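Security baseline score: 49/100
Overall risk rating (scale: A, B, C, F)
Privacy risk: 10 third-party trackers detected
Distribution of findings
High-severity vulnerabilities: 3
Medium-severity vulnerabilities: 24
Informational notices: 4
Passed checks: 2
Key security concerns: 0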
High-severity vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/pushwoosh/inapp/view/c.java, line(s) 212,15
High-severity vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: ee/forgr/capacitor_inappbrowser/WebViewDialog.java, line(s) 567,565
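High-severity vulnerability: The application contains privacy trackers.
This application contains 10 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.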
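Medium-severity vulnerability: Activity (com.vk.id.internal.auth.AuthActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] A Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium-severity vulnerability: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium-severity vulnerability: Broadcast Receiver (com.pushwoosh.BootReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.RECEIVE_BOOT_COMPLETED [android:exported=true] A Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium-severity vulnerability: Content Provider (com.pushwoosh.PushwooshSharedDataProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium-severity vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] A Service is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium-severity vulnerability: Content Provider (com.yandex.metrica.PreloadInfoContentProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] A Service is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium-severity vulnerability: Broadcast Receiver (com.yandex.metrica.push.core.notification.MetricaPushNotificationStatusChangeHandler) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.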
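Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries may lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.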
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Medium-severity vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords and keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Medium-severity vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/pushwoosh/internal/network/c.java, line(s) 21 im/crisp/client/internal/v/f.java, line(s) 22 io/grpc/internal/DnsNameResolver.java, line(s) 31 io/grpc/internal/ExponentialBackoffPolicy.java, line(s) 5 io/grpc/internal/RetriableStream.java, line(s) 23 io/grpc/okhttp/OkHttpClientTransport.java, line(s) 72 io/grpc/util/OutlierDetectionLoadBalancer.java, line(s) 26 io/grpc/util/RoundRobinLoadBalancer.java, line(s) 20 org/junit/runner/manipulation/Ordering.java, line(s) 7
Medium-severity vulnerability: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/pushwoosh/d0/d.java, line(s) 51 com/pushwoosh/internal/platform/utils/GeneralUtils.java, line(s) 136 com/vk/id/internal/util/MD5.java, line(s) 38 com/yandex/metrica/impl/ob/Pl.java, line(s) 69 com/yandex/metrica/impl/ob/Tl.java, line(s) 90
Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/capacitorjs/plugins/camera/CameraUtils.java, line(s) 19 com/capacitorjs/plugins/filesystem/Filesystem.java, line(s) 167,169,176 com/getcapacitor/BridgeWebChromeClient.java, line(s) 455 com/getcapacitor/FileUtils.java, line(s) 94 io/sentry/android/core/DeviceInfoUtil.java, line(s) 166,341
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/capacitorjs/plugins/camera/CameraUtils.java, line(s) 19 com/getcapacitor/BridgeWebChromeClient.java, line(s) 455 io/noties/markwon/image/DefaultDownScalingMediaDecoder.java, line(s) 56 org/junit/rules/TemporaryFolder.java, line(s) 79,164
Medium-severity vulnerability: This application may request root (superuser) privileges.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: io/sentry/android/core/internal/util/RootChecker.java, line(s) 23,23,23,23,23
Medium-severity vulnerability: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/pushwoosh/inapp/view/c.java, line(s) 211,244 ee/forgr/capacitor_inappbrowser/WebViewDialog.java, line(s) 133,125
Medium-severity vulnerability: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/yandex/metrica/impl/ob/H.java, line(s) 43 io/sentry/util/StringUtils.java, line(s) 73
Medium-severity vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: ee/forgr/capacitor_inappbrowser/WebViewDialog.java, line(s) 123,124,125
Medium-severity vulnerability: IP address disclosure.
Files: io/grpc/okhttp/OkHttpClientTransport.java, line(s) 251 io/grpc/okhttp/OkHttpServerTransport.java, line(s) 601,607,613,698
Medium-severity vulnerability: Firebase Remote Config is enabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/817694478994/namespaces/firebase:fetch?key=AIzaSyAZbj1vKsmxAtMyCxLxavVaauDS8t0d9hs ) is enabled. Make sure this configuration does not contain sensitive information. The response content is shown below: { "entries": { "googlePlayBillingAvailable": "true", "launchPlacementId": "launch_placement", "liveStream": "{}", "mainPlacementId": "test_customsation_v3", "onboardingRateAppPaneActive": "true", "payOnWebsiteLink": "https://momslab.app/ru/actual_programs_new#tariffs", "pushNotificationsRequestLocation": "onboarding-program-selected", "surveyFirstHear": "{\"isActive\":false,\"options\":[]}", "tinkoffPaymentActive": "false" }, "state": "UPDATE", "templateVersion": "111" }
Medium-severity vulnerability: This application may contain hard-coded secrets.
The following secrets were identified in the application. Make sure they are not confidential or private information.
Informational notice: The application logs information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Informational notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/capacitorjs/plugins/clipboard/Clipboard.java, line(s) 4,29 io/branch/referral/ShareLinkManager.java, line(s) 5,336
Informational notice: The application can write to the application directory. Sensitive information should be encrypted.
Files: com/amplitude/android/utilities/AndroidStorage.java, line(s) 67,70,67,70
Informational notice: The application communicates with a Firebase database.
The application communicates with a Firebase database located at https://momslab.firebaseio.com
Passed check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/silkimen/cordovahttp/CordovaHttpPlugin.java, line(s) 38,36,37,34,34 com/silkimen/cordovahttp/CordovaServerTrust.java, line(s) 79,78,91,57,60,63,66,77,77 com/silkimen/http/HttpRequest.java, line(s) 432,439,446,453,460,467,474,481,1583 com/vk/id/internal/di/VKIDDepsProd.java, line(s) 328,328,328,328,328,328,328 im/crisp/client/internal/k/a.java, line(s) 93,93 im/crisp/client/internal/l/a.java, line(s) 104,104 io/grpc/okhttp/OkHttpChannelBuilder.java, line(s) 418,419,506,432,479,505,502,504,504 io/grpc/okhttp/OkHttpServerBuilder.java, line(s) 264,265,278 io/grpc/util/AdvancedTlsX509TrustManager.java, line(s) 109,108,99,107,107,125
Passed check: This application may have root detection capabilities.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/yandex/metrica/impl/ob/X1.java, line(s) 15 io/sentry/android/core/DeviceInfoUtil.java, line(s) 141 io/sentry/android/core/internal/util/RootChecker.java, line(s) 41,23,23,23,23,23,23,35