C87950C2779DCBD9AC9CEB043B3BB10A5D2DAC06032E41CB48F54FDF0B881EC1FE19607746C5
E3353787A66216BAD7A3C87950C2779D3555E6F514268CE75D1BD5CA38DA6BB341CB48F54FDF0B881EC1FE19607746C5
E3353787A66216BAD7A3C87950C2779DF8F26624C377CDF0D9D35A6E87438CCE41CB48F54FDF0B881EC1FE19607746C5
E3353787A66216BAD7A3C87950C2779D5AAB6DDE780B1F51EB3DCD461037402E41CB48F54FDF0B881EC1FE19607746C5
63994ab1a2010b2c3f0ef7ee
69ffb02bdb7e9cdac7243b6eb2bf8933
258EAFA5-E914-47DA-95CA-C5AB0DC85B11