安全分析报告:
安全分数
安全分数 51/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
1
用户/设备跟踪器
调研结果
高危
1
中危
9
信息
1
安全
1
关注
3
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: z3/a.java, line(s) 75
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/jg/ids/i/i.java, line(s) 145 s7/b.java, line(s) 75 v6/b.java, line(s) 55
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: l7/i.java, line(s) 9,10,11,12,13,348 o2/m0.java, line(s) 5,6,266 o2/t0.java, line(s) 4,5,135
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: a2/e.java, line(s) 237,395 com/mr/flutter/plugin/filepicker/b.java, line(s) 248 com/mr/flutter/plugin/filepicker/e.java, line(s) 97 o8/i.java, line(s) 129,151 o8/j.java, line(s) 98
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: g9/a.java, line(s) 3 g9/b.java, line(s) 3 h9/a.java, line(s) 3 j7/d.java, line(s) 19 t2/r1.java, line(s) 6 u3/s0.java, line(s) 4 x3/b.java, line(s) 12
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: c6/b.java, line(s) 78 d6/e.java, line(s) 82 d6/w.java, line(s) 125 e0/g.java, line(s) 79 g0/d.java, line(s) 37 g0/p.java, line(s) 95 g0/x.java, line(s) 84 z1/f.java, line(s) 43
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: v6/c.java, line(s) 80
中危 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "google_crash_reporting_api_key" : "AIzaSyDxrIATpwHsDwMBHGqy8enFPDmntkSUqck" "google_api_key" : "AIzaSyDxrIATpwHsDwMBHGqy8enFPDmntkSUqck" 470fa2b4ae81cd56ecbcda9735803434cec591fa edef8ba9-79d6-4ace-a3c8-27dcd51d21ed 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a VGhpcyBpcyB0aGUgcHJlZml4IGZvciBCaWdJbnRlZ2Vy
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a1/a.java, line(s) 72,73 a2/a.java, line(s) 477,482,520,524,529,534 a2/d.java, line(s) 500,505,510 a5/b.java, line(s) 57,68 b0/a.java, line(s) 17 b0/u.java, line(s) 56,84,87,258,271,277,285,303 b0/w.java, line(s) 75,79,84 b0/y.java, line(s) 59 b6/t.java, line(s) 192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210 c0/b.java, line(s) 275 c7/d0.java, line(s) 131,133 c7/g0.java, line(s) 87,100,213,224,233,295,315,116,323 c7/h.java, line(s) 28 c7/i0.java, line(s) 38 c7/l.java, line(s) 65,72,30 c7/y.java, line(s) 140 com/mr/flutter/plugin/filepicker/b.java, line(s) 89,98,118,135,249,265,282 com/mr/flutter/plugin/filepicker/e.java, line(s) 148,281,39,86,213,217,222,277,230,140 d0/d.java, line(s) 76,103,75,102 d0/e.java, line(s) 539,560,578,538,559,577 d2/a.java, line(s) 23,33,43,53 d7/a.java, line(s) 120,124,150 e7/c.java, line(s) 123 f0/c.java, line(s) 111,110 f0/e.java, line(s) 72,71 f1/b.java, line(s) 80 g0/h.java, line(s) 640,388,402,639,494 g0/i.java, line(s) 51,52 g0/k.java, line(s) 14,214 g0/q.java, line(s) 165 g0/z.java, line(s) 76,113,66,75,112,67 g1/a.java, line(s) 55 h0/i.java, line(s) 110,150,111,151 h0/j.java, line(s) 117,158,169,181,83,116,126,147,157,168,180,201,208,89,127,202,209,148 h2/k.java, line(s) 36,65,72,75,92,97,102,107,112 i0/e.java, line(s) 45,55,69,75,106,46,70,58,76,107 i0/i.java, line(s) 123,107 i5/a.java, line(s) 67,71 j0/a.java, line(s) 169,166 k0/c.java, line(s) 16,15 k0/d.java, line(s) 44,43 k0/h.java, line(s) 104,103 k0/u.java, line(s) 67,70 k0/v.java, line(s) 65,70,83,99,66,71,86,102 k0/w.java, line(s) 37,36 k2/a.java, line(s) 15,22,29,14,21,28,42,43,49,50 l1/a.java, line(s) 12 l5/i.java, line(s) 31,22,38,45,30,37,44,51,52,58,59 l7/c0.java, line(s) 83,121,184,199,250,263,269,286,291,358,367,427,87,362 l7/f0.java, line(s) 25 l7/i.java, line(s) 154,204,277,354,394,464,507,377 m0/a.java, line(s) 73,74 n0/d.java, line(s) 14,15 n0/h.java, line(s) 174,181,273,283,295,308,326,342,352,361,374,379,173,180,272,282,294,307,325,335,340,344,350,354,373,378 n0/j.java, line(s) 117,135,116,134,211,212,293 n0/k.java, line(s) 44,50,45,51 n0/n.java, line(s) 86,119,125,131,137,143,150,156,164,120,126,132,138,144,151,157,165,87 n0/z.java, line(s) 207,214,261,320,206,213,258,319 n8/i.java, line(s) 48 o7/d.java, line(s) 124,132,138,29,34,44,51,52,54,73,80,92,101,115,130,146,155,166,177,57,84,95 o8/j.java, line(s) 142 p/i.java, line(s) 123 p/k.java, line(s) 198 p/l.java, line(s) 185,80,100,112,113,128,132 p4/r.java, line(s) 38,33,43,28 p8/l.java, line(s) 80 q8/j.java, line(s) 18,34,44 r0/a.java, line(s) 87,92,97,106,88,93,98,107 r0/d.java, line(s) 21,22 r0/j.java, line(s) 39,42 s5/f.java, line(s) 178,249,253,265 t/b.java, line(s) 81 t0/d.java, line(s) 48,61,66,71,47,54,60,65,70,55 u4/f.java, line(s) 121,169,176 u4/j.java, line(s) 49,92,98,107,110 u4/k.java, line(s) 42 u4/n.java, line(s) 27 u4/u.java, line(s) 44 u4/y.java, line(s) 24 v0/k.java, line(s) 157,15,288,114 v5/g.java, line(s) 34,41,44,53,87 v5/o.java, line(s) 131 v6/b.java, line(s) 59,76 v7/b.java, line(s) 10,14,28,32,36 w1/b.java, line(s) 262 w4/y.java, line(s) 50 w6/c.java, line(s) 95,98,120,128,129,150,156 x4/a.java, line(s) 18 x4/a0.java, line(s) 98,101,105,109,113,117,126,130,133,136,168,176 x4/c.java, line(s) 189,207,427,431,435,441 x4/c1.java, line(s) 53,58 x4/d0.java, line(s) 26 x4/g1.java, line(s) 50 x4/p0.java, line(s) 35 x4/s0.java, line(s) 101 x4/t0.java, line(s) 28 x4/u0.java, line(s) 29 x4/w0.java, line(s) 45 y0/b.java, line(s) 20 y5/g.java, line(s) 31,41,18,51,61,71
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: b6/j.java, line(s) 290,290,291 l5/w.java, line(s) 24
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (dashif.org) 通信。
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (aomedia.org) 通信。
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (firebase-settings.crashlytics.com) 通信。
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}