Security Score: 41/100

Risk Rating (grade scale)
- A
- B
- C
- F

Severity Distribution (%)

Privacy Risk: 0 user/device trackers

Findings
- High: 6
- Medium: 10
- Info: 2
- Secure: 2
- Hotspot: 0
[HIGH] Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
  Files:
    com/iapp/app/Webview.java, line(s) 328,327
[HIGH] If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
  Files:
    com/iapp/app/c.java, line(s) 84,89,10
[HIGH] By default, calling Cipher.getInstance("AES") returns AES in ECB mode. ECB mode is known to be weak because identical plaintext blocks produce identical ciphertext blocks.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
  Files:
    com/b/a/a/a.java, line(s) 34
    com/mycompany/myapp/C0021.java, line(s) 157,164
[HIGH] The application uses a weak encryption algorithm.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
  Files:
    com/mycompany/myapp/C0021.java, line(s) 68,83
[HIGH] The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
  Files:
    com/mycompany/myapp/C0021.java, line(s) 68,83
[HIGH] Debug configuration is enabled. Production builds must not be debuggable.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
  Files:
    com/dwood/paintdemo/BuildConfig.java, line(s) 3,4
[MEDIUM] The application has cleartext network traffic enabled.
  [android:usesCleartextTraffic=true] The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager and MediaPlayer. The default value is "true" for applications targeting API level 27 or lower and "false" for applications targeting API level 28 or higher. The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and tamper protection: a network attacker can eavesdrop on the transmitted data and modify it without being detected.
[MEDIUM] Activity-Alias (aa.Test) is not protected.
  An intent-filter is present. The Activity-Alias was found to be shared with other applications on the device, making it accessible to any other application on the device. The presence of an intent-filter indicates that this Activity-Alias is explicitly exported.
[MEDIUM] SHA-1 is a weak hash with known hash collisions.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
  Files:
    com/b/a/a/a.java, line(s) 26,26
    com/love/C0469rl.java, line(s) 215
    com/love/C0491rl.java, line(s) 217
    com/mycompany/myapp/C0021.java, line(s) 149
[MEDIUM] The file may contain hard-coded sensitive information such as usernames, passwords, keys, etc.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
  Files:
    com/love/tx.java, line(s) 77
[MEDIUM] Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
  Files:
    com/b/a/a/u.java, line(s) 2337,2321,6820
    com/iapp/app/Aid_YuCodeX.java, line(s) 911,962,895,946,3001
    com/iapp/app/Aid_javaCode.java, line(s) 1063,1047,1752,1878
    com/iapp/app/Aid_jsCode.java, line(s) 1056,1040,1797,1923
    com/iapp/app/Aid_luaCode.java, line(s) 1228,1212,1946,2079
    com/iapp/app/Webview.java, line(s) 268,251
    com/iapp/app/c.java, line(s) 17,48,18,49
    com/iapp/app/run/main.java, line(s) 535,519
    com/iapp/app/run/main2.java, line(s) 362,346
    com/iapp/app/run/main3.java, line(s) 526,510
    com/iapp/app/run/mian.java, line(s) 497,548,481,532
[MEDIUM] The application uses an insecure random number generator.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
  Files:
    com/b/a/a/i.java, line(s) 26
    com/love/C0240iz.java, line(s) 30
    com/love/C0262iz.java, line(s) 30
    com/love/pU.java, line(s) 14
[MEDIUM] The application can read from and write to external storage. Data written to external storage can be read by any application.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
  Files:
    com/b/a/a/f.java, line(s) 23
    com/iapp/app/n.java, line(s) 28
    com/love/C0107e.java, line(s) 69
    com/love/C0129e.java, line(s) 70
    com/love/C0157fw.java, line(s) 320
    com/love/C0179fw.java, line(s) 320
[MEDIUM] Insecure WebView implementation. A WebView arbitrary code execution vulnerability may be present.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
  Files:
    com/b/a/a/u.java, line(s) 1007,6843,2321,6820
    com/iapp/app/Aid_YuCodeX.java, line(s) 3024,4376,895,946,3001
    com/iapp/app/Aid_javaCode.java, line(s) 1775,1901,2671,1047,1752,1878
    com/iapp/app/Aid_jsCode.java, line(s) 1820,1946,2871,3713,1040,1797,1923
    com/iapp/app/Aid_luaCode.java, line(s) 1969,2102,2967,1212,1946,2079
    com/iapp/app/c.java, line(s) 41,72,18,49
[MEDIUM] MD5 is a weak hash with known hash collisions.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
  Files:
    com/b/a/a/q.java, line(s) 116
    com/mycompany/myapp/C0021.java, line(s) 22
[MEDIUM] The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
  Files:
    com/b/a/a/o.java, line(s) 6,71,118,120
    com/b/a/a/u.java, line(s) 14,1432
    com/iapp/app/Aid_YuCodeX.java, line(s) 13,5784
    com/iapp/app/Aid_javaCode.java, line(s) 14,3533
    com/iapp/app/Aid_jsCode.java, line(s) 13,3603
    com/iapp/app/Aid_luaCode.java, line(s) 14,3929
[INFO] The application writes log messages. Sensitive information must not be logged.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
  Files:
    bsh/BshClassManager.java, line(s) 313
    bsh/CommandLineReader.java, line(s) 20
    bsh/Console.java, line(s) 12,9
    bsh/NameSpace.java, line(s) 291
    bsh/Parser.java, line(s) 2305
    bsh/Remote.java, line(s) 44,103,107,148
    bsh/SimpleNode.java, line(s) 32
    bsh/classpath/BshClassPath.java, line(s) 465,473,674
    bsh/classpath/ClassManagerImpl.java, line(s) 241
    bsh/util/ClassBrowser.java, line(s) 468
    bsh/util/Httpd.java, line(s) 23
    bsh/util/JDemoApplet.java, line(s) 27,30
    bsh/util/Sessiond.java, line(s) 22
    bsh/util/SessiondConnection.java, line(s) 29
    cn/hugo/android/scanner/CaptureActivity.java, line(s) 275,94,104,107
    cn/hugo/android/scanner/a/a.java, line(s) 50,60,70
    cn/hugo/android/scanner/a/b.java, line(s) 48,56,65,70,83,107,118,142,151,161,32,158,163,181
    cn/hugo/android/scanner/a/c.java, line(s) 59,173,193,194,195,100,99,108
    cn/hugo/android/scanner/a/e.java, line(s) 29,32,16
    cn/hugo/android/scanner/a/f.java, line(s) 29
    cn/hugo/android/scanner/b.java, line(s) 40
    cn/hugo/android/scanner/c/c.java, line(s) 73,85,93,108,112,104
    cn/hugo/android/scanner/c/f.java, line(s) 46
    cn/hugo/android/scanner/d.java, line(s) 27,77,83
    com/b/a/a/h.java, line(s) 124
    com/c/a/k.java, line(s) 86,90,157,192,260,280,284,321,325
    com/dwood/paintdemo/ColorPickerDialog.java, line(s) 160,164,202
    com/love/AbstractC0023aw.java, line(s) 29
    com/love/AbstractC0045aw.java, line(s) 30
    com/love/C0048bu.java, line(s) 35,175
    com/love/C0070bu.java, line(s) 39,179
    com/love/C0127et.java, line(s) 18
    com/love/C0149et.java, line(s) 18
    com/love/C0191hc.java, line(s) 9
    com/love/C0213hc.java, line(s) 9
    com/love/C0221ig.java, line(s) 36
    com/love/C0243ig.java, line(s) 37
    com/love/C0262ju.java, line(s) 15
    com/love/C0279kk.java, line(s) 25
    com/love/C0284ju.java, line(s) 15
    com/love/C0301kk.java, line(s) 26
    com/love/C0363nn.java, line(s) 81
    com/love/C0385nn.java, line(s) 82
    com/love/C0427px.java, line(s) 21
    com/love/C0449px.java, line(s) 21
    com/love/C0467rj.java, line(s) 432
    com/love/C0489rj.java, line(s) 433
    com/love/Cif.java, line(s) 19
    com/love/ComponentCallbacks2C0257jp.java, line(s) 196,201,203,209,212,227,234,383
    com/love/ComponentCallbacks2C0279jp.java, line(s) 198,203,205,211,214,229,236,385
    com/love/ComponentCallbacks2C0418po.java, line(s) 59,189
    com/love/ComponentCallbacks2C0440po.java, line(s) 60,190
    com/love/P.java, line(s) 41,55,124,147,161,167,172
    com/love/RunnableC0350na.java, line(s) 63,141,351
    com/love/RunnableC0372na.java, line(s) 64,142,352
    com/love/X.java, line(s) 21
    com/love/aT.java, line(s) 21
    com/love/bB.java, line(s) 30,40,51,83
    com/love/bH.java, line(s) 23
    com/love/bN.java, line(s) 50,64,69,74
    com/love/cB.java, line(s) 143,159,174
    com/love/cC.java, line(s) 27
    com/love/cH.java, line(s) 38
    com/love/cL.java, line(s) 47,57
    com/love/cQ.java, line(s) 46
    com/love/dI.java, line(s) 108
    com/love/eS.java, line(s) 36
    com/love/fC.java, line(s) 33
    com/love/fF.java, line(s) 67
    com/love/fK.java, line(s) 37,43
    com/love/hW.java, line(s) 51
    com/love/iP.java, line(s) 40
    com/love/kS.java, line(s) 55
    com/love/kT.java, line(s) 17
    com/love/lE.java, line(s) 31
    com/love/lK.java, line(s) 50,53,59,66,71
    com/love/nQ.java, line(s) 129
    com/love/oC.java, line(s) 107,148
    com/love/pA.java, line(s) 53,70,82,95,137,144,158,160,171,182
    com/love/rT.java, line(s) 21
    com/love/rU.java, line(s) 31,58
    com/love/tw.java, line(s) 39,43,45,51,115
    com/wawi/ruler/bundle/SimpleBundle.java, line(s) 8,12
    fr/castorflex/android/verticalviewpager/VerticalViewPager.java, line(s) 959,1836,1842,1859
    org/keplerproject/luajava/Console.java, line(s) 39,40,24
    org/keplerproject/luajava/LuaObject.java, line(s) 354
[INFO] This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
  Files:
    com/iapp/app/ays.java, line(s) 8,147
[SECURE] This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
  Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
  Files:
    com/b/a/a/i.java, line(s) 502,504
    com/love/eA.java, line(s) 93,92,100,91,91
[SECURE] This application has no privacy trackers.
  This application does not include any user or device trackers. No trackers were found during static analysis.