Security score: 47/100
Privacy risk: 8 user/device trackers
Findings
High: 3
Medium: 30
Info: 2
Secure: 1
Hotspot: 6
High: The domain configuration insecurely permits cleartext traffic to these in-scope domains.
Scope: he-telenordigital.com
High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, it may be vulnerable to cross-site scripting (XSS).
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/bongo/ottandroidbuildvariant/splash/view/SplashActivity.java, line(s) 69,6
High: The application contains privacy trackers
This application contains multiple (8) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
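Medium: Cleartext network traffic is enabled for the application
[android:usesCleartextTraffic=true] The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager and MediaPlayer. For applications that target API level 27 or lower, the default value is "true". For applications that target API level 28 or higher, the default value is "false". The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and protection against tampering; a network attacker can eavesdrop on the transmitted data and can modify it without being detected.
Medium: Application data can be backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.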
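Medium: Activity (com.bongo.ottandroidbuildvariant.deeplink.uris.LinkDispatcherActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (com.bongo.ottandroidbuildvariant.home.view.HomeActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Content Provider (com.the.x.patch.inject) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.bongo.ottandroidbuildvariant.login.MySMSBroadcastReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.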
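Medium: Service (com.google.android.exoplayer2.scheduler.PlatformScheduler$PlatformSchedulerService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.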
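Medium: Activity (com.bongo.ottandroidbuildvariant.home.view.LandingActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (com.bongo.ottandroidbuildvariant.livevideo.view.ExtLiveVodActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Service (com.bongo.ottandroidbuildvariant.deeplink.notifications.FMService) is not protected.
[android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (com.bongo.ottandroidbuildvariant.mvvm.activities.NavHostBaseActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.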
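Medium: Broadcast Receiver (com.adjust.sdk.AdjustReferrerReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.INSTALL_PACKAGES [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.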
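Medium: Broadcast Receiver (com.bongo.ottandroidbuildvariant.utils.notification.BootAlarmReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.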
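Medium: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.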
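Medium: Service (com.google.android.play.core.assetpacks.AssetPackExtractionService) is not protected.
[android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device.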
Medium: Files may contain hard-coded sensitive information such as usernames, passwords and keys
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/bongo/bongobd/view/model/CommentLoginResponse.java, line(s) 98 com/bongo/bongobd/view/model/CommentSignupResponse.java, line(s) 98 com/bongo/bongobd/view/model/InfoFields.java, line(s) 80 com/bongo/bongobd/view/model/RabbitHoleLoginRes.java, line(s) 98 com/bongo/bongobd/view/model/U.java, line(s) 99 com/bongo/bongobd/view/model/User.java, line(s) 216 com/bongo/bongobd/view/model/UserD.java, line(s) 103 com/bongo/bongobd/view/model/admin/AdminLoginRqb.java, line(s) 134 com/bongo/bongobd/view/model/admin/AdminModelsKt.java, line(s) 20 com/bongo/bongobd/view/model/user/ProfileInfo.java, line(s) 459 com/bongo/ottandroidbuildvariant/network/global_config/model/Firebase.java, line(s) 56 com/tA.java, line(s) 84 com/telenor/connect/id/IdToken.java, line(s) 11,89 io/grpc/internal/TransportFrameUtil.java, line(s) 83 io/jsonwebtoken/JwsHeader.java, line(s) 8
Medium: MD5 is a weak hash known to have hash collisions
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/koushikdutta/async/http/spdy/ByteString.java, line(s) 169 com/koushikdutta/async/util/FileCache.java, line(s) 90 com/microsoft/clarity/e/i.java, line(s) 228,305 com/microsoft/clarity/n/c.java, line(s) 24 f/a.java, line(s) 11
Medium: IP address disclosure
Files: com/koushikdutta/async/AsyncSSLSocketWrapper.java, line(s) 77 com/nimbusds/jose/jwk/Curve.java, line(s) 10,12,14,16,18 com/samsung/multiscreen/MSFDSearchProvider.java, line(s) 409,410 com/samsung/multiscreen/Service.java, line(s) 202 io/grpc/okhttp/OkHttpServerTransport.java, line(s) 413,421,430,426
Medium: The application can read from and write to external storage. Any application can read data written to external storage
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/C0255fz.java, line(s) 322 com/C0283h.java, line(s) 74 com/akd/studio/C0013.java, line(s) 229 com/bongobd/bongoplayerlib/helper/PlayerHelper.java, line(s) 103 com/microsoft/clarity/g/o.java, line(s) 312
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/bongo/ottandroidbuildvariant/livevideo/view/ExtLiveVodActivity.java, line(s) 274,273
Medium: The application uses an insecure random number generator
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/bongo/ottandroidbuildvariant/utils/CommonUtilsOld.java, line(s) 32 com/iC.java, line(s) 31 com/koushikdutta/async/util/FileCache.java, line(s) 16 com/pX.java, line(s) 15 io/grpc/internal/DnsNameResolver.java, line(s) 33 io/grpc/internal/ExponentialBackoffPolicy.java, line(s) 5 io/grpc/internal/RetriableStream.java, line(s) 23 io/grpc/okhttp/OkHttpClientTransport.java, line(s) 67 io/grpc/util/OutlierDetectionLoadBalancer.java, line(s) 25 io/grpc/util/RoundRobinLoadBalancer.java, line(s) 22 j$/util/concurrent/ThreadLocalRandom.java, line(s) 11
Medium: The application creates temporary files. Sensitive information should never be written to a temporary file
Files: com/journeyapps/barcodescanner/CaptureManager.java, line(s) 243 com/the/x/patch/Utils.java, line(s) 4375 org/junit/rules/TemporaryFolder.java, line(s) 26
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/npaw/youbora/lib6/persistence/helper/EventDbHelper.java, line(s) 4,5,14
Medium: SHA-1 is a weak hash known to have hash collisions
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/C0567ro.java, line(s) 220 com/koushikdutta/async/http/WebSocketImpl.java, line(s) 55
Medium: This application may contain hard-coded secrets
The following secrets were identified in the application. Ensure that these are not secrets or private information.
AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "@string/admob_app_id"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"
"facebook_client_token" : "0cc2e3cc896e0a6458e6522066be58c4"
"google_crash_reporting_api_key" : "AIzaSyDVLGo6GPF1zfo1k-a5REhuQHhvirp-Byw"
"firebase_database_url" : "https://bongobdapp.firebaseio.com"
"com.google.firebase.crashlytics.mapping_file_id" : "a35b0151c0b648068f5180f796233e31"
"library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1"
"google_api_key" : "AIzaSyDVLGo6GPF1zfo1k-a5REhuQHhvirp-Byw"
"BOLINA_SECRET_ID" : "tlh-l/hu-mcpkoya"
"library_zxingandroidembedded_author" : "JourneyApps"
Info: The application logs information. Sensitive information must not be logged
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/AbstractC0123az.java, line(s) 32 com/C0098aa.java, line(s) 24 com/C0147bx.java, line(s) 42,182 com/C0225ew.java, line(s) 18 com/C0289hf.java, line(s) 9 com/C0319ij.java, line(s) 40 com/C0360jx.java, line(s) 15 com/C0377kn.java, line(s) 26 com/C0461nq.java, line(s) 87 com/C0565rm.java, line(s) 439 com/ComponentCallbacks2C0355js.java, line(s) 204,209,211,217,220,235,242,395 com/ComponentCallbacks2C0516pr.java, line(s) 67,200 com/RunnableC0448nd.java, line(s) 73,151,362 com/S.java, line(s) 91,114,128,134,139 com/ViewTreeObserverOnPreDrawListenerC0318ii.java, line(s) 20 com/aW.java, line(s) 21 com/akd/studio/Absolute/C0010.java, line(s) 210 com/akd/studio/C0013.java, line(s) 181,370 com/akd/studio/apk/C0011.java, line(s) 450 com/bE.java, line(s) 35,45,56,88 com/bK.java, line(s) 25 com/bN.java, line(s) 235,336,351,374,396,468,486,503,544 com/bQ.java, line(s) 57,69,76,81 com/bongo/bongobd/view/mvp_api/call/NetworkCallRandomFree.java, line(s) 150 com/bongo/ottandroidbuildvariant/base/presenter/BasePresenterImpl.java, line(s) 171 com/bongo/ottandroidbuildvariant/deeplink/notifications/NotDispatcherActivity.java, line(s) 60 com/bongo/ottandroidbuildvariant/deeplink/uris/LinkDispatcherActivity.java, line(s) 39 com/bongo/ottandroidbuildvariant/home/view/LandingActivity.java, line(s) 406 com/bongo/ottandroidbuildvariant/home/view/PageAdapter.java, line(s) 219 com/bongo/ottandroidbuildvariant/livevideo/view/ProgramGuideAdapter.java, line(s) 130 com/bongo/ottandroidbuildvariant/media/MediaSessionPlaybackActivity.java, line(s) 159 com/bongo/ottandroidbuildvariant/mvvm/fragments/PlayerFragment.java, line(s) 1285 com/bongo/ottandroidbuildvariant/samsungcast/SamsungCastTVSearch.java, line(s) 59,118 com/bongo/ottandroidbuildvariant/splash/BaseSplashActivity.java, line(s) 192
com/bongo/ottandroidbuildvariant/ui/subscription2/package_list_new/ui/PackageListFragment2.java, line(s) 2289 com/bongo/ottandroidbuildvariant/ui/subscription2/payment_method/PaymentPresenter$payWithGooglePlay$1.java, line(s) 74 com/bongobd/bongoplayerlib/BongoPlayer.java, line(s) 1182 com/bongobd/bongoplayerlib/cast/d.java, line(s) 19 com/bongobd/bongoplayerlib/cast/f.java, line(s) 58,72 com/bongobd/bongoplayerlib/media_analytics/BplayerMediaAnalyticsImpl.java, line(s) 66,100 com/cE.java, line(s) 155,171,186 com/cF.java, line(s) 30 com/cK.java, line(s) 39 com/cO.java, line(s) 48,58 com/cT.java, line(s) 53 com/dL.java, line(s) 115 com/daimajia/slider/library/Tricks/ViewPagerEx.java, line(s) 982,1928,1934,1945 com/denzcoskun/imageslider/ImageSlider.java, line(s) 103 com/eV.java, line(s) 42,101,141 com/elvishew/xlog/internal/Platform.java, line(s) 29,52 com/fF.java, line(s) 37 com/fI.java, line(s) 122 com/fN.java, line(s) 37,43 com/hZ.java, line(s) 56 com/iS.java, line(s) 43 com/journeyapps/barcodescanner/CameraPreview.java, line(s) 121,351,413 com/journeyapps/barcodescanner/CaptureManager.java, line(s) 249 com/journeyapps/barcodescanner/camera/AutoFocusManager.java, line(s) 105,123 com/journeyapps/barcodescanner/camera/CameraInstance.java, line(s) 40,55,68,80 com/journeyapps/barcodescanner/camera/CameraManager.java, line(s) 83,315,219,227,271,279 com/kV.java, line(s) 62 com/kW.java, line(s) 18 com/koushikdutta/async/AsyncNetworkSocket.java, line(s) 313 com/koushikdutta/async/AsyncServer.java, line(s) 93,120,229,744 com/koushikdutta/async/PushParser.java, line(s) 176 com/koushikdutta/async/Util.java, line(s) 25,36,37 com/koushikdutta/async/http/AsyncHttpRequest.java, line(s) 130,131 com/koushikdutta/async/http/HybiParser.java, line(s) 244 com/koushikdutta/async/http/cache/RawHeaders.java, line(s) 63 com/koushikdutta/async/http/server/AsyncHttpServerRequestImpl.java, line(s) 96 com/lH.java, line(s) 34 com/lN.java, line(s) 54,57,63,70,75 
com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 155 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 108,126 com/microsoft/clarity/n/j.java, line(s) 25,37,49 com/nT.java, line(s) 136 com/nX.java, line(s) 57,72 com/nineoldandroids/animation/PropertyValuesHolder.java, line(s) 81,145,269,298,342,360 com/npaw/ima/ImaAdapter.java, line(s) 372,397 com/npaw/ima/ImaAdapterHandler.java, line(s) 39,55,71,160,243 com/npaw/youbora/lib6/Timer.java, line(s) 95 com/npaw/youbora/lib6/YouboraLog.java, line(s) 129,52,53,55,68,73,76,95,109,120,126,129,133,135,147,133 com/npaw/youbora/lib6/YouboraUtil.java, line(s) 286,303 com/npaw/youbora/lib6/adapter/AdAdapter.java, line(s) 93,108,119,136,148,160,178,256 com/npaw/youbora/lib6/adapter/BaseAdapter.java, line(s) 68,185,228,247,255,291,310,324,347,366,391,429,565 com/npaw/youbora/lib6/adapter/PlayerAdapter.java, line(s) 61,168 com/npaw/youbora/lib6/comm/Request.java, line(s) 245,264,294,312 com/npaw/youbora/lib6/comm/transform/OfflineTransform.java, line(s) 70 com/npaw/youbora/lib6/comm/transform/ViewTransform.java, line(s) 195,231,253,300,302,310 com/npaw/youbora/lib6/comm/transform/resourceparse/CdnParser.java, line(s) 254 com/npaw/youbora/lib6/comm/transform/resourceparse/CdnSwitch.java, line(s) 142 com/npaw/youbora/lib6/comm/transform/resourceparse/HlsParser.java, line(s) 171 com/npaw/youbora/lib6/comm/transform/resourceparse/LocationHeaderParser.java, line(s) 36 com/npaw/youbora/lib6/exoplayer2/Exoplayer2AdAdapter.java, line(s) 115,316,340,381,390,526 com/npaw/youbora/lib6/exoplayer2/Exoplayer2Adapter.java, line(s) 383,491,612,636,679,689,831 com/npaw/youbora/lib6/exoplayer2/PlayerAnalyticsListener.java, line(s) 232 com/npaw/youbora/lib6/monitoring/RemoteMonitoring.java, line(s) 75,80,213,265,311 com/npaw/youbora/lib6/persistence/dao/EventDAO.java, line(s) 127,137,149 com/npaw/youbora/lib6/plugin/Options.java, line(s) 315,1086 com/npaw/youbora/lib6/plugin/Plugin.java, line(s) 
164,624,947,997,1008,1035,1215,1358,1459,1830,2480,205,711,1086,1104,1840,1892,2161,2593 com/oF.java, line(s) 113,154 com/pA.java, line(s) 22 com/pD.java, line(s) 63,80,92,106,146,155,169,171,182,193 com/rW.java, line(s) 22 com/rX.java, line(s) 36,63 com/sam43/country_code_picker_library/CCPCountry.java, line(s) 4582 com/sam43/country_code_picker_library/CountryCodePicker.java, line(s) 1099,1108,1379,1589 com/samsung/multiscreen/AudioPlayer.java, line(s) 28,39,163,179,297,351,373,385,404,71,170 com/samsung/multiscreen/BLESearchProvider.java, line(s) 149,162 com/samsung/multiscreen/Channel.java, line(s) 84,438,756,186 com/samsung/multiscreen/MDNSSearchProvider.java, line(s) 127 com/samsung/multiscreen/MSFDSearchProvider.java, line(s) 113,117,123,183,282,288,293,347,353,381,391 com/samsung/multiscreen/PhotoPlayer.java, line(s) 28,39,120,136,228,248,260,279,60,127 com/samsung/multiscreen/Player.java, line(s) 54,164,174,192,206,244,257,279,295,376,390,476,514 com/samsung/multiscreen/Search.java, line(s) 209 com/samsung/multiscreen/Service.java, line(s) 298 com/samsung/multiscreen/StandbyDeviceList.java, line(s) 56,168,182,213,243,263 com/samsung/multiscreen/VideoPlayer.java, line(s) 29,40,144,160,276,333,355,367,386,432,452,66,151 com/telenor/connect/ConnectSdk.java, line(s) 169,178,638,645,651,383 com/telenor/connect/headerenrichment/GetHeaderEnrichmentGifTask.java, line(s) 33 com/telenor/connect/headerenrichment/MobileDataFetcher.java, line(s) 75 com/telenor/connect/id/ConnectIdService.java, line(s) 38,48,92,100,208,214,237,242 com/telenor/connect/id/ParseTokenCallback.java, line(s) 19 com/telenor/connect/utils/CustomTabsHelper.java, line(s) 79 com/telenor/connect/utils/HeadersDateUtil.java, line(s) 31 com/the/x/patch/AKDSTUDIO_Config.java, line(s) 196,321,352,361,486,920,991,1118,479,697,878,954,1186,117,1047 com/the/x/patch/Utils.java, line(s) 
2895,2939,3060,3130,6143,6226,355,849,1552,1923,2150,2190,2269,2678,3452,4127,4428,4590,4659,4875,5716,6390,6675,6746,270,552,3016,5720 com/the/x/patch/akd/appData_initialization.java, line(s) 110,113,83,225,263,316,406,479,587 com/the/x/patch/extreme/modding/inCallback.java, line(s) 43,443 com/the/x/patch/extreme/modding/rootDir.java, line(s) 501,923,1006,1034,1040,262,389,1057,1195,192,296,708 com/the/x/patch/inject.java, line(s) 930,1051,1054,1059,1067,1084,1193,1233,1270,1302,1331,1361,1594,1627,1707,1784,1795,1826,1859,1884,1994,2044,2067,2114,2140,2162,2194,2224,2304,2328,2377,2401,2461,2685,2868,3072,3094,3308,3318,3468,3644,432,944,1064,1079,1256,1288,1317,1347,1580,1613,1800,1812,1845,1870,1980,2053,2100,2148,2180,2210,2290,2314,2363,2387,2447,2531,3045,3058,3190,3371,283,2816 com/the/x/patch/injections.java, line(s) 24 com/the/x/patch/util/ErrorsHandler.java, line(s) 51 com/the/x/patch/util/dataWrapper.java, line(s) 29,249,282,356,478 com/tz.java, line(s) 46,50,52,58,122 h/b.java, line(s) 30 h/c.java, line(s) 62 h/d.java, line(s) 183,201,149 logcat/LogcatLogger.java, line(s) 13 org/greenrobot/eventbus/Logger.java, line(s) 32,38
Info: The application can write to the application directory. Sensitive information should be encrypted
Files: com/lyft/kronos/AndroidClockFactory.java, line(s) 29,29 com/microsoft/clarity/models/DynamicConfig.java, line(s) 89,89
Secure: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/bongo/bongobd/view/di/DataModule.java, line(s) 77,77,83,89 com/bongo/bongobd/view/mvp_api/legacy_client/ApiClient.java, line(s) 44,44,60,77 com/bongo/ottandroidbuildvariant/api/ApiClient.java, line(s) 79,79,106,128 com/eD.java, line(s) 106,105,104,104 com/koushikdutta/async/AsyncSSLSocketWrapper.java, line(s) 386,68,384,384 com/samsung/multiscreen/Channel.java, line(s) 402,407,413,421,323,328,328,336,336,344,344,352,352,358,358,378,378 com/telenor/connect/utils/RestHelper.java, line(s) 36,36 io/grpc/util/AdvancedTlsX509TrustManager.java, line(s) 86,85,84,84,102
Hotspot: The application may communicate with a server (firebase-settings.crashlytics.com) located in an OFAC-sanctioned country (China).
{'ip': '121.36.119.11', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (appgallery.huawei.com) located in an OFAC-sanctioned country (China).
{'ip': '121.36.119.11', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Hotspot: The application may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).
{'ip': '121.36.119.11', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (dashif.org) located in an OFAC-sanctioned country (China).
{'ip': '61.160.148.90', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
Hotspot: The application may communicate with a server (aomedia.org) located in an OFAC-sanctioned country (China).
{'ip': '61.160.148.90', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}