Security Analysis Report: 一拍即传 v7.4.0

Security score: 49/100

Risk rating (grade scale: A, B, C, F)

Severity distribution (%)

Privacy risk: 1 user/device tracker

Findings

High      3
Medium   17
Info      2
Secure    2
Hotspot  15

High: Remote WebView debugging is enabled

Remote WebView debugging is enabled. This rule fires on WebView.setWebContentsDebuggingEnabled(true); when the call survives into a release build, anyone who can reach the device over adb can attach Chrome DevTools to the app's WebViews, read the DOM and cookies of the loaded pages and execute JavaScript in them. Gate the call on BuildConfig.DEBUG or remove it.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing

Files:
com/smallbuer/jsbridge/core/BridgeWebView.java, line(s) 34,7,8

High: The app uses CBC encryption mode with PKCS5/PKCS7 padding, which is vulnerable to padding oracle attacks

The app uses CBC mode with PKCS5/PKCS7 padding. This configuration is exploitable whenever the party that decrypts the data reveals, through a distinct error, response or timing difference, whether the padding of a tampered ciphertext was valid, and the ciphertext is not authenticated before decryption; an attacker can then decrypt (and often forge) messages without the key at a cost of roughly 128 queries per byte. Use an authenticated mode such as AES-GCM, or encrypt-then-MAC with a constant-time tag check before any decryption. Whether attacker-controlled ciphertext can reach the flagged call sites has to be confirmed by reading them.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
a4/c.java, line(s) 30,79
k3/a.java, line(s) 54,80
p6/a.java, line(s) 28,68
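What this finding means in practice, as an added example (not code from the report or from the app): the script implements CBC mode with PKCS#7 padding over a small Feistel block cipher that stands in for AES so that it runs on the Python standard library alone (the attack does not depend on which block cipher is used), a decryptor whose only observable output is whether the padding was valid, and the attack that recovers the whole plaintext from that single bit per query. The same message under encrypt-then-MAC is rejected before its padding is ever examined, so the oracle is gone. Keys, IV and message are constructed values.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel cipher on 16-byte blocks (keyed SHA-256 round function).
# It stands in for AES: CBC mode and the attack are the same for any block cipher.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    data, prev, out = pkcs7_pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return iv + out

def cbc_decrypt(key, ciphertext):  # ciphertext = IV || blocks
    prev, out = ciphertext[:BLOCK], b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return pkcs7_unpad(out)  # a distinguishable failure here is the padding oracle

def accepts(decrypt, blob):  # models a server that only reveals "did decryption fail?"
    try:
        decrypt(blob)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, ciphertext):  # oracle(ct) -> bool is all it needs
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, cur), recovered byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # bytes after pos must decrypt to `pad`
                forged[j] = inter[j] ^ pad
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:  # exclude an accidental 0x02 0x02 (or longer) match
                    forged[pos - 1] ^= 0xFF
                    ok = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 0xFF
                    if not ok:
                        continue
                inter[pos] = guess ^ pad
                break
        plain += _xor(bytes(inter), prev)
    return pkcs7_unpad(plain)

# Fix: encrypt-then-MAC. Tampered ciphertext is rejected before padding is examined,
# with one error for every failure, so the oracle disappears.
def encrypt_then_mac(enc_key, mac_key, iv, plaintext):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def decrypt_authenticated(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return cbc_decrypt(enc_key, ct)

def count_accepted_tampers(decrypt, blob):
    # how many single-byte changes to the first byte decrypt() fails to reject
    return sum(accepts(decrypt, bytes([g]) + blob[1:]) for g in range(256) if g != blob[0])
```

In the Android code this corresponds to Cipher.getInstance("AES/CBC/PKCS5Padding") with no MAC: replace it with "AES/GCM/NoPadding" (fresh 12-byte nonce per message) or add an HMAC that is verified before decryption, and make every decryption failure produce the same error with comparable timing.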

High: The file is world-writable; any app can write to it

The file is created world-writable (MODE_WORLD_WRITEABLE), so any other app on the device can replace its contents, and anything the app later reads from it is attacker-controlled. These modes are deprecated, and for apps targeting Android 7.0 (API 24) or later openFileOutput() throws a SecurityException when they are used. Create files in MODE_PRIVATE and, if data must be shared with another app, hand it out through a ContentProvider or FileProvider.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
x3/a.java, line(s) 76

Medium: Cleartext network traffic is enabled

[android:usesCleartextTraffic=true]
The app intends to use cleartext network traffic, such as plain HTTP, FTP, DownloadManager and MediaPlayer. The default is "true" for apps targeting API level 27 or lower and "false" for apps targeting API level 28 or higher. The reasons to avoid cleartext traffic are the lack of confidentiality, authenticity and tamper protection: an attacker on the network path can read the transmitted data and modify it without being detected.

Medium: App data can be backed up

[android:allowBackup=true]
This flag allows anyone to back up the app's data with adb backup: a user, or anyone holding the unlocked device, who has enabled USB debugging can copy the app's private data off the device.

Medium: Activity (us.pinguo.pat360.cameraman.wxapi.WXPayEntryActivity) is not protected

[android:exported=true]
The Activity is shared with other apps on the device and can therefore be launched by any other app on the device. This class is the WeChat Pay callback entry point, which the WeChat SDK requires to be exported; it must treat every incoming intent as untrusted.

Medium: Activity (us.pinguo.mix.modules.beauty.BeautyActivity) is not protected

[android:exported=true]
The Activity is shared with other apps on the device and can therefore be launched by any other app on the device.

Medium: Activity (us.pinguo.pat360.cameraman.usercenter.CMDemoActivity) is not protected

[android:exported=true]
The Activity is shared with other apps on the device and can therefore be launched by any other app on the device.

Medium: Activity (com.alipay.sdk.app.PayResultActivity) is not protected

[android:exported=true]
The Activity is shared with other apps on the device and can therefore be launched by any other app on the device. This class is declared by the Alipay SDK.

Medium: Activity (com.alipay.sdk.app.AlipayResultActivity) is not protected

[android:exported=true]
The Activity is shared with other apps on the device and can therefore be launched by any other app on the device. This class is declared by the Alipay SDK.
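The three manifest findings above (cleartext traffic, allowBackup, exported components) can be reproduced on a manifest with a short checker. The script below is an added example, not part of the report or of the app: the manifest fragment is constructed around the activity names listed above with a placeholder package name and launcher activity, and the hardened variant shows the corrected attributes. WXPayEntryActivity stays exported in the hardened version because the WeChat SDK launches it from the WeChat app; its protection is validating the intent it receives, not a permission.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # Clark notation for android:

def audit_manifest(manifest_xml):
    """Return [(severity, message)] for the manifest checks this report raises."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append(("medium", "usesCleartextTraffic=true: cleartext HTTP/FTP is allowed"))
    if app.get(ANDROID + "allowBackup") != "false":
        findings.append(("medium", "allowBackup not set to false: data can be pulled with adb backup"))
    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Without an explicit android:exported, a component that declares an
            # intent-filter is exported (Android 12+ requires the attribute to be explicit).
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and comp.get(ANDROID + "permission") is None and not _is_launcher(comp):
            findings.append(("medium", "%s %s is exported and not protected by a permission"
                             % (comp.tag, comp.get(ANDROID + "name"))))
    return findings

def _is_launcher(comp):
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for f in comp.findall("intent-filter") for c in f.findall("category"))

# Constructed manifest fragment reproducing the flagged settings. The package name and
# MainActivity are placeholders; the other three activity names are from the report.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="us.pinguo.pat360.cameraman.wxapi.WXPayEntryActivity" android:exported="true"/>
    <activity android:name="us.pinguo.mix.modules.beauty.BeautyActivity" android:exported="true"/>
    <activity android:name="us.pinguo.pat360.cameraman.usercenter.CMDemoActivity" android:exported="true"/>
  </application>
</manifest>"""

# Hardened variant: cleartext and backup off, internal activities no longer exported.
# WXPayEntryActivity is left exported because the WeChat app has to launch it.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:usesCleartextTraffic="true" android:allowBackup="true"',
    'android:usesCleartextTraffic="false" android:allowBackup="false"',
).replace('BeautyActivity" android:exported="true"', 'BeautyActivity" android:exported="false"'
).replace('CMDemoActivity" android:exported="true"', 'CMDemoActivity" android:exported="false"')

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest))
```

Run against the decoded AndroidManifest.xml of the APK (apktool d produces it in text form) rather than the binary manifest inside the archive.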

Medium: The app can read/write external storage; any app can read data written to external storage

The app reads from or writes to external storage. Files there are readable by any app holding READ_EXTERNAL_STORAGE (and were world-readable on older Android versions), so nothing sensitive should be stored there unencrypted, and anything read back from external storage must be treated as untrusted input.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
aa/d.java, line(s) 55
aa/f.java, line(s) 26,62
b9/a.java, line(s) 165,286
cc/a.java, line(s) 22
m6/e.java, line(s) 15,32
o6/d.java, line(s) 29
od/d.java, line(s) 149,158
pa/k.java, line(s) 10,27,31,33,35,37
pa/p.java, line(s) 120,133,181
pc/a.java, line(s) 144,154
pd/n.java, line(s) 23,35,42
q2/c.java, line(s) 492,493,797,798
s2/c.java, line(s) 10,24,26
t7/a.java, line(s) 13,14,16,31,49
us/pinguo/aisdk/tools/AIToolDemo.java, line(s) 56,116
us/pinguo/cameraman/util/io/b.java, line(s) 20
us/pinguo/pat360/basemodule/app/Config.java, line(s) 28
us/pinguo/pat360/cameraman/ai/settings/v3/CMAIJSBridge.java, line(s) 193
us/pinguo/pat360/cameraman/redux/action/CMActionCopy.java, line(s) 85
v1/a.java, line(s) 47,57,69
w9/a.java, line(s) 251

Medium: Files may contain hard-coded sensitive information such as usernames, passwords or keys

The listed files may contain hard-coded sensitive information such as usernames, passwords or keys. The rule is a pattern match on identifiers and string literals, so each hit has to be confirmed by hand.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
ae/a.java, line(s) 41
bd/CMOrderBo.java, line(s) 240
l9/a.java, line(s) 121
qb/MakePhotoReq.java, line(s) 193
us/pinguo/mix/effects/model/EffectConstants.java, line(s) 16,17
us/pinguo/mix/effects/model/EffectModel.java, line(s) 414,319,433
us/pinguo/mix/effects/model/EffectResourceManager.java, line(s) 133
us/pinguo/mix/effects/model/entity/CompositeEffect.java, line(s) 54,40
us/pinguo/mix/effects/model/entity/EffectType.java, line(s) 14
us/pinguo/mix/modules/install/EffectV1DatabaseHelper.java, line(s) 25,26,18,19,20
us/pinguo/mix/modules/saveshare/SaveShareLogic.java, line(s) 54,58
us/pinguo/pat360/basemodule/bean/CMAIToning.java, line(s) 181
us/pinguo/pat360/basemodule/bean/CMHistory.java, line(s) 136
us/pinguo/pat360/basemodule/bean/CMPhoto.java, line(s) 726
us/pinguo/pat360/basemodule/bean/CMPhotoAiToning.java, line(s) 94
us/pinguo/pat360/cameraman/lib/api/bean/AiExpiredTipBean.java, line(s) 84
us/pinguo/pat360/cameraman/lib/api/entity/FSOrderBean.java, line(s) 121
us/pinguo/pat360/cameraman/redux/boscope/CMEffectScope.java, line(s) 449
va/e.java, line(s) 66,68
yc/CMShoppingCartResultVo.java, line(s) 48

Medium: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in a raw SQL query can lead to SQL injection. Sensitive information should also be encrypted before being written to the database

The app uses SQLite and executes raw SQL queries (rawQuery/execSQL). Untrusted input concatenated into such a query allows SQL injection; bind values with ? placeholders (the selectionArgs of rawQuery/query) instead of building the statement from strings. Sensitive data should be encrypted before it is written to the database.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
c1/a.java, line(s) 5,6,7,8,118
com/founder/foundersdk/DownCenter/BDHelper.java, line(s) 4,5,15
ia/e.java, line(s) 4,39
ia/f.java, line(s) 5,6,33
ua/a.java, line(s) 7,121
us/pinguo/mix/effects/model/EffectDatabaseHelper.java, line(s) 4,5,91
us/pinguo/mix/effects/model/EffectResourceManager.java, line(s) 7,82
us/pinguo/mix/modules/install/EffectV1DatabaseHelper.java, line(s) 4,5,18
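The difference between a raw query built by concatenation and a parameterised one, as an added example that is not the app's code: it uses Python's sqlite3 module on a constructed in-memory table, and the two functions mirror the two rawQuery() shapes a reviewer should look for in the files listed above.

```python
import sqlite3

def open_effect_db():
    """Constructed in-memory stand-in for the app's effect database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE effect (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    db.executemany("INSERT INTO effect (name, owner) VALUES (?, ?)",
                   [("vivid", "alice"), ("retro", "alice"), ("studio-preset", "bob")])
    return db

def effects_for_owner_unsafe(db, owner):
    # Same shape as db.rawQuery("... WHERE owner = '" + owner + "'", null) in Java:
    # the value is spliced into the SQL text, so a quote in it rewrites the query.
    sql = "SELECT name FROM effect WHERE owner = '%s' ORDER BY id" % owner
    return [row[0] for row in db.execute(sql)]

def effects_for_owner_safe(db, owner):
    # Same shape as db.rawQuery("... WHERE owner = ?", new String[]{owner}):
    # the value is bound as data and cannot change the statement.
    sql = "SELECT name FROM effect WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

if __name__ == "__main__":
    db = open_effect_db()
    payload = "x' OR '1'='1"
    print(effects_for_owner_unsafe(db, payload))  # every row, including bob's
    print(effects_for_owner_safe(db, payload))    # nothing: no owner has that literal name
```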

Medium: The app creates temporary files. Sensitive information should never be written to temporary files

The app creates temporary files (File.createTempFile). Sensitive information should never be written to them; where they are needed, create them in the app's private cache directory and delete them as soon as they are no longer used.

Files:
hb/q.java, line(s) 176
o6/g.java, line(s) 45
pa/d.java, line(s) 21
s8/d.java, line(s) 20
t7/a.java, line(s) 24
us/pinguo/pat360/cameraman/helper/PhotoUpload.java, line(s) 92
us/pinguo/pat360/cameraman/redux/action/debug/CMActionUploadLog.java, line(s) 138
us/pinguo/pat360/cameraman/redux/action/effect/CMActionEffectBackUp.java, line(s) 143

Medium: SHA-1 is a weak hash with known collision attacks

SHA-1 is a weak hash with practical collision attacks. It is acceptable only for non-security uses such as cache keys; for integrity checks or signatures use SHA-256 or stronger.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
a4/b.java, line(s) 12
a4/c.java, line(s) 29,78
b4/a.java, line(s) 92
e4/i.java, line(s) 26
p2/d.java, line(s) 132
pd/c.java, line(s) 15

Medium: MD5 is a weak hash with known collision attacks

MD5 is a weak hash with trivial collision attacks. It is acceptable only for non-security uses such as file-change detection against accidental corruption; for integrity checks, signatures or password storage use SHA-256 or a dedicated password hash.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
c6/c.java, line(s) 15
pa/e.java, line(s) 10
pd/o.java, line(s) 213
q4/b.java, line(s) 83
us/pinguo/pat360/basemodule/utils/FileUtil.java, line(s) 415
y4/c.java, line(s) 12

Medium: The app uses an insecure random number generator

The app uses an insecure random number generator. This rule fires on java.util.Random, whose 48-bit linear congruential state can be recovered from two consecutive outputs, after which all future output is predictable. Use java.security.SecureRandom for anything with a security purpose (tokens, nonces, IVs, keys).
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
k3/d.java, line(s) 5
l3/b.java, line(s) 12
la/h.java, line(s) 18
v7/a.java, line(s) 4
v7/c.java, line(s) 3
x3/a.java, line(s) 6
y3/k.java, line(s) 42
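Why java.util.Random counts as insecure, shown by an added example (not code from the report or from the app): the class below is a port of its 48-bit LCG, and recover_state() rebuilds the generator from two consecutive nextInt() values by brute-forcing the 16 hidden state bits, after which every future value is known. Anything derived from such a generator (session tokens, file names meant to be unguessable, IVs) is predictable; SecureRandom has no such structure.

```python
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1

class JavaRandom:
    """Pure-Python port of java.util.Random: a 48-bit LCG that exposes 32 bits per call."""
    def __init__(self, seed):
        self.seed = (seed ^ MULT) & MASK

    def next_bits(self, bits):
        self.seed = (self.seed * MULT + ADD) & MASK
        return self.seed >> (48 - bits)

    def next_int(self):
        v = self.next_bits(32)
        return v - (1 << 32) if v & (1 << 31) else v  # Java int is signed

def recover_state(out1, out2):
    """Two consecutive nextInt() values pin down the generator: the first is the top
    32 of the 48 state bits, the second selects among the 65536 candidates for the rest."""
    hi = (out1 & 0xFFFFFFFF) << 16
    for low in range(1 << 16):
        nxt = ((hi | low) * MULT + ADD) & MASK
        if nxt >> 16 == (out2 & 0xFFFFFFFF):
            clone = JavaRandom.__new__(JavaRandom)
            clone.seed = nxt  # same state as the victim right after it produced out2
            return clone
    return None

def predict_next_int(out1, out2):
    clone = recover_state(out1, out2)
    return None if clone is None else clone.next_int()

if __name__ == "__main__":
    victim = JavaRandom(42)  # the attacker never learns this seed
    a, b, c = (victim.next_int() for _ in range(3))
    print(a, b, c, predict_next_int(a, b) == c)
```

The attacker needs only two observed values (for example two "random" file names or two request tokens) and about 65k multiplications; seeding with the clock or the PID does not help, because the seed is never needed.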

Medium: Ensure that user-controlled URLs never reach a WebView. Enabling file access from URLs in a WebView can leak sensitive information from the file system

Ensure that user-controlled URLs never reach a WebView. With file access enabled on the WebView's settings (the setAllowFileAccess* options), a page loaded from an attacker-chosen URL can read local files, including the app's private storage, and send them out; keep file access off unless a specific local page needs it and validate every URL passed to loadUrl().
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6

Files:
us/pinguo/pat360/cameraman/albumpreview/CMAlbumPreviewFragment.java, line(s) 407,415
us/pinguo/pat360/cameraman/widget/X5WebView.java, line(s) 64,62
us/pinguo/pat360/cameraman/widget/X5WebViewV2.java, line(s) 197,195

Medium: The app contains privacy trackers

This app contains 1 privacy tracker. Trackers can follow the device or the user and are a privacy concern for end users.

Medium: The app may contain hard-coded secrets

The following candidate secrets were identified in the app. Confirm that they are not secret or private data:
"composite_sdk_key" : …
"composite_sdk_param_Secret" : "Secret"
413872524d9a10bb1537009834992
gYBXs4GuUnLN7McYO37akhyLyKLeW99I02gaxgdU1U8=
6b66ef08-204f-40a6-864f-83fe3a3f5b66
e3aef39b-2eca-4529-8ca7-4d58207b7060
b6cbad6cbd5ed0d209afc69ad3b7a617efaae9b3c47eabe0be42d924936fa78c8001b1fd74b079e5ff9690061dacfa4768e981a526b9ca77156ca36251cf2f906d105481374998a7e6e6e18f75ca98b8ed2eaf86ff402c874cca0a263053f22237858206867d210020daa38c48b20cc9dfd82b44a51aeb5db459b22794e2d649
7bfa4735-89a4-4d0d-9299-c02c1ce38cdd
4948e889-3f9c-4a4c-b7a5-6b1d01f34998
958fe3d4-3f56-4de9-819c-6b39c477638f
0ae64230-6c9d-4f5a-a0d1-ea95d6b5cd2a
40411e87-71cc-4135-a335-9fd05c8c6a7b
e6b1bdcb890370f2f2419fe06d0fdf7628ad0083d52da1ecfe991164711bbf9297e75353de96f1740695d07610567b1240549af9cbd87d06919ac31c859ad37ab6907c311b4756e1e208775989a4f691bff4bbbc58174d2a96b1d0d970a05114d7ee57dfc33b1bafaf6e0d820e838427018b6435f903df04ba7fd34d73f843df9434b164e0220baabb10c8978c3f4c6b7da79d8220a968356d15090dea07df9606f665cbec14d218dd3d691cce2866a58840971b6a57b76af88b1a65fdffd2c080281a6ab20be5879e0330eb7ff70871ce684e7174ada5dc3159c461375a0796b17ce7beca83cf34f65976d237aee993db48d34a4e344f4d8b7e99119168bdd7
d68bd3e17ec59119b1c8d4e91c43e587
05f72a0600ffff0022025ac7ea91b205
c39a52ef3ee1d99818ff3e646e51c541
e731e10d-9362-4b09-b2a5-8edce39c2f5b
c80a1ba9-da24-4efb-9dac-0f94f0c32a04
1957b82a-7919-4812-b55b-074813d7df07
3b957206-f3b9-4188-ae07-4825e176594f
9dd1b930-130f-432e-9d07-deea27b63b64
f9e4af3d-786c-4c21-b215-08bdbacd2937
fcf594afc6a1429f1547022895884
932ebc42-5fa1-4476-b118-46b71eb192a9
4445bda9-5884-415e-9569-4698fd9f195a
b1d7c815-3083-438d-925c-9d2c4043e2fc
acd67fcb-efbd-4f95-be38-72849ee7017d
0716be20-daeb-43e5-8f96-b13dd746a323
bfb26292-574a-4f8d-bb1f-d722b11b314d
f72f659f2133eed1536982598608
ab83ee0e-4756-4ffa-a151-26e27f2c0555
5516c030-bfc0-4319-9c4b-440d29d8ada1
0a625fe1f7f3de2313142d33822d9de3
d51f83f8-5227-415a-8b0e-bbc51fe448df
b4fc6572-d153-493b-aacf-8f668948b1bf
9d68117b-a603-4035-ab9c-9f30db7b7155
f5dfc7e0-9388-4747-b317-419dfcf9c0f3
297c4a84-40bc-4d25-81be-8becbb34f0e6
QrMgt8GGYI6T52ZY5AnhtxkLzb8egpFn3j5JELI8H6wtACbUnZ5cc3aYTsTRbmkAkRJeYbtx92LPBWm7nBO9UIl7y5i5MQNmUZNf5QENurR5tGyo7yJ2G0MBjWvy6iAtlAbacKP0SwOUeUWx5dsBdyhxa7Id1APtybSdDgicBDuNjI0mlZFUzZSS9dmN8lBD0WTVOMz0pRZbR3cysomRXOO1ghqjJdTcyDIxzpNAEszN8RMGjrzyU7Hjbmwi6YNK
fb118ce9b53288566f5b5780a883dc54
b93b0479-03a1-4c42-b6a1-0b83d0c5ed3b
4ce0e2e3-3dc5-4ecc-adfc-3903c791ba3f
06cde7e5-dc52-40a1-b938-260cf5f17faf
5066a78f-caf3-479f-931c-8adae9131cca
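A first-pass triage of such a list, as an added example that is not part of the report: the values are classified by shape only (UUID, hex of digest or key size, base64 of key size, plain literal) together with their Shannon entropy, which is what separates resource identifiers and checksums from values that deserve a look at the code that uses them. The sample list is a constructed subset of the values above; whether any of them is really a credential can only be decided from its use in the code.

```python
import math
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(s):
    """Bits per character: ~4 for random hex, ~6 for random base64, low for words."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def classify(token):
    t = token.strip().strip('"')
    if UUID_RE.match(t):
        return "uuid"  # identifier-shaped (resource/effect ids); seldom a credential by itself
    if HEX_RE.match(t):
        bits = len(t) * 4
        if bits in (128, 160, 256):
            return "hex digest (%d-bit)" % bits  # MD5/SHA-1/SHA-256 sized: usually a checksum
        if bits >= 1024:
            return "hex blob (%d-bit)" % bits  # RSA key/signature sized: find out what it is
        return "hex (%d-bit)" % bits
    if B64_RE.match(t) and len(t) % 4 == 0:
        decoded = len(t) * 3 // 4 - t.count("=")
        return "base64 (%d bytes)" % decoded  # 32 bytes is the size of an AES-256 key or SHA-256
    return "string literal"  # e.g. "param_Secret" : "Secret" is a placeholder, not a secret

def triage(tokens):
    """Order the candidates so the ones worth a human look come first."""
    rows = [(tok, classify(tok), round(shannon_entropy(tok.strip('"')), 2)) for tok in tokens]
    priority = {"hex blob": 0, "base64": 1, "hex digest": 2, "hex": 3, "string literal": 4, "uuid": 5}
    return sorted(rows, key=lambda r: (priority[r[1].split(" (")[0]], -r[2]))

CANDIDATES = [  # constructed subset of the values listed in this finding
    "6b66ef08-204f-40a6-864f-83fe3a3f5b66",
    "d68bd3e17ec59119b1c8d4e91c43e587",
    "gYBXs4GuUnLN7McYO37akhyLyKLeW99I02gaxgdU1U8=",
    "413872524d9a10bb1537009834992",
    '"composite_sdk_param_Secret" : "Secret"',
]

if __name__ == "__main__":
    for token, kind, entropy in triage(CANDIDATES):
        print("%-28s %5.2f  %s" % (kind, entropy, token[:48]))
```

For the list above this puts the 32-byte base64 value and the 1024/2048-bit hex blobs at the top and the two dozen UUIDs at the bottom; the next step is grepping the decompiled sources for each top entry and reading the call site.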

Info: The app writes log messages. Sensitive information must not be logged

The app writes to the Android log (android.util.Log). Log output is readable by anyone with adb access and, on old Android versions, by other apps holding READ_LOGS, so credentials, tokens and personal data must never be logged; strip or disable logging in release builds.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
a0/a.java, line(s) 154,163,205,215
a0/t.java, line(s) 43,66
b1/k.java, line(s) 111,101,105
b6/a.java, line(s) 323
ch/qos/logback/core/spi/d.java, line(s) 26
ch/qos/logback/core/spi/e.java, line(s) 22
com/aliyun/sls/android/producer/LogProducerHttpTool.java, line(s) 62,67
com/davemorrissey/labs/subscaleview/SubsamplingScaleImageView.java, line(s) 206,210,336,340,408,749,756,785,790,1703,1906,2268
com/larvalabs/svgandroid/SVGParser.java, line(s) 497
com/race604/drawable/wave/WaveDrawable.java, line(s) 157
com/smallbuer/jsbridge/core/BaseJavascriptInterface.java, line(s) 20
com/smallbuer/jsbridge/core/BridgeLog.java, line(s) 12,18,24
com/smallbuer/jsbridge/core/BridgeTiny.java, line(s) 129
com/smallbuer/jsbridge/core/BridgeWebviewChromeClient.java, line(s) 19
com/tbruyelle/rxpermissions2/RxPermissionsFragment.java, line(s) 47
com/tonicartos/superslim/GridSLM.java, line(s) 378,50
com/tonicartos/superslim/LayoutManager.java, line(s) 1107,1166,1320
com/wang/avi/AVLoadingIndicatorView.java, line(s) 333
d0/f.java, line(s) 42
e3/b.java, line(s) 21
e4/w.java, line(s) 40,44,10
f1/h.java, line(s) 52,63,77
f1/p0.java, line(s) 34,76
f2/a.java, line(s) 17
g1/h.java, line(s) 275,278
g3/a.java, line(s) 31,45
gb/d.java, line(s) 161,152
h0/a3.java, line(s) 43,52,66,86,100,113,129
h0/c1.java, line(s) 1416,1559
h0/i3.java, line(s) 705,724,477,489,496,505,47,66,696
h0/l0.java, line(s) 96
h0/w2.java, line(s) 50,61
i0/c0.java, line(s) 299
j1/a.java, line(s) 29,28,36,42,43,48,51,37
k0/f.java, line(s) 185
k2/c.java, line(s) 40
ka/b.java, line(s) 347,365,368,373,382,475
la/c.java, line(s) 25,41,59,78
la/h.java, line(s) 426,443,608,619,665,692,716,743,752,792,802,827,831,841
m/c.java, line(s) 165
m/l.java, line(s) 48,49
m/o.java, line(s) 127
m0/c.java, line(s) 135
m5/b.java, line(s) 74
m9/o.java, line(s) 30,31
n6/a.java, line(s) 18,25,32,49
n8/e.java, line(s) 58,97,99
o5/h.java, line(s) 548
p4/c.java, line(s) 75,80
q4/b.java, line(s) 208
r/a.java, line(s) 96,99
r/c.java, line(s) 68,70
r/d.java, line(s) 118,120
r/f.java, line(s) 170,172
r0/b.java, line(s) 640,648,682,694,706,718,730,742,754,766,778,785,796,808,134,791,1168,1652,1661,1733,1743,2112,2348,2385,2388,2619
r3/a.java, line(s) 61,162,173
r3/b.java, line(s) 27
s/e.java, line(s) 93
s/f.java, line(s) 182
s/g.java, line(s) 32,108
s/h.java, line(s) 122,127
s/j.java, line(s) 97,355
s/k.java, line(s) 98,400,407
s/l.java, line(s) 260,267
s/m.java, line(s) 1103
t/a.java, line(s) 235
u5/a.java, line(s) 313
us/pinguo/pat360/cameraman/home/fragment/CMUpdateAiToningLoadingFragment.java, line(s) 49
us/pinguo/pat360/cameraman/redux/action/compat/CMActionSDCardSettingCompat.java, line(s) 80
us/pinguo/pat360/cameraman/usercenter/CMLoginActivity.java, line(s) 163,164,188,189
us/pinguo/pat360/cameraman/widget/X5WebViewV2.java, line(s) 63
v/g.java, line(s) 91,190
v/r.java, line(s) 46
v/w.java, line(s) 68
v0/b.java, line(s) 62
v3/a.java, line(s) 68,92
wa/a.java, line(s) 48,62,79,99
y/c.java, line(s) 62
y/d.java, line(s) 67
y/h.java, line(s) 339,357,363,157,166,290
y4/b.java, line(s) 8
z/f.java, line(s) 564,569
z/f0.java, line(s) 106
z/h.java, line(s) 69
z/i.java, line(s) 40,73
z/n.java, line(s) 55,227
z4/h.java, line(s) 52

Info: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, since other apps can access it

The app copies data to the clipboard. Sensitive data should not be placed there: the foreground app and the default keyboard can read the clipboard (before Android 10 any app could), and its content may be kept in clipboard history or synced across devices.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
us/pinguo/pat360/cameraman/dialog/CMControlDialog.java, line(s) 6,75,70
us/pinguo/pat360/cameraman/home/customerServiceStaff/CMCustomerServiceStaffFragment.java, line(s) 4,97,93
us/pinguo/pat360/cameraman/setting/CMOrderSettingsFragment.java, line(s) 4,134,130
y8/b.java, line(s) 5,94,91

Secure: This app uses SSL pinning to detect or prevent MITM attacks on secure communication channels

The app uses SSL pinning to detect or prevent man-in-the-middle attacks on its TLS connections. This is a static match on pinning APIs; whether every sensitive endpoint is covered, and whether a pin failure is enforced rather than merely logged, needs to be verified dynamically.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
m8/f.java, line(s) 112,110,109
m8/g.java, line(s) 155,144,165,152,152,154
m8/l.java, line(s) 113,111,110,110
m8/m.java, line(s) 259,246,256,256
us/pinguo/pat360/cameraman/lib/api/CMApi.java, line(s) 439,439

Secure: This app may have root detection

The app may implement root detection. The match is a heuristic on known root-detection strings; treat it as a defence-in-depth control that a determined attacker can bypass, not as a security boundary.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
w3/b.java, line(s) 20,20,20,20,20,20

Hotspot: The app may communicate with a server (y-dev.camera360.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '47.99.140.28', 'country_short': 'CN', 'country_long': 'China', 'region': 'Zhejiang', 'city': 'Hangzhou', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: The app may communicate with a server (beian.miit.gov.cn) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '157.185.188.1', 'country_short': 'CN', 'country_long': 'China', 'region': 'Fujian', 'city': 'Fuzhou', 'latitude': '26.061390', 'longitude': '119.306107'}

Hotspot: The app may communicate with a server (h5.m.taobao.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Zhenjiang', 'latitude': '32.209366', 'longitude': '119.434372'}

Hotspot: The app may communicate with a server (api.foundertype.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '39.99.165.15', 'country_short': 'CN', 'country_long': 'China', 'region': 'Beijing', 'city': 'Beijing', 'latitude': '39.907501', 'longitude': '116.397102'}

Hotspot: The app may communicate with a server (www.yipai360.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '58.222.46.210', 'country_short': 'CN', 'country_long': 'China', 'region': 'Zhejiang', 'city': 'Hangzhou', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: The app may communicate with a server (up4.ucweb.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '58.222.46.210', 'country_short': 'CN', 'country_long': 'China', 'region': 'Hebei', 'city': 'Zhangjiakou', 'latitude': '40.810024', 'longitude': '114.879349'}

Hotspot: The app may communicate with a server (ypjc-resource.c360dn.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '122.228.207.51', 'country_short': 'CN', 'country_long': 'China', 'region': 'Zhejiang', 'city': 'Wenzhou', 'latitude': '27.999420', 'longitude': '120.666817'}

Hotspot: The app may communicate with a server (c360-o2o.c360dn.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '122.228.207.51', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Nantong', 'latitude': '32.030296', 'longitude': '120.874779'}

Hotspot: The app may communicate with a server (item.taobao.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Taizhou', 'latitude': '32.492168', 'longitude': '119.910767'}

Hotspot: The app may communicate with a server (applog.uc.cn) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '58.222.46.210', 'country_short': 'CN', 'country_long': 'China', 'region': 'Hebei', 'city': 'Zhangjiakou', 'latitude': '40.810024', 'longitude': '114.879349'}

Hotspot: The app may communicate with a server (mobilegw.alipaydev.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': 'China', 'region': 'Zhejiang', 'city': 'Hangzhou', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: The app may communicate with a server (offlinelog.faceplusplus.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '42.121.128.228', 'country_short': 'CN', 'country_long': 'China', 'region': 'Zhejiang', 'city': 'Hangzhou', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: The app may communicate with a server (www.qiniu.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '123.182.48.117', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Yancheng', 'latitude': '33.385559', 'longitude': '120.125282'}

Hotspot: The app may communicate with a server (woodpecker.uc.cn) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '123.182.48.117', 'country_short': 'CN', 'country_long': 'China', 'region': 'Hebei', 'city': 'Zhangjiakou', 'latitude': '40.810024', 'longitude': '114.879349'}

Hotspot: The app may communicate with a server (store-bsy.c360dn.com) located in a country on the scanner's OFAC-sanctioned list (China)

{'ip': '58.216.2.41', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Changzhou', 'latitude': '31.783331', 'longitude': '119.966667'}
