Mobile Application Security Assessment Report

Phone calls v14
Security score: 44
Security baseline score: 44/100
Overall risk level: Medium risk
Risk level rating
- A
- B
- C
- F
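The application has some security risks; optimization is recommended.
Distribution of vulnerabilities and security items
High risk: 4
Medium risk: 18
Info: 1
Secure: 1
Privacy risk assessment
Third-party trackers: 0
Privacy and security: no third-party trackers detected
Distribution of detection results
High-risk security vulnerabilities: 4
Medium-risk security vulnerabilities: 18
Security informational notes: 1
Passed security items: 1
Key security concerns: 0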
High-risk vulnerability (4 identical entries): Activity (com.android.server.telecom.components.UserCallActivity): if input is not validated, this configuration allows a third-party application on the same device, holding no permissions, to invoke it and place a phone call without user interaction.
An exported Activity that does not validate the Intent it receives can invoke the dialer and place a call without user interaction. This is very likely a high-risk vulnerability; verify it manually. Reference: CVE-2024-37574
Medium-risk vulnerability: Activity (com.android.server.telecom.settings.BlockedNumbersActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
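Medium-risk vulnerability: Activity (com.android.server.telecom.components.UserCallActivity) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.CALL_PHONE [android:exported=true] The Activity is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Activity-Alias (com.android.server.telecom.EmergencyCallActivity) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.CALL_PRIVILEGED [android:exported=true] The Activity-Alias is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Activity-Alias (com.android.server.telecom.PrivilegedCallActivity) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.CALL_PRIVILEGED [android:exported=true] The Activity-Alias is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.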
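Medium-risk vulnerability: Broadcast Receiver (com.android.server.telecom.components.AppUninstallBroadcastReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (com.samsung.server.telecom.advancedcall.hwtest.SamsungSecretCodeBroadcastReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.sec.android.app.servicemodeapp.permission.KEYSTRING [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.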
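Medium-risk vulnerability: Activity (com.android.server.telecom.settings.EnableAccountPreferenceActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Service (com.android.server.telecom.components.BluetoothPhoneService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Service (com.android.server.telecom.components.TelecomService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Service (com.samsung.server.telecom.SamsungTelecomService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.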
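Medium-risk vulnerability: Content Provider (com.samsung.server.telecom.advancedcall.nexti.SamsungNextiCannedTextProvider) is protected by a permission, but the permission's protection level should be checked.
Permission: com.nttdocomo.android.phonemotion.GET_CANNED_RESPONSE
protectionLevel: normal [android:exported=true] The Content Provider is exported and protected by a permission, but that permission's protection level is normal. A malicious application can request this permission and interact with the component. Setting the protection level to signature is recommended, so that only applications signed with the same certificate can access it.
Medium-risk vulnerability: Content Provider (com.samsung.server.telecom.model.ocp.SamsungOpenCommunicationPlatformProvider) is not protected.
[android:exported=true] The Content Provider is exported and not protected by any permission, so any application can access it.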
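Medium-risk vulnerability: dialer secret code detected: 727728
[android:scheme="android_secret_code"] The manifest contains a dialer secret code (for example *#*#4636#*#*). Entering it triggers hidden functionality, which carries a risk of sensitive information disclosure.
Medium-risk vulnerability: dialer secret code detected: 7277
[android:scheme="android_secret_code"] The manifest contains a dialer secret code (for example *#*#4636#*#*). Entering it triggers hidden functionality, which carries a risk of sensitive information disclosure.
Medium-risk vulnerability: high Intent priority (1000) - 8 hits
[android:priority] By setting a high Intent priority, an application can override other requests, which may lead to security risks.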
Medium-risk vulnerability: IP address disclosure
IP address disclosure. Files: com/samsung/android/cmcsetting/CmcSettingManager.java, line(s) 297
Medium-risk vulnerability: the application uses an insecure random number generator
The application uses an insecure random number generator. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/samsung/server/telecom/model/echolocate/SamsungEchoLocateCallIdBuildRepositoryImpl.java, line(s) 8
Medium-risk vulnerability: this application may contain hardcoded secrets
The following secrets were identified in the application. Make sure they are not confidential or private information.
- "phone_settings_private_num_txt" : "Private"
- "samsung_account_app_id" : "0jkdn6dwx1"
- "phone_settings_private_num_txt" : "Privat"
- "phone_settings_private_num_txt" : "Privada"
- "phone_settings_private_num_txt" : "Privato"
- "phone_settings_private_num_txt" : "Particular"
- "phone_settings_private_num_txt" : "Privado"
Security informational note: the application writes log messages; sensitive information must not be logged
The application writes log messages; sensitive information must not be logged. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files:
- com/samsung/android/cmcsetting/CmcSettingManager.java, line(s) 59,60,78,84,89,104,111,114,121,296,70,72,86,107,300
- com/samsung/android/scloud/lib/platform/api/LOG.java, line(s) 20,28,12
- com/samsung/android/sdk/cover/CoverListenerDelegate.java, line(s) 74
- com/samsung/android/sdk/cover/ScoverManager.java, line(s) 85,89,115,162,156,197,213,232,235,83,117,121,125,164,168,172,204
- com/samsung/server/telecom/SamsungTelecomSystem.java, line(s) 360
- com/samsung/server/telecom/advancedcall/audio/SamsungSpeakerManagerForOutgoingCallIntent.java, line(s) 19
- com/samsung/server/telecom/advancedcall/callImmediately/SamsungCallImmediatelyNewOutgoingIntentBroadcaster.java, line(s) 93,99
- com/samsung/server/telecom/advancedcall/callcontrolpolicy/SamsungCallControlPolicyManager.java, line(s) 80
- com/samsung/server/telecom/advancedcall/logging/SamsungTelecomLogging.java, line(s) 26
- com/samsung/server/telecom/advancedcall/missedcall/SamsungMissedCallNotificationManager.java, line(s) 29,38
- com/samsung/server/telecom/advancedcall/multinumber/SamsungTwoPhoneUserListener.java, line(s) 34,46,30,42
- com/samsung/server/telecom/advancedcall/ocp/policy/broadcast/SamsungOpenCommunicationPlatformPolicyBroadcastReceiver.java, line(s) 55,40
- com/samsung/server/telecom/advancedcall/ocp/policy/broadcast/SamsungOpenCommunicationPlatformPolicyPackageBroadcastReceiver.java, line(s) 62,43
- com/samsung/server/telecom/advancedcall/ocp/policy/tracker/SamsungOpenCommunicationPlatformPolicyTracker.java, line(s) 57,75,93,110,46,64,82,99
- com/samsung/server/telecom/advancedcall/ringer/SamsungRingerImpl.java, line(s) 52
- com/samsung/server/telecom/advancedcall/ringer/SamsungRingtonePlayer.java, line(s) 139,142,133
- com/samsung/server/telecom/advancedcall/ringer/tts/SamsungAsyncTtsHelper.java, line(s) 44,56,207
- com/samsung/server/telecom/advancedcall/scpm/SamsungCloudPlatformBroadcastReceiver.java, line(s) 38,32
- com/samsung/server/telecom/advancedcall/scpm/SamsungCloudPlatformUserListener.java, line(s) 23,19
- com/samsung/server/telecom/advancedcall/tphone/SamsungTPhoneInCallControlUserListener.java, line(s) 29,25
- com/samsung/server/telecom/basiccall/call/info/SamsungCallLogInfo.java, line(s) 244
- com/samsung/server/telecom/basiccall/callfiltering/callscreeningservice/SamsungCallScreeningServiceFilter.java, line(s) 79,101,123,141,145,151,158,165,211,226,68,89,111,50,71,96,118
- com/samsung/server/telecom/basiccall/calllog/SamsungCallLogManager.java, line(s) 610
- com/samsung/server/telecom/basiccall/callsmanager/phoneaccount/SamsungPhoneAccountListener.java, line(s) 86
- com/samsung/server/telecom/basiccall/callsmanager/translator/SamsungInCallTranslatorAdapter.java, line(s) 29,51,22,44,37,59
- com/samsung/server/telecom/basiccall/telecom/SamsungSemTelecomServiceImpl.java, line(s) 58,67,84,93,115,124,141,151,168,178,199,207,233,44,73,100,130,157,184,213
- com/samsung/server/telecom/basiccall/telecom/SamsungTelecomServiceImpl.java, line(s) 211,214,230
- com/samsung/server/telecom/basiccall/telecom/SamsungTelecomServiceManager.java, line(s) 174,157,163
- com/samsung/server/telecom/basiccall/ui/missedcall/SamsungMissedCallNotifierLogger.java, line(s) 32
- com/samsung/server/telecom/device/audio/SamsungCallAudioModeStateMachine.java, line(s) 289
- com/samsung/server/telecom/device/audio/SamsungCallAudioRouteStateMachine.java, line(s) 70,85,89
- com/samsung/server/telecom/model/audio/SamsungAudioRepositoryImpl.java, line(s) 15
- com/samsung/server/telecom/model/callsettings/blocknumbers/SamsungBlockNumbersRepositoryImpl.java, line(s) 25
- com/samsung/server/telecom/model/logging/gatelogging/SamsungGateLoggingRepositoryImpl.java, line(s) 16,23,30
- com/samsung/server/telecom/model/ocp/dump/SamsungOpenCommunicationPlatformDumper.java, line(s) 101
- com/samsung/server/telecom/model/ocp/phoneaccount/allowed/dump/SamsungAllowedPhoneAccountDumper.java, line(s) 38
- com/samsung/server/telecom/model/vipmode/SamsungVipModeBlockCheckerAdapter.java, line(s) 36
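Passed security item: this application has no privacy trackers
This application does not include any user or device trackers. No trackers were found during static analysis.
Overall security baseline score summary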

Phone calls v14
Android APK
Overall security score: 44
Medium risk