Security Score
Security score: 44/100
Risk Rating
Grade
- A
- B
- C
- F
Severity distribution (%)
Privacy risk
14
User/device trackers
Findings
High
7
Medium
30
Info
1
Secure
2
Hotspot
7
High: Base config is insecurely configured to permit clear text traffic to all domains.
Scope: *
High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting attacks.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/applovin/impl/adview/b.java, line(s) 548,13 com/applovin/impl/sdk/e/t.java, line(s) 107,4 com/mbridge/msdk/click/l.java, line(s) 200,13,14 com/mbridge/msdk/mbbanner/common/bridge/BannerExpandDialog.java, line(s) 211,15 com/mbridge/msdk/mbbanner/common/c/c.java, line(s) 679,14 com/mbridge/msdk/nativex/view/MBMediaView.java, line(s) 483,2573,24,25 com/mbridge/msdk/splash/signal/SplashExpandDialog.java, line(s) 216,15 com/mbridge/msdk/video/bt/module/MBridgeBTWebView.java, line(s) 372,13 com/mbridge/msdk/video/module/MBridgeAlertWebview.java, line(s) 85,7 com/mbridge/msdk/video/module/MBridgeH5EndCardView.java, line(s) 755,17 com/unity3d/services/core/webview/WebViewApp.java, line(s) 391,10,57,63,77,114 g2/t.java, line(s) 141,6,7
High: WebView domain control is not strict (vulnerability).
Files: com/adcolony/sdk/b1.java, line(s) 988,979 com/game/humpbackwhale/recover/files/activity/WebActivity.java, line(s) 132,116 com/mbridge/msdk/foundation/webview/BrowserView.java, line(s) 200,196 com/mbridge/msdk/mbsignalcommon/base/BaseWebView.java, line(s) 86,82 com/unity3d/services/core/webview/WebView.java, line(s) 124,121
High: The file is World Readable. Any application can read the file.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/mbridge/msdk/mbbid/common/b.java, line(s) 73
High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: v0/a.java, line(s) 50,89
High: Remote WebView debugging is enabled.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/applovin/impl/adview/d.java, line(s) 149,10
High: The application contains privacy trackers.
This application has multiple (14) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
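Medium: Application data can be backed up.
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: TaskAffinity is set for an Activity.
(com.game.humpbackwhale.recover.files.activity.notifyAct.NotifyMoreActivity) If taskAffinity is set, other applications may be able to read Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting and keep the affinity as the package name.
Medium: TaskAffinity is set for an Activity.
(com.game.humpbackwhale.recover.files.activity.notifyAct.NotifyLargeActivity) If taskAffinity is set, other applications may be able to read Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting and keep the affinity as the package name.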
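Medium: Content Provider (com.game.humpbackwhale.recover.keep.account.SyncAccountProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Service (com.game.humpbackwhale.recover.keep.account.SyncAccountService) is not protected.
[android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.game.humpbackwhale.recover.keep.receiver.AliveKeepReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.game.humpbackwhale.recover.keep.receiver.AliveKeepReceiver2) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.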
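Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.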
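Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.
Medium: High Intent priority (2147483647)
[android:priority] By setting an Intent priority higher than that of another Intent, the application effectively overrides other requests.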
Medium: The application uses an insecure random number generator.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: a9/w.java, line(s) 15 com/apm/insight/i.java, line(s) 9 com/applovin/exoplayer2/h/z.java, line(s) 4 com/applovin/impl/c/m.java, line(s) 17 com/game/humpbackwhale/recover/files/activity/SaveProgressActivity.java, line(s) 16 com/game/humpbackwhale/recover/files/utils/p.java, line(s) 13 com/mbridge/msdk/dycreator/baseview/rewardpopview/MBAcquireRewardPopView.java, line(s) 26 com/mbridge/msdk/playercommon/exoplayer2/source/ShuffleOrder.java, line(s) 4 com/mbridge/msdk/playercommon/exoplayer2/trackselection/RandomTrackSelection.java, line(s) 6 com/mbridge/msdk/playercommon/exoplayer2/upstream/cache/CachedContentIndex.java, line(s) 21 com/mbridge/msdk/thrid/okhttp/OkHttpClient.java, line(s) 30 com/mbridge/msdk/thrid/okhttp/internal/ws/RealWebSocket.java, line(s) 31 com/mbridge/msdk/thrid/okhttp/internal/ws/WebSocketWriter.java, line(s) 11 com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 10 com/whale/restore/handler/e.java, line(s) 43 gf/a.java, line(s) 4 gf/b.java, line(s) 4 gf/c.java, line(s) 4 gf/d.java, line(s) 5 gf/e.java, line(s) 5 hf/a.java, line(s) 4 hg/a.java, line(s) 12 hg/d.java, line(s) 5 l5/b.java, line(s) 11 u1/d.java, line(s) 11 vh/a.java, line(s) 3 y5/b.java, line(s) 49 y5/c.java, line(s) 25 ya/l.java, line(s) 19 z1/e.java, line(s) 15
Medium: Files may contain hardcoded sensitive information such as usernames, passwords and keys.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/applovin/impl/mediation/b/a/a.java, line(s) 43 com/applovin/impl/sdk/o.java, line(s) 1270 com/applovin/mediation/AppLovinUtils.java, line(s) 27 com/applovin/mediation/ads/MaxAdView.java, line(s) 131,121 com/applovin/mediation/ads/MaxAppOpenAd.java, line(s) 61,51 com/applovin/mediation/ads/MaxInterstitialAd.java, line(s) 70,60 com/applovin/mediation/ads/MaxRewardedAd.java, line(s) 90,80 com/applovin/mediation/ads/MaxRewardedInterstitialAd.java, line(s) 65,55 com/applovin/mediation/nativeAds/MaxNativeAdLoader.java, line(s) 72,67 com/applovin/sdk/AppLovinSdk.java, line(s) 185 com/applovin/sdk/AppLovinSdkSettings.java, line(s) 175 com/applovin/sdk/AppLovinWebViewActivity.java, line(s) 26 com/mbridge/msdk/MBridgeConstans.java, line(s) 14,55 com/mbridge/msdk/click/b/a.java, line(s) 43 com/mbridge/msdk/foundation/db/m.java, line(s) 83,35,69 com/mbridge/msdk/foundation/download/core/DownloadCommon.java, line(s) 21 com/mbridge/msdk/foundation/download/core/DownloaderReporter.java, line(s) 15 com/mbridge/msdk/foundation/entity/CampaignEx.java, line(s) 39 com/mbridge/msdk/foundation/entity/n.java, line(s) 517,528,792,802,450,463,590,370,383,820,832,580,412,750,421,760,486,555,731 com/mbridge/msdk/foundation/same/report/f.java, line(s) 100 com/mbridge/msdk/foundation/same/report/p.java, line(s) 174 com/mbridge/msdk/playercommon/exoplayer2/drm/DefaultDrmSessionManager.java, line(s) 31 com/mbridge/msdk/video/dynview/moffer/MOfferModel.java, line(s) 115 com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 14 com/unity3d/services/ads/gmascar/utils/ScarConstants.java, line(s) 4,5,6,8,9 com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 7,8 com/unity3d/services/core/device/reader/DeviceInfoReaderFilterProvider.java, line(s) 11,12
com/unity3d/services/core/device/reader/JsonStorageKeyNames.java, line(s) 4,6,7,8,10,11,12,13,9,14,5,15,16,17 com/unity3d/services/core/properties/SdkProperties.java, line(s) 30 com/zhy/http/okhttp/builder/PostFormBuilder.java, line(s) 26 f3/h.java, line(s) 83 h3/d.java, line(s) 45 h3/p.java, line(s) 103 h3/x.java, line(s) 88 v/i.java, line(s) 127
Medium: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/adcolony/sdk/d1.java, line(s) 6,20 com/adcolony/sdk/w0.java, line(s) 5,255 com/adcolony/sdk/y0.java, line(s) 6,293 com/apm/insight/e/b/a.java, line(s) 4,39 com/apm/insight/e/b/b.java, line(s) 5,40 com/bykv/vk/openvk/preload/geckox/a/b.java, line(s) 6,7,58 com/mbridge/msdk/e/b.java, line(s) 4,5,22 com/mbridge/msdk/foundation/db/BatchReportDao.java, line(s) 6,74 com/mbridge/msdk/foundation/db/b.java, line(s) 6,45 com/mbridge/msdk/foundation/db/c.java, line(s) 5,27 com/mbridge/msdk/foundation/db/f.java, line(s) 6,98 com/mbridge/msdk/foundation/db/h.java, line(s) 4,29 com/mbridge/msdk/foundation/download/database/DatabaseHelper.java, line(s) 6,83 i1/b.java, line(s) 8,155 i1/d.java, line(s) 5,6,42 x/d.java, line(s) 4,5,14
Medium: SHA-1 is a weak hash known to have hash collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/adcolony/sdk/d0.java, line(s) 9 com/adcolony/sdk/e2.java, line(s) 632 com/applovin/impl/sdk/utils/StringUtils.java, line(s) 32 com/applovin/impl/sdk/utils/r.java, line(s) 380 com/pgl/ssdk/ces/d.java, line(s) 234 com/unity3d/services/core/device/Device.java, line(s) 171 n5/a.java, line(s) 18 q8/b.java, line(s) 72 w8/a0.java, line(s) 120
Medium: The application can read from and write to external storage. Any application can read data written to external storage.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: ce/d.java, line(s) 53,35,41 com/apm/insight/entity/d.java, line(s) 20 com/apm/insight/l/w.java, line(s) 53,64,95 com/apm/insight/nativecrash/c.java, line(s) 483 com/game/humpbackwhale/recover/files/utils/i.java, line(s) 61 com/lxj/xpopup/util/h.java, line(s) 120,143 com/mbridge/msdk/foundation/same/report/b/d.java, line(s) 203 com/mbridge/msdk/foundation/tools/ad.java, line(s) 55,64,91,103,152 com/pgl/ssdk/ces/d.java, line(s) 379 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 54 com/whale/restore/handler/e.java, line(s) 772
Medium: MD5 is a weak hash known to have hash collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/apm/insight/l/v.java, line(s) 240 com/bykv/vk/openvk/preload/geckox/utils/g.java, line(s) 13 com/mbridge/msdk/foundation/download/resource/MBResourceManager.java, line(s) 96 com/mbridge/msdk/foundation/tools/SameMD5.java, line(s) 56,70,111 com/mbridge/msdk/foundation/tools/x.java, line(s) 21 e1/c.java, line(s) 14 q/b.java, line(s) 45 q4/g.java, line(s) 21
Medium: IP address disclosure.
Files: com/applovin/mediation/BuildConfig.java, line(s) 4 com/applovin/mediation/adapters/NimbusMediationAdapter.java, line(s) 30 f6/a.java, line(s) 11 h6/a.java, line(s) 11 hc/d.java, line(s) 11 l6/a.java, line(s) 11 w6/e.java, line(s) 35,33
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: b/b/a/a/d/h/e.java, line(s) 70,154 com/game/humpbackwhale/recover/files/activity/WebActivity.java, line(s) 113,134 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 334,318 com/unity3d/services/core/webview/WebView.java, line(s) 182,135 g2/t.java, line(s) 135,132
Medium: The application creates temporary files. Sensitive information should never be written to a temporary file.
Files: com/mbridge/msdk/playercommon/exoplayer2/util/Util.java, line(s) 185 q8/c.java, line(s) 75 v6/r.java, line(s) 161
Medium: This application may contain hardcoded secrets.
The following secrets were identified in the application. Ensure that these are not secrets or private information.
AdMob advertising platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-4310827909950583~3499584088"
"google_api_key" : "AIzaSyAnZLBzzdftsbX63SovMLLNLFT96mHDtGU"
"google_crash_reporting_api_key" : "AIzaSyAnZLBzzdftsbX63SovMLLNLFT96mHDtGU"
"dyStrategy.privateAddress" : "privateAddress"
Info: The application logs information. Sensitive information must not be logged.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: c4/b.java, line(s) 41 com/adcolony/sdk/k0.java, line(s) 281 com/adcolony/sdk/n1.java, line(s) 134 com/mbridge/msdk/dycreator/a/a.java, line(s) 100,101,102,106,114,116,260,274,329 com/mbridge/msdk/foundation/tools/x.java, line(s) 23 com/unity3d/ads/UnityAdsBaseOptions.java, line(s) 20 com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 37,57,66 com/unity3d/ads/metadata/MetaData.java, line(s) 45,56 com/unity3d/services/UnityServices.java, line(s) 86,136,146,151,162,167,181,190,176,185,120 com/unity3d/services/ads/UnityAdsImplementation.java, line(s) 85,146 com/unity3d/services/ads/adunit/AdUnitActivityController.java, line(s) 363,365,53,134,190,223,264,294,314,381,230 com/unity3d/services/ads/adunit/AdUnitViewHandlerFactory.java, line(s) 22 com/unity3d/services/ads/adunit/VideoPlayerHandler.java, line(s) 17,35 com/unity3d/services/ads/api/AdUnit.java, line(s) 209,215,262,266,271,275,499,502,505,508,531,122,138,167,175,358,452,522,535,540,545 com/unity3d/services/ads/api/VideoPlayer.java, line(s) 59,77,100,149,160,178 com/unity3d/services/ads/api/WebPlayer.java, line(s) 49 com/unity3d/services/ads/gmascar/adapters/ScarAdapterFactory.java, line(s) 46 com/unity3d/services/ads/gmascar/bridges/AdapterStatusBridge.java, line(s) 21,37 com/unity3d/services/ads/gmascar/bridges/InitializeListenerBridge.java, line(s) 22,41 com/unity3d/services/ads/gmascar/bridges/mobileads/MobileAdsBridge.java, line(s) 21 com/unity3d/services/ads/gmascar/bridges/mobileads/MobileAdsBridgeLegacy.java, line(s) 23 com/unity3d/services/ads/gmascar/finder/GMAInitializer.java, line(s) 53 com/unity3d/services/ads/gmascar/finder/ScarVersionFinder.java, line(s) 44,56 com/unity3d/services/ads/token/InMemoryAsyncTokenStorage.java, line(s) 154,187 com/unity3d/services/ads/token/NativeTokenGenerator.java, line(s) 35 com/unity3d/services/ads/video/VideoPlayerView.java, line(s) 
42,45,70,113,118,140,183,195,227 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 66,70,311,353,412,427,442,455,696,698,720 com/unity3d/services/banners/BannerView.java, line(s) 106 com/unity3d/services/banners/UnityBanners.java, line(s) 139 com/unity3d/services/core/api/Cache.java, line(s) 166,180,56,132,185,276,293,320 com/unity3d/services/core/api/DeviceInfo.java, line(s) 136,154,177,321,341,357,414 com/unity3d/services/core/api/Intent.java, line(s) 50,64,213,239,252 com/unity3d/services/core/api/Request.java, line(s) 33,45,96,108,131,143 com/unity3d/services/core/api/Sdk.java, line(s) 17,38,54,84,90,96,102 com/unity3d/services/core/broadcast/BroadcastEventReceiver.java, line(s) 44 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 24,26,65,69,75,103,107,113,120,29,58,78 com/unity3d/services/core/cache/CacheThread.java, line(s) 79 com/unity3d/services/core/cache/CacheThreadHandler.java, line(s) 39,42,46,69 com/unity3d/services/core/configuration/ConfigurationReader.java, line(s) 25 com/unity3d/services/core/configuration/ConfigurationRequestFactory.java, line(s) 38 com/unity3d/services/core/configuration/EnvironmentCheck.java, line(s) 32,44,35,47,50,53,56 com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 22 com/unity3d/services/core/configuration/ExperimentsReader.java, line(s) 25 com/unity3d/services/core/configuration/InitializationNotificationCenter.java, line(s) 43 com/unity3d/services/core/configuration/InitializeEventsMetricSender.java, line(s) 53,60,67,82,177,184 com/unity3d/services/core/configuration/InitializeThread.java, line(s) 294,335,466,481,525,533,636,648,675,732,127,307,310,346,349,394,414,582,622,736,886,895,198,375,473,559 com/unity3d/services/core/configuration/PrivacyConfigurationLoader.java, line(s) 69 com/unity3d/services/core/connectivity/ConnectivityMonitor.java, line(s) 56,88,98,79,127 com/unity3d/services/core/device/AdvertisingId.java, line(s) 201,132,142 
com/unity3d/services/core/device/Device.java, line(s) 173,273,279,292,302,423,436,451,624,687,700,366 com/unity3d/services/core/device/OpenAdvertisingId.java, line(s) 193,140,146 com/unity3d/services/core/device/Storage.java, line(s) 47,51,62 com/unity3d/services/core/device/reader/DeviceInfoReaderCompressor.java, line(s) 30,34 com/unity3d/services/core/device/reader/DeviceInfoReaderExtended.java, line(s) 47 com/unity3d/services/core/domain/task/InitializeSDK$doWork$2.java, line(s) 151,168 com/unity3d/services/core/domain/task/InitializeStateConfig$doWork$2.java, line(s) 53 com/unity3d/services/core/domain/task/InitializeStateCreate$doWork$2.java, line(s) 44,57,60 com/unity3d/services/core/domain/task/InitializeStateCreateWithRemote$doWork$2.java, line(s) 44,56,59 com/unity3d/services/core/domain/task/InitializeStateError$doWork$2.java, line(s) 43 com/unity3d/services/core/domain/task/InitializeStateLoadCache$doWork$2.java, line(s) 46,60 com/unity3d/services/core/domain/task/InitializeStateLoadCache.java, line(s) 177 com/unity3d/services/core/domain/task/InitializeStateLoadWeb$doWork$2.java, line(s) 140 com/unity3d/services/core/domain/task/InitializeStateNetworkError$doWork$2.java, line(s) 51 com/unity3d/services/core/domain/task/InitializeStateNetworkError.java, line(s) 121,138 com/unity3d/services/core/domain/task/InitializeStateReset$doWork$2.java, line(s) 58 com/unity3d/services/core/extensions/TaskExtensionsKt.java, line(s) 140 com/unity3d/services/core/log/DeviceLog.java, line(s) 72 com/unity3d/services/core/misc/JsonFlattener.java, line(s) 46 com/unity3d/services/core/misc/JsonStorage.java, line(s) 172,27,33,52,73,88,100,166,175 com/unity3d/services/core/misc/JsonStorageAggregator.java, line(s) 34 com/unity3d/services/core/misc/Utilities.java, line(s) 182,126,152,158,163,176,196,230 com/unity3d/services/core/misc/ViewUtilities.java, line(s) 23,32 com/unity3d/services/core/preferences/AndroidPreferences.java, line(s) 17,31,45,59,73 
com/unity3d/services/core/properties/ClientProperties.java, line(s) 45,80,92,94 com/unity3d/services/core/properties/SdkProperties.java, line(s) 250,252,98 com/unity3d/services/core/reflection/GenericBridge.java, line(s) 32,47,56,62,70,76,84,91 com/unity3d/services/core/request/WebRequest.java, line(s) 67,159,164 com/unity3d/services/core/request/WebRequestRunnable.java, line(s) 92,77,96 com/unity3d/services/core/request/WebRequestThread.java, line(s) 64,116,131 com/unity3d/services/core/request/metrics/MetricCommonTags.java, line(s) 74 com/unity3d/services/core/request/metrics/MetricSender$sendMetrics$$inlined$CoroutineExceptionHandler$1.java, line(s) 24 com/unity3d/services/core/request/metrics/MetricSender$sendMetrics$1.java, line(s) 85,87 com/unity3d/services/core/request/metrics/MetricSender.java, line(s) 95,112,122 com/unity3d/services/core/request/metrics/MetricSenderWithBatch.java, line(s) 55 com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 38,43,53,89,102 com/unity3d/services/core/sensorinfo/SensorInfoListener.java, line(s) 27 com/unity3d/services/core/timer/BaseTimer.java, line(s) 77 com/unity3d/services/core/webview/WebView.java, line(s) 82 com/unity3d/services/core/webview/WebViewApp.java, line(s) 59,115,184,238,282,332,66,70,73,90,142,274,304,345,380,394 com/unity3d/services/core/webview/WebViewUrlBuilder.java, line(s) 31 com/unity3d/services/core/webview/bridge/Invocation.java, line(s) 66 com/unity3d/services/core/webview/bridge/NativeCallback.java, line(s) 40 com/unity3d/services/core/webview/bridge/WebViewBridge.java, line(s) 108 com/unity3d/services/core/webview/bridge/WebViewBridgeInterface.java, line(s) 54,61 com/unity3d/services/core/webview/bridge/WebViewCallback.java, line(s) 69 com/unity3d/services/store/core/StoreLifecycleListener.java, line(s) 31 com/unity3d/services/store/gpbl/bridges/CommonJsonResponseBridge.java, line(s) 33 com/unity3d/services/store/gpbl/bridges/PurchaseBridge.java, line(s) 37 d3/b.java, line(s) 356 
d4/a.java, line(s) 55 e3/d.java, line(s) 162,189 e3/f.java, line(s) 120,144,159 g3/c.java, line(s) 112 g3/e.java, line(s) 52,91 h3/h.java, line(s) 427,442,569 h3/i.java, line(s) 63 h3/k.java, line(s) 39 h3/z.java, line(s) 75,108,120 i3/j.java, line(s) 176,226 i3/k.java, line(s) 130,143,164,171,214,248,258,277,286 j3/e.java, line(s) 57,64,74,85,91,121 j3/l.java, line(s) 198 k3/a.java, line(s) 370 k3/b.java, line(s) 46 l3/a.java, line(s) 87 m3/c.java, line(s) 19 m3/d.java, line(s) 50 m3/f.java, line(s) 152 m3/s.java, line(s) 40 m3/t.java, line(s) 39 m7/f.java, line(s) 24 o3/j.java, line(s) 90 p3/c0.java, line(s) 158,166,170,174,178,182,187,191,195 p3/e.java, line(s) 67,75,89 p3/f.java, line(s) 26 p3/m0.java, line(s) 178,181,224,231,236,354 p3/p.java, line(s) 235,253,255,258,265,267,272,304,309,415,422,429,435,441 p3/r0.java, line(s) 162 p3/w.java, line(s) 210,220,237,257,394,525,554 p3/x.java, line(s) 40,46 rf/b.java, line(s) 82 t3/a.java, line(s) 79,106,111,116 t3/c.java, line(s) 28 t3/h.java, line(s) 46 v2/x.java, line(s) 14,122,132,136 v3/f.java, line(s) 24 v3/o.java, line(s) 162 v3/q.java, line(s) 247,454,457,480,484,486 v3/s.java, line(s) 105 v3/t.java, line(s) 149,182,204,218 w3/e.java, line(s) 66,71,74,80,83 w8/c0.java, line(s) 59,65,82 w8/j.java, line(s) 45 w8/j0.java, line(s) 40,48 w8/o0.java, line(s) 71,108,124,154 w8/r0.java, line(s) 75,75,105 w8/v0.java, line(s) 99,99 w8/w0.java, line(s) 114,138,138 y3/k.java, line(s) 105 z3/f.java, line(s) 83,162 z3/r.java, line(s) 85,164
Secure: This application uses SSL pinning to detect or prevent MITM attacks in secure communication channels.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/mbridge/msdk/thrid/okhttp/internal/Util.java, line(s) 506,505,504,504 com/zhy/http/okhttp/https/HttpsUtils.java, line(s) 123,144,61,121,121,142,142 vf/c.java, line(s) 166,165,164,164
Secure: This application may have root detection capabilities.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/apm/insight/nativecrash/c.java, line(s) 326,326,326,326,326 p7/g.java, line(s) 138,138,141
Hotspot: The application may communicate with a server (firebase-settings.crashlytics.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.162', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (app.adjust.cn) located in an OFAC-sanctioned country (China).
{'ip': '47.104.30.117', 'country_short': 'CN', 'country_long': '中国', 'region': '山东', 'city': '青岛', 'latitude': '36.098610', 'longitude': '120.371941'}
Hotspot: The application may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.161', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (www.googletagmanager.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.169', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (update.crashlytics.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.38', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (googleads.g.doubleclick.net) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.38', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}