安全分析报告:
安全分数
安全分数 45/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
0
用户/设备跟踪器
调研结果
高危
3
中危
15
信息
1
安全
1
关注
0
高危 应用程序存在Janus漏洞
应用程序使用了v1签名方案进行签名,如果只使用v1签名方案,那么它就容易受到安卓5.0-8.0上的Janus漏洞的攻击。在安卓5.0-7.0上运行的使用了v1签名方案的应用程序,以及同时使用了v2/v3签名方案的应用程序也同样存在漏洞。
高危 Activity (com.kyee.nursestation.controller.NurseStationActivity) is vulnerable to StrandHogg 2.0
已发现活动存在 StrandHogg 2.0 栈劫持漏洞的风险。漏洞利用时,其他应用程序可以将恶意活动放置在易受攻击的应用程序的活动栈顶部,从而使应用程序成为网络钓鱼攻击的易受攻击目标。可以通过将启动模式属性设置为“singleInstance”并设置空 taskAffinity (taskAffinity="") 来修复此漏洞。您还可以将应用的目标 SDK 版本 (19) 更新到 29 或更高版本以在平台级别修复此问题。
高危 启用了调试配置。生产版本不能是可调试的
启用了调试配置。生产版本不能是可调试的 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/kyee/mobilenursestation/BuildConfig.java, line(s) 2,3
中危 应用程序可以安装在有漏洞的已更新 Android 版本上
Android 2.2-2.2.3, [minSdk=8] 该应用程序可以安装在具有多个未修复漏洞的旧版本 Android 上。这些设备不会从 Google 接收合理的安全更新。支持 Android 版本 => 10、API 29 以接收合理的安全更新。
中危 应用程序数据可以被备份
[android:allowBackup=true] 这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Activity (com.kyee.nursestation.controller.UserLoginActivity) 未被保护。
存在一个intent-filter。 发现 Activity与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity是显式导出的。
中危 Activity (com.kyee.nursestation.controller.NurseStationActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此使其对设备上的任何其他应用程序都可访问。
中危 Activity (com.kyee.nursestation.views.menu.checkout.CheckoutDetailActivity) 未被保护。
存在一个intent-filter。 发现 Activity与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity是显式导出的。
中危 Broadcast Receiver (com.kyee.nursestation.utils.scancontrol.BNBroadCastReceiver) 未被保护。
存在一个intent-filter。 发现 Broadcast Receiver与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Broadcast Receiver是显式导出的。
中危 Broadcast Receiver (com.kyee.nursestation.utils.scancontrol.EMHBroadCastReceiver) 未被保护。
存在一个intent-filter。 发现 Broadcast Receiver与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Broadcast Receiver是显式导出的。
中危 高优先级的Intent (1000)
[android:priority] 通过设置一个比另一个Intent更高的优先级,应用程序有效地覆盖了其他请求。
中危 高优先级的Intent (1000)
[android:priority] 通过设置一个比另一个Intent更高的优先级,应用程序有效地覆盖了其他请求。
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: cn/com/kyee/KingYeeWebSocketClient.java, line(s) 41 com/kyee/apkupdate/AppUpdateManager.java, line(s) 24,32,33,35,38,39 com/kyee/nursestation/global/CustomApplication.java, line(s) 29 com/kyee/nursestation/global/HttpParamsConstants.java, line(s) 14 com/kyee/nursestation/model/UserInfoEntity.java, line(s) 18 com/kyee/nursestation/views/menu/AutarRiskRcordsFragment.java, line(s) 465 com/kyee/nursestation/views/menu/PainFragment.java, line(s) 148 com/kyee/nursestation/views/menu/PressureSoresFragment.java, line(s) 278
中危 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/kyee/apkupdate/MD5Util.java, line(s) 17
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: de/tavendo/autobahn/WampConnection.java, line(s) 8 de/tavendo/autobahn/WebSocketWriter.java, line(s) 13
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/honeywell/imagingmanager/ImagingManager.java, line(s) 32 com/kyee/apkupdate/AppUpdateUtil.java, line(s) 61,89,90,119,120,149,153,188 com/kyee/nursestation/global/CustomApplication.java, line(s) 60 com/kyee/nursestation/utils/CommonUtil.java, line(s) 782,783,813,814 com/kyee/nursestation/utils/ConfigureLog4J.java, line(s) 10 com/kyee/nursestation/utils/FileUtil.java, line(s) 12,13 com/kyee/nursestation/utils/LoadUtil.java, line(s) 164,168,212,234,238
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/kyee/nursestation/utils/DBHelperUtil.java, line(s) 7,8,58 com/kyee/nursestation/utils/DBHelperUtilView.java, line(s) 6,7,8,93
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "elder_nusing_username" : "姓名" "medicine_first_patlookuser" : "日常照顾者" "user_name" : "请输入用户名" "user_password" : "请输入密码"
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: bn/Common/CommonSet.java, line(s) 163,177,181,185,189,198,204,208,212,216,221,228,234,264,277,283,289,295,766,847,853,856,1030 bn/Handle/HandleSet.java, line(s) 208 com/honeywell/aidc/AidcManager.java, line(s) 21,29,30,35,39,42,46,50,59,64 com/honeywell/aidc/BarcodeFailureEvent.java, line(s) 10,11,13 com/honeywell/aidc/BarcodeReadEvent.java, line(s) 20,21,22,23,24,25,32,74 com/honeywell/aidc/BarcodeReader.java, line(s) 287,289,651,653 com/honeywell/aidc/TriggerStateChangeEvent.java, line(s) 10,11,13 com/honeywell/decodeconfigcommon/SymbologyConfigDoc.java, line(s) 166,201,232,242,296,319,333,384,419,456,474,496,513,534,555,580,604,624,645,657,683,695,754,770,773,869,886,889,894 com/honeywell/decodemanager/DecodeManager.java, line(s) 52,60,66,81,85,95,105,107,177,804,231,239,247,255,263,271,279,287,295,303,311,319,327,335,343,351,359,367,380,388,396,408,417,425,433,441,449,454,467,475,483,491,499,507,515,523,531,539,713,832,840,848 com/honeywell/decodemanager/barcode/Decoder.java, line(s) 121,128,133,138,143,148,153,158,163,168,173,178,183,188,193,198,203,208,213,218,223,228,233,238,243,252,257,262,267,272,277,282,287,292,297,302,307,308,311,316,321,326,331,336,341,346,353,356,360,365,374,379,384,389,394,399,404,409 com/honeywell/imagingmanager/Imaging.java, line(s) 16,23 com/honeywell/imagingmanager/ImagingManager.java, line(s) 53,59,70 com/honeywell/ioctl/HoneywellIOCTL.java, line(s) 34 com/honeywell/iqimagemanager/IQImageManager.java, line(s) 36,43,59,61,110 com/honeywell/test/IQTest.java, line(s) 42,44 com/honeywell/test/ImagingManagerTest.java, line(s) 103 com/kyee/apkupdate/AppUpdateManager.java, line(s) 90,111,156,215,272,316,367,369,167,221,260,377 com/kyee/apkupdate/AppUpdateService.java, line(s) 26 com/kyee/apkupdate/AppUpdateUtil.java, line(s) 54,71,81,109,112,132,161,177 com/kyee/apkupdate/MD5Util.java, line(s) 19 com/kyee/nursestation/controller/NurseStationActivity.java, line(s) 390,243,347,352,753,877,146,430,742,793,813,816,818,824 com/kyee/nursestation/controller/UserLoginActivity.java, line(s) 282 com/kyee/nursestation/global/CustomApplication.java, line(s) 71 com/kyee/nursestation/utils/CommonUtil.java, line(s) 805,105,221,228,1085,1127,1208 com/kyee/nursestation/utils/DBHelperUtil.java, line(s) 48,88,130 com/kyee/nursestation/utils/HttpUtils.java, line(s) 119,203 com/kyee/nursestation/utils/LoadUtil.java, line(s) 166 com/kyee/nursestation/utils/RecievePushInformationUtil.java, line(s) 37,57,62,67,72,79 com/kyee/nursestation/utils/SyncDataUtil.java, line(s) 181 com/kyee/nursestation/utils/SynchronousDataService.java, line(s) 33,61,64,67,70,77 com/kyee/nursestation/utils/createutil/util/ConfigViewUpdateManager.java, line(s) 49,72,40 com/kyee/nursestation/utils/datacontrol/DataController.java, line(s) 233,341,68,85,122,133,168,179,189,191,214,222,294,324 com/kyee/nursestation/utils/datacontrol/JsonHelper.java, line(s) 30,32,35,38 com/kyee/nursestation/utils/datacontrol/URLConnection.java, line(s) 40,84,91,128,134,137,155 com/kyee/nursestation/utils/scancontrol/BCRSBroadCastReceiver.java, line(s) 18,22 com/kyee/nursestation/utils/scancontrol/BNBroadCastReceiver.java, line(s) 20,24,37 com/kyee/nursestation/utils/scancontrol/BNScanUtil.java, line(s) 21 com/kyee/nursestation/utils/scancontrol/BroadCastReceiver_BN.java, line(s) 20,24,37 com/kyee/nursestation/utils/scancontrol/BroadCastReceiver_LX.java, line(s) 14 com/kyee/nursestation/utils/scancontrol/BroadCastReceiver_Saga.java, line(s) 14 com/kyee/nursestation/utils/scancontrol/EMHBroadCastReceiver.java, line(s) 18,22 com/kyee/nursestation/utils/scancontrol/Glory50ScanUtil.java, line(s) 69,72 com/kyee/nursestation/utils/scancontrol/NeusoftScanManager_BCR.java, line(s) 37,51,66 com/kyee/nursestation/utils/scancontrol/ScanUtil.java, line(s) 63,64,57,158,170,174,206,240,267,276 com/kyee/nursestation/utils/scancontrol/ScanUtil_BN.java, line(s) 21 com/kyee/nursestation/utils/scancontrol/ScanUtil_D75E.java, line(s) 69,72 com/kyee/nursestation/utils/widget/MyListView.java, line(s) 82,106,113,122,128,137,147,151,160,164,195,211,220,229 com/kyee/nursestation/views/main/adapter/PatientListOfDialogAdapter.java, line(s) 107 com/kyee/nursestation/views/menu/AutarRiskRcordsFragment.java, line(s) 468,469,335,345,359,409,524,550 com/kyee/nursestation/views/menu/BloodAdviceFragment.java, line(s) 204 com/kyee/nursestation/views/menu/CatheterSlipFragment.java, line(s) 625 com/kyee/nursestation/views/menu/CheckoutFragment.java, line(s) 74 com/kyee/nursestation/views/menu/ExamineFragment.java, line(s) 73 com/kyee/nursestation/views/menu/FallDownFragment.java, line(s) 603 com/kyee/nursestation/views/menu/GCSFragment.java, line(s) 529,514 com/kyee/nursestation/views/menu/GeneralSignsFragment.java, line(s) 137,444,449,457,606,635,661,784,293,301,440 com/kyee/nursestation/views/menu/LoginInfoFragment.java, line(s) 172,196 com/kyee/nursestation/views/menu/MedicineCheckFragment.java, line(s) 137,294,300,244 com/kyee/nursestation/views/menu/NurseTaskFragment.java, line(s) 238 com/kyee/nursestation/views/menu/OrdersFragment.java, line(s) 244,537,548,554,565,722 com/kyee/nursestation/views/menu/PainFragment.java, line(s) 405 com/kyee/nursestation/views/menu/PatListFragment.java, line(s) 27,33 com/kyee/nursestation/views/menu/PressureSoresFragment.java, line(s) 281,282,130,250,410,460,496,505 com/kyee/nursestation/views/menu/SelfCareFragment.java, line(s) 362,452,437 com/kyee/nursestation/views/menu/adminasses/AdminAssesFragmentMain.java, line(s) 333,730,493,496 com/kyee/nursestation/views/menu/adminasses/AdminAssesUtil.java, line(s) 81,110,127,144,82 com/kyee/nursestation/views/menu/autar/AutarUtil.java, line(s) 120,126 com/kyee/nursestation/views/menu/bloodAdvice/activity/BloodAdviceActivity.java, line(s) 88,143,146,239,254,190,222 com/kyee/nursestation/views/menu/bloodAdvice/advices/AdvicesFragment.java, line(s) 277,348,455 com/kyee/nursestation/views/menu/bloodAdvice/advices/BloodOrdersFragment.java, line(s) 81,142,344 com/kyee/nursestation/views/menu/bloodAdvice/remind/BloodPushInfoHandler.java, line(s) 38,55,58 com/kyee/nursestation/views/menu/bloodAdvice/remind/BloodPushRemindHandler.java, line(s) 31,52,55,63,66 com/kyee/nursestation/views/menu/bloodAdvice/remind/PrepareBloodTimer.java, line(s) 68,75,78,83,87 com/kyee/nursestation/views/menu/bloodAdvice/remind/RemindTimer.java, line(s) 41,116 com/kyee/nursestation/views/menu/bloodAdvice/tube/TubeCheckedResultFragment.java, line(s) 153 com/kyee/nursestation/views/menu/checkout/CheckoutDetailActivity.java, line(s) 73 com/kyee/nursestation/views/menu/elderlynusing/ElderlyNusingFragment.java, line(s) 621 com/kyee/nursestation/views/menu/nursetask/table/InterceptScrollContainer.java, line(s) 19 com/kyee/nursestation/views/menu/nursingrcord/NormalCareRecord.java, line(s) 216,375 com/kyee/nursestation/views/menu/nursingrcord/PsychiatryCareRecord.java, line(s) 256,439 com/kyee/nursestation/views/menu/orders/NewOrdersPushInfoHandler.java, line(s) 32 com/kyee/nursestation/views/menu/patlist/PatListJiankaPatsAdapter.java, line(s) 85,129 com/kyee/nursestation/views/menu/surgerynursing/SurgeryNursingFragment.java, line(s) 476,519 com/kyee/nursestation/views/menu/vitalsigns/BedEventActivity.java, line(s) 288,379 com/kyee/nursestation/views/menu/vitalsigns/VitalSignsFragmentMain.java, line(s) 158,185,1092,1096,1064,1071 com/kyee/widget/MyListView.java, line(s) 82,106,113,122,128,137,147,151,160,164,195,211,220,229 com/ningfeifei/swipemenulistview/SwipeMenuLayout.java, line(s) 240 de/mindpipe/android/logging/log4j/LogCatAppender.java, line(s) 39,42,63,66,47,50,31,34,55,58,71,74 de/mindpipe/android/logging/log4j/LogConfigurator.java, line(s) 75 de/tavendo/autobahn/WampConnection.java, line(s) 64,71,107,116,126,174,176 de/tavendo/autobahn/WampCraConnection.java, line(s) 30 de/tavendo/autobahn/WampReader.java, line(s) 32,66,78,94,111,114,117,120 de/tavendo/autobahn/WampWriter.java, line(s) 24 de/tavendo/autobahn/WebSocketConnection.java, line(s) 79,106,115,125,134,137,202,207,225,229,255,265,272,279,285,291,294,308,311,341,347 de/tavendo/autobahn/WebSocketReader.java, line(s) 62,67,373,385,391,394,397,402,323,355 de/tavendo/autobahn/WebSocketWriter.java, line(s) 34,219,244
安全 此应用程序没有隐私跟踪程序
此应用程序不包括任何用户或设备跟踪器。在静态分析期间没有找到任何跟踪器。