Mobile Application Security Scan Report: Photo v16.5.919.87

Security Baseline Score: 60/100

Overall Risk Level

Risk grade scale: A, B, C, F

Distribution of Vulnerabilities and Security Checks (%)

Privacy Risk

Third-party trackers detected: 0


Result Distribution

High-severity vulnerabilities: 0
Medium-severity vulnerabilities: 12
Informational: 1
Passed checks: 2
Security hotspots: 0

Medium-severity vulnerability: The application has cleartext network traffic enabled

[android:usesCleartextTraffic=true]
The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager and MediaPlayer. For apps targeting API level 27 or lower the default is "true"; for apps targeting API level 28 or higher the default is "false". The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and tamper protection: a network attacker can eavesdrop on the transmitted data and modify it without being detected.

Medium-severity vulnerability: Application data is at risk of being leaked

The [android:allowBackup] flag is not set
The [android:allowBackup] flag should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. This lets a user who has enabled USB debugging copy the application's data off the device.

Medium-severity vulnerability: Service (net.pkvhhwwiuid.ozmnlonmpc.Service) is not protected.

[android:exported=true]
The Service was found to be shared with other apps on the device, so it can be accessed by any other application on the device.

Medium-severity vulnerability: Broadcast Receiver (net.pkvhhwwiuid.ozmnlonmpc.Receiver) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BROADCAST_SMS [android:exported=true]
A Broadcast Receiver was found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analyzed application, so the protection level of that permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Medium-severity vulnerability: Activity-Alias (net.pkvhhwwiuid.ozmnlonmpc.CatInWonderland) is not protected.

[android:exported=true]
The Activity-Alias was found to be shared with other apps on the device, so it can be accessed by any other application on the device.

Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service was found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analyzed application, so the protection level of that permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver was found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analyzed application, so the protection level of that permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver was found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analyzed application, so the protection level of that permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Medium-severity vulnerability: High Intent priority (1000) - {1} hit(s)

[android:priority]
By setting a higher priority than another Intent, the application effectively overrides the other requests.

Medium-severity vulnerability: The application uses an insecure random number generator

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
ff55ff5ff55fff55f55555fffffff5fff5f55ff55/k7k77kkk7k7k7777kkk7kk7777777777k7k77kkk777kk77kkk7kkkk7k77kk7kkkk77kk7k7.java, line(s) 6
ff55ff5ff55fff55f55555fffffff5fff5f55ff55/s11s1ss1ss1sss1sss1s11s1ssss111s1s111s1ssssssssss1ss1ss11111.java, line(s) 3
ff55ff5ff55fff55f55555fffffff5fff5f55ff55/sss4s4s44s4s44s4sss44.java, line(s) 3
kk999999k9kkk9k9kk9k9k9999kk9k9kkkkkkkk999999999kkkkk9kkk99kkkk/sss4s4s44s4s44s4sss44.java, line(s) 3
z333zz3zzz3333z3z3zzz3z/m111mmm111m1m1m1mm111mmmm1mm1111m1m1mm11mmm1m1mmmm1mm.java, line(s) 10

Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
ooooo8oo8oo88888ooooo8o8o88oo8o8o8oo8ooooooo88ooo888o8/k7k77kkk7k7k7777kkk7kk7777777777k7k77kkk777kk77kkk7kkkk7k77kk7kkkk77kk7k7.java, line(s) 4,35
pp3p3p3ppppp3333p3p3p33pp3pp33p33p333p33333p3333pppp3pppp/q777qqqqqq77q777q7qq7q777qqqqqqqq7q7qqq7qqq7q777q7q7q7q7qq7qqqqq777.java, line(s) 5,25,41,42,54,55

Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.

Files:
zzz33z3z3z333zz3zz3333333333z3z33zz3z33zz3zz333z3z3zz333zz33333z3z33z3zzz/iiiiiiiiiii888ii888888ii8iiiiii88i8ii8ii8iii8888ii8888.java, line(s) 138

Informational: The application writes log messages; sensitive information must not be logged

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:

Passed check: This application uses SSL pinning to detect or prevent MITM attacks on its secure communication channels

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
oo33o3oo3333o333oooooo3oo333/jj000jjj00jjjjjjjj00jj0000jj0j000j00j00j0j000j00jjjjj00jjjjj00jjjj0j00j0j00.java, line(s) 45,44,60,43,43
oo33o3oo3333o333oooooo3oo333/m1111mmmmmmm11m1mmm11m111m1m111mmm1111mm1m1mmmm11111mm11mmm1mmmm1mm111mmmm11mmmm111mm11mm.java, line(s) 45,44,62,55,43,43
oo33o3oo3333o333oooooo3oo333/t4t4t4tt4t4t44t44tt4t4tt4t4tt44tttt4ttt44tt4t4t.java, line(s) 37,36,35,35
oo33o3oo3333o333oooooo3oo333/z333zz3zzz3333z3z3zzz3z.java, line(s) 38,37,36

Passed check: This application has no privacy trackers

This application does not include any user or device trackers. No trackers were found during static analysis.

Overall Security Baseline Score: (Photo 16.5.919.87)