Security Score: 51/100
Risk Rating (grade scale: A, B, C, F)
Severity Distribution (%)
Privacy Risk: 1 user/device tracker
Findings: High 1, Medium 12, Info 2, Secure 1, Hotspot 0
High: WebView domain control is not strict
WebView domain control is not strict. Files: fmo/TcmFormulaCh/ViewFormulaActivity.java, line(s) 304
Medium: Application data can be backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It lets a user who has enabled USB debugging copy the application data off the device.
Medium: Activity (fmo.TcmFormulaCh.ViewFormulaActivity) is not protected.
[android:exported=true] An Activity was found to be shared with other apps on the device, so it can be accessed by any other application on the device.
Medium: Service (com.google.android.play.core.assetpacks.AssetPackExtractionService) is not protected.
[android:exported=true] A Service was found to be shared with other apps on the device, so it can be accessed by any other application on the device.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver was found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: The application uses an insecure random number generator
The application uses an insecure random number generator. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/smaato/sdk/core/errorreport/Report.java, line(s) 11 com/smaato/sdk/video/utils/RandomUtils.java, line(s) 3 d/l0.java, line(s) 33 g6/a.java, line(s) 3 g6/b.java, line(s) 3 g6/c.java, line(s) 3 h6/a.java, line(s) 3
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: c1/s.java, line(s) 5,41 com/smaato/sdk/core/kpi/KpiDBHelper.java, line(s) 6,7,51 fmo/TcmFormulaCh/MainActivity.java, line(s) 16,700 j0/d.java, line(s) 5,230 n1/b.java, line(s) 5,162 net/sqlcipher/DatabaseUtils.java, line(s) 6,7,8,9,10,11,59 net/sqlcipher/database/SQLiteDatabase.java, line(s) 7,8,679,698,287 o1/d.java, line(s) 7,67 o1/j.java, line(s) 4,27 o1/k.java, line(s) 4,5,117 p1/f.java, line(s) 4,30 p1/i.java, line(s) 3,56 p1/j.java, line(s) 4,23 p1/p.java, line(s) 4,5,70 x5/h.java, line(s) 6,7,133
Medium: The application can read/write external storage; data written to external storage can be read by any application.
The application can read/write external storage; data written to external storage can be read by any application. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: g3/z0.java, line(s) 57,59
Medium: Files may contain hard-coded sensitive information such as usernames, passwords, or keys.
Files may contain hard-coded sensitive information such as usernames, passwords, or keys. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: c5/c.java, line(s) 92 com/smaato/sdk/core/mvvm/model/imagead/Extension.java, line(s) 11,14,15,12,13 com/smaato/sdk/core/mvvm/model/imagead/ImageAdResponseParser.java, line(s) 18,20,19,21,26,22,25,27,23,24
Medium: IP address disclosure
IP address disclosure. Files: com/smaato/sdk/core/dns/DiDns.java, line(s) 19 com/smaato/sdk/core/locationaware/DnsLookupImpl.java, line(s) 19
Medium: SHA-1 is a weak hash with known collision attacks
SHA-1 is a weak hash with known collision attacks. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: l3/g.java, line(s) 301
Medium: The application contains a privacy tracker
This application contains 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.
Medium: This application may contain hard-coded secrets
The following secrets were identified in the application; verify that they are not secret or private information: "library_android_database_sqlcipher_authorWebsite" : "https://www.zetetic.net/sqlcipher/" d79bfac645e9a792d4d5f17bb1ce637e
Info: The application logs information; sensitive information must not be logged.
The application logs information; sensitive information must not be logged. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: logging calls were reported across a large number of source files throughout the app and its bundled SDKs (the full file and line list is omitted here).
Info: This application uses SQLCipher. SQLCipher provides 256-bit AES encryption for SQLite database files.
This application uses SQLCipher. SQLCipher provides 256-bit AES encryption for SQLite database files. Files: fmo/TcmFormulaCh/DBHelper.java, line(s) 50,12,13,14
Secure: This application may have root detection capabilities.
This application may have root detection capabilities. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: l3/h.java, line(s) 33