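Security Score
Security score: 49/100
Risk Rating
Grade
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk
0 user/device trackers
Findings
- High: 3
- Medium: 11
- Info: 1
- Secure: 2
- Hotspot: 3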
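High: The launch mode of Activity (com.ichano.athome.avs.ui.activity.Working) is not standard
An Activity should not set its launch mode attribute to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. When the Intent contains sensitive information, the "standard" launch mode attribute should therefore be used.
High: The launch mode of Activity (com.ichano.athome.avs.ui.activity.FrontFlashActivity) is not standard
An Activity should not set its launch mode attribute to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. When the Intent contains sensitive information, the "standard" launch mode attribute should therefore be used.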
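High: Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security vulnerability. This application is vulnerable to MITM attacks
Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security vulnerability. This application is vulnerable to MITM attacks https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: com/c/a/a/f.java, line(s) 66,6,7,8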
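Medium: The application has cleartext network traffic enabled
[android:usesCleartextTraffic=true] The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager and MediaPlayer. For applications targeting API level 27 or lower, the default value is "true". For applications targeting API level 28 or higher, the default value is "false". The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and tamper protection; a network attacker can eavesdrop on the transmitted data and modify it without being detected.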
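Medium: Broadcast Receiver (com.ichano.athome.avs.service.DeviceReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true] A Broadcast Receiver was found to be shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.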
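Medium: Activity (com.huawei.openalliance.ad.activity.PPSLauncherActivity) is not protected.
[android:exported=true] An Activity was found to be shared with other applications on the device, which makes it accessible to any other application on the device.
Medium: High Intent priority (1000)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.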
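Medium: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/ichano/athome/avs/ui/face/MySQLiteHelper.java, line(s) 4,5,29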
Medium: The application can read/write external storage. Any application can read data written to external storage
The application can read/write external storage. Any application can read data written to external storage https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/ichano/athome/avs/common/a.java, line(s) 16,17 com/ichano/athome/avs/common/d.java, line(s) 50,51 com/ichano/athome/avs/ui/activity/RecordedVideoActivity.java, line(s) 88 com/ichano/athome/avs/ui/activity/Working.java, line(s) 1109,1135,3449 com/ichano/athome/avs/utils/a.java, line(s) 25,26 com/ichano/athome/avs/utils/e.java, line(s) 51 com/ichano/athome/avs/utils/h.java, line(s) 21,22,20 com/ichano/rvs/streamer/ui/AvsInitHelper.java, line(s) 127 com/ichano/rvs/streamer/util/AvsPersistTool.java, line(s) 30
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/ichano/athome/avs/ui/activity/Working.java, line(s) 1855 com/ichano/rvs/streamer/RvsFileManager.java, line(s) 27,19,20,21,22,23 com/ichano/rvs/streamer/Streamer.java, line(s) 154 com/ichano/rvs/streamer/ui/AvsInitHelper.java, line(s) 166
Medium: IP address disclosure
IP address disclosure Files: com/ichano/athome/avs/ui/activity/Working.java, line(s) 1582 com/ichano/rvs/streamer/Streamer.java, line(s) 500 com/ichano/rvs/streamer/util/NetUtil.java, line(s) 17,38,41
Medium: The application uses an insecure random number generator
The application uses an insecure random number generator https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/b/a/p.java, line(s) 14 com/ichano/athome/avs/ui/activity/BaseActivity.java, line(s) 28 com/ichano/rvs/streamer/ui/MediaService.java, line(s) 51 com/ichano/rvs/streamer/ui/MediaSurfaceView.java, line(s) 53 com/ichano/rvs/streamer/ui/MediaSurfaceViewDY.java, line(s) 53 com/ichano/rvs/streamer/ui/MediaSurfaceViewHYW.java, line(s) 53 d/a/a/b/a.java, line(s) 4 d/a/a/b/c.java, line(s) 3
Medium: MD5 is a weak hash known to have hash collisions
MD5 is a weak hash known to have hash collisions https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/ichano/athome/avs/utils/i.java, line(s) 13
Medium: This application may contain hardcoded secrets
The following secrets were identified in the application. Ensure that these are not secrets or private information.
- AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-3787833877814133~5586633943"
- "userName" : "Username"
- 3517262215d8d3008cbf888750b6418edc4d562ac33ed6874e0d73aba667bc3c
- e49d5c2c0e11b3b1b96ca56c6de2a14ec7dab5ccc3b5f300d03e5b4dba44f539
- 11a86f136e154c62b5e6e9c15f34f80e
Info: The application logs information. Sensitive information must not be logged
The application logs information. Sensitive information must not be logged https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Secure: This application uses SSL pinning to detect or prevent MITM attacks in the secure communication channel
This application uses SSL pinning to detect or prevent MITM attacks in the secure communication channel https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/c/a/a/f.java, line(s) 18,66
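Secure: This application has no privacy trackers
This application does not include any user or device trackers. No trackers were found during static analysis.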
Hotspot: The application may communicate with a server (dnkeeper.hicloud.com) located in an OFAC-sanctioned country (China).
{'ip': '49.4.47.156', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Hotspot: The application may communicate with a server (wap.ichano.cn) located in an OFAC-sanctioned country (China).
{'ip': '49.4.1.231', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Hotspot: The application may communicate with a server (update.ichano.cn) located in an OFAC-sanctioned country (China).
{'ip': '49.4.47.156', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}