Security score: 40/100
Privacy risk: 26 user/device trackers
Findings
High: 12
Medium: 32
Info: 3
Secure: 2
Hotspot: 4
High: Application is vulnerable to the Janus vulnerability
The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications signed with both the v1 and v2/v3 schemes are also vulnerable when running on Android 5.0-7.0.
High: The domain configuration insecurely permits cleartext traffic to the in-scope domains below.
Scope: 127.0.0.1
High: Launch mode of Activity (com.nomonkeys.ballblasv.MainActivity) is not standard
An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because it then becomes a root Activity and other applications may be able to read the contents of the calling Intent. The "standard" launch mode attribute is therefore required when an Intent contains sensitive information.
High: Activity (com.facebook.unity.FBUnityAppLinkActivity) is vulnerable to StrandHogg 2.0
The Activity was found to be at risk of the StrandHogg 2.0 task hijacking vulnerability. When exploited, other applications can place a malicious activity on top of the vulnerable application's activity stack, making the application an easy target for phishing attacks. This can be fixed by setting the launch mode attribute to "singleInstance" and setting an empty taskAffinity (taskAffinity=""). You can also update the app's target SDK version (28) to 29 or higher to fix the issue at the platform level.
High: Activity (com.facebook.unity.FBUnityDeepLinkingActivity) is vulnerable to StrandHogg 2.0
The Activity was found to be at risk of the StrandHogg 2.0 task hijacking vulnerability. When exploited, other applications can place a malicious activity on top of the vulnerable application's activity stack, making the application an easy target for phishing attacks. This can be fixed by setting the launch mode attribute to "singleInstance" and setting an empty taskAffinity (taskAffinity=""). You can also update the app's target SDK version (28) to 29 or higher to fix the issue at the platform level.
High: The application uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/ironsource/mediationsdk/utils/IronSourceAES.java, line(s) 33,69
High: The file is World Writable. Any application can write to the file
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/ironsource/mediationsdk/utils/IronSourceUtils.java, line(s) 260
High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting attacks
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: bolts/WebViewAppLinkResolver.java, line(s) 224,6,7 com/applovin/impl/adview/AdViewControllerImpl.java, line(s) 83,15 com/chartboost/sdk/impl/bg.java, line(s) 37,8 com/chartboost/sdk/impl/bh.java, line(s) 175,20,21 com/criteo/view/CriteoBannerAd.java, line(s) 110,14,15 com/criteo/view/InterstialHtmlAdActivity.java, line(s) 150,10,11 com/fyber/inneractive/sdk/g/f/b.java, line(s) 527,13 com/fyber/inneractive/sdk/k/a.java, line(s) 256,12 com/mintegral/msdk/click/f.java, line(s) 257,14,15 com/mintegral/msdk/nativex/view/MTGMediaView.java, line(s) 463,1369,22,23 com/mintegral/msdk/reward/a/c.java, line(s) 434,698,10 com/mintegral/msdk/video/module/MintegralH5EndCardView.java, line(s) 359,13 com/mopub/common/privacy/ConsentDialogLayout.java, line(s) 291,13,14 com/mopub/mobileads/BaseWebView.java, line(s) 36,8 com/mopub/mobileads/MraidActivity.java, line(s) 101,10 com/mopub/mraid/MraidBridge.java, line(s) 549,15,16 com/unity3d/gametune/webview/WebViewApp.java, line(s) 137,9,69,75,89 com/unity3d/services/core/webview/WebViewApp.java, line(s) 157,10,73,79,93,111 com/verizon/ads/webview/VASAdsWebView.java, line(s) 418,449,15 io/presage/StRomans.java, line(s) 136,7
High: Remote WebView debugging is enabled
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files: com/applovin/impl/adview/c.java, line(s) 97,11 com/chartboost/sdk/impl/bh.java, line(s) 173,20,21 com/fyber/inneractive/sdk/k/a.java, line(s) 167,12 com/tapjoy/TapjoyLog.java, line(s) 55,8
High: Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security hole. This application is vulnerable to MITM attacks
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis
Files: a/a/splashscreen/a/a/utils/b.java, line(s) 7,8,9,10,3,41 com/mopub/network/CustomSSLSocketFactory.java, line(s) 16,17,18,19,3 io/voodoo/ads/sdk/a/api/utils/CustomSSLSocketFactory.java, line(s) 7,8,9,10,3,43 io/voodoo/ads/sdk/data/api/utils/CustomSSLSocketFactory.java, line(s) 7,8,9,10,3,42
High: Debug configuration is enabled. Production builds must not be debuggable
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files: com/applisto/appcloner/classes/BuildConfig.java, line(s) 3,6 com/gameanalytics/sdk/unity/BuildConfig.java, line(s) 3,6 com/mopub/mobileads/mobivsta/BuildConfig.java, line(s) 3,6 com/unity/purchasing/BuildConfig.java, line(s) 3,6 com/unity/purchasing/googleplay/BuildConfig.java, line(s) 3,6 io/fabric/unity/crashlytics/android/BuildConfig.java, line(s) 3,6
High: Application contains privacy trackers
This application has 26 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
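Medium: Activity (com.facebook.unity.FBUnityAppLinkActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (com.facebook.unity.FBUnityDeepLinkingActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Content Provider (com.facebook.FacebookContentProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.nomonkeys.ballblasv.InstallTrackingReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.facebook.CampaignTrackingReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.INSTALL_PACKAGES [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.INSTALL_PACKAGES [android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.tapjoy.InstallReferrerReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.vungle.warren.NetworkProviderReceiver) is not protected.
An intent-filter is present. The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device. The presence of the intent-filter indicates that this Broadcast Receiver is explicitly exported.
Medium: Activity (com.unity.purchasing.googleplay.VRPurchaseActivity) is not protected.
An intent-filter is present. The Activity is shared with other applications on the device and is therefore accessible to any other application on the device. The presence of the intent-filter indicates that this Activity is explicitly exported.
Medium: Broadcast Receiver (com.adjust.sdk.AdjustReferrerReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity (io.presage.mraid.browser.ShortcutActivity) is not protected.
An intent-filter is present. The Activity is shared with other applications on the device and is therefore accessible to any other application on the device. The presence of the intent-filter indicates that this Activity is explicitly exported.
Medium: Broadcast Receiver (io.presage.core.receiver.UserPresentReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.BootCompletedReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.TimeSetReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.CarrierConfigChangedReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.NextAlarmClockChangedReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.EventReminderReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.BluetoothReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.PackageFullyRemovedReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (io.presage.core.receiver.AlarmReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.
Medium: Activity has the TaskAffinity attribute set
(disabled_io.presage.core.activity.SBActivity) If taskAffinity is set, other applications may be able to read Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, which keeps the affinity as the package name.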
Medium: IP address disclosure
Files: com/fyber/inneractive/sdk/g/a/l.java, line(s) 78,142 com/fyber/inneractive/sdk/video/IAVideoKit.java, line(s) 42,62 com/mintegral/msdk/base/common/net/h.java, line(s) 59,69,49,72 com/mopub/mobileads/AdColonyAdapterConfiguration.java, line(s) 19,40 com/mopub/mobileads/AppLovinAdapterConfiguration.java, line(s) 17,18,62 com/mopub/mobileads/AppLovinBanner.java, line(s) 123 com/mopub/mobileads/AppLovinInterstitial.java, line(s) 175 com/mopub/mobileads/AppLovinRewardedVideo.java, line(s) 121 com/mopub/mobileads/ChartboostAdapterConfiguration.java, line(s) 18,48 com/mopub/mobileads/FacebookAdapterConfiguration.java, line(s) 17,50,81 com/mopub/mobileads/GooglePlayServicesAdapterConfiguration.java, line(s) 16,34 com/mopub/mobileads/IronSourceAdapterConfiguration.java, line(s) 19,34 com/mopub/mobileads/TapjoyAdapterConfiguration.java, line(s) 17,25 com/mopub/mobileads/UnityAdsAdapterConfiguration.java, line(s) 17,23 com/mopub/mobileads/UnityRouter.java, line(s) 77 com/mopub/mobileads/VerizonAdapterConfiguration.java, line(s) 19,20,27 com/mopub/mobileads/VungleAdapterConfiguration.java, line(s) 11,45 com/mopub/mobileads/VungleRouter.java, line(s) 119 com/mopub/mobileads/adcolony/BuildConfig.java, line(s) 10 com/mopub/mobileads/admob/BuildConfig.java, line(s) 10 com/mopub/mobileads/applovin/BuildConfig.java, line(s) 10 com/mopub/mobileads/chartboost/BuildConfig.java, line(s) 10 com/mopub/mobileads/facebookaudiencenetwork/BuildConfig.java, line(s) 10 com/mopub/mobileads/ironsource/BuildConfig.java, line(s) 10 com/mopub/mobileads/tapjoy/BuildConfig.java, line(s) 10 com/mopub/mobileads/unityads/BuildConfig.java, line(s) 10 com/mopub/mobileads/verizon/BuildConfig.java, line(s) 10 com/mopub/mobileads/vungle/BuildConfig.java, line(s) 10 com/mopub/nativeads/VerizonNative.java, line(s) 196
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, and keys
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: bolts/MeasurementEvent.java, line(s) 19,20 com/alphab/c/b.java, line(s) 45,47 com/applovin/impl/sdk/j.java, line(s) 603 com/applovin/sdk/AppLovinSdk.java, line(s) 206 com/applovin/sdk/AppLovinWebViewActivity.java, line(s) 16 com/gameanalytics/sdk/state/GAState.java, line(s) 754,756,761,772,787,791,766,777,784,170 com/ironsource/adapters/ironsource/IronSourceAdapter.java, line(s) 225 com/ironsource/adapters/supersonicads/SupersonicAdsAdapter.java, line(s) 100 com/ironsource/adapters/supersonicads/SupersonicConfig.java, line(s) 24 com/ironsource/environment/DeviceStatus.java, line(s) 35 com/ironsource/mediationsdk/AbstractSmash.java, line(s) 29,28,27 com/ironsource/mediationsdk/logger/LogsSender.java, line(s) 15,14 com/ironsource/mediationsdk/sdk/GeneralProperties.java, line(s) 7 com/ironsource/mediationsdk/server/ServerURL.java, line(s) 20,34 com/ironsource/mediationsdk/utils/IronSourceConstants.java, line(s) 53 com/ironsource/mediationsdk/utils/IronSourceUtils.java, line(s) 40,42,32,45,47 com/ironsource/sdk/ISNAdView/ISNAdViewConstants.java, line(s) 17,19,20,27 com/ironsource/sdk/constants/Constants.java, line(s) 311,258,31 com/ironsource/sdk/utils/IronSourceSharedPrefHelper.java, line(s) 18 com/mintegral/msdk/MIntegralConstans.java, line(s) 17,38 com/mintegral/msdk/base/common/d/a.java, line(s) 504,528 com/mintegral/msdk/base/entity/CampaignEx.java, line(s) 148,34 com/mintegral/msdk/base/entity/p.java, line(s) 583 com/mopub/common/AdUrlGenerator.java, line(s) 17,19,18,20,21,22,28,25,26,27,29,30,23,31,24,32,34,35,33 com/mopub/common/AdapterConfigurationManager.java, line(s) 24 com/mopub/common/AvidViewabilitySession.java, line(s) 20 com/mopub/common/BaseUrlGenerator.java, line(s) 21,30,22,23,24,31,25,28,18,29,32,33,34 com/mopub/common/Constants.java, line(s) 22,23 com/mopub/common/DataKeys.java, 
line(s) 4,13,15,14,8,23,16,18,19,7,29,31,30,32,33,37,38 com/mopub/common/GpsHelper.java, line(s) 14 com/mopub/common/MoPubAdvancedBidderData.java, line(s) 9 com/mopub/common/MoPubBrowser.java, line(s) 22 com/mopub/common/MoatViewabilitySession.java, line(s) 29,34,33 com/mopub/common/privacy/ConsentDialogRequest.java, line(s) 17 com/mopub/common/privacy/ConsentDialogUrlGenerator.java, line(s) 12 com/mopub/common/privacy/PersonalInfoData.java, line(s) 33,15,16,20,22,21,17,18,19,23,24,25,26,27,28,29,30,31,32,34,35,38,39 com/mopub/common/privacy/SyncUrlGenerator.java, line(s) 13,14,15,17,18 com/mopub/mobileads/AdColonyAdapterConfiguration.java, line(s) 20,21,23 com/mopub/mobileads/AdColonyInterstitial.java, line(s) 22,23,24,30 com/mopub/mobileads/AdColonyRewardedVideo.java, line(s) 33,34,35,41,42 com/mopub/mobileads/AppLovinAdapterConfiguration.java, line(s) 20,19 com/mopub/mobileads/AppLovinBanner.java, line(s) 27,28,30 com/mopub/mobileads/AppLovinInterstitial.java, line(s) 30 com/mopub/mobileads/AppLovinRewardedVideo.java, line(s) 31 com/mopub/mobileads/BaseVideoPlayerActivity.java, line(s) 17 com/mopub/mobileads/BidCache.java, line(s) 8 com/mopub/mobileads/ChartboostAdapterConfiguration.java, line(s) 19,20 com/mopub/mobileads/ChartboostRewardedVideo.java, line(s) 16 com/mopub/mobileads/ChartboostShared.java, line(s) 25,26,28 com/mopub/mobileads/ConversionUrlGenerator.java, line(s) 11,12 com/mopub/mobileads/CriteoBanner.java, line(s) 11,12 com/mopub/mobileads/FacebookAdapterConfiguration.java, line(s) 19 com/mopub/mobileads/FacebookBanner.java, line(s) 22 com/mopub/mobileads/FacebookInterstitial.java, line(s) 19 com/mopub/mobileads/GooglePlayServicesBanner.java, line(s) 21,22,23,24,25 com/mopub/mobileads/GooglePlayServicesInterstitial.java, line(s) 18,19,20,21,22 com/mopub/mobileads/GooglePlayServicesRewardedVideo.java, line(s) 29,30,31 com/mopub/mobileads/IronSourceAdapterConfiguration.java, line(s) 20 com/mopub/mobileads/IronSourceInterstitial.java, line(s) 21,22 
com/mopub/mobileads/IronSourceRewardedVideo.java, line(s) 19,20 com/mopub/mobileads/MoPubRewardedVideoManager.java, line(s) 54,55,53 com/mopub/mobileads/RewardedVideoCompletionRequestHandler.java, line(s) 23,21,29,27,22,28,20 com/mopub/mobileads/TapjoyAdapterConfiguration.java, line(s) 20 com/mopub/mobileads/TapjoyInterstitial.java, line(s) 26,29 com/mopub/mobileads/TapjoyRewardedVideo.java, line(s) 30,34 com/mopub/mobileads/UnityRouter.java, line(s) 17,18,19 com/mopub/mobileads/VerizonAdapterConfiguration.java, line(s) 22 com/mopub/mobileads/VerizonBanner.java, line(s) 31,35,30,34,32,33 com/mopub/mobileads/VerizonInterstitial.java, line(s) 25,26 com/mopub/mobileads/VerizonRewardedVideo.java, line(s) 24,25 com/mopub/mobileads/VungleAdapterConfiguration.java, line(s) 12 com/mopub/mobileads/VungleBanner.java, line(s) 21,25,24 com/mopub/mobileads/VungleInterstitial.java, line(s) 15,20,19,17,18,21 com/mopub/mobileads/VungleRewardedVideo.java, line(s) 19,20,21,22,23,24,25,26,27,28,29 com/mopub/nativeads/FacebookNative.java, line(s) 28,29 com/mopub/nativeads/GooglePlayServicesNative.java, line(s) 34,35,36 com/mopub/nativeads/PositioningRequest.java, line(s) 22,23,25,26,27 com/mopub/nativeads/VerizonNative.java, line(s) 33,34 com/mopub/sniffer/SnifferManager.java, line(s) 31,37 com/tapjoy/TapjoyConstants.java, line(s) 53,56 com/tenjin/android/TenjinSDK.java, line(s) 56,60,61,63,64 com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 6 com/verizon/ads/RequestMetadata.java, line(s) 13,14,15,16,17,18,19,20,12,21,22,23,11,24,25,26 com/verizon/ads/VASAds.java, line(s) 30,33,34,42,45,46,47,48,49,51,52,53,54,50 com/verizon/ads/edition/StandardEdition.java, line(s) 31,32,33 com/verizon/ads/inlineplacement/InlineAdFactory.java, line(s) 54,55,56,43,45,57,58,59 com/verizon/ads/inlineplacement/InlineAdView.java, line(s) 35,39,36 com/verizon/ads/interstitialplacement/InterstitialAdFactory.java, line(s) 49,37,41,50 com/verizon/ads/nativeplacement/NativeAd.java, line(s) 30,32 
com/verizon/ads/nativeplacement/NativeAdFactory.java, line(s) 52,46,48,50,53,54 com/verizon/ads/omsdk/OMSDKPlugin.java, line(s) 12 com/verizon/ads/support/VASActivity.java, line(s) 18 com/verizon/ads/support/WaterfallProviderFactory.java, line(s) 10 com/verizon/ads/vastcontroller/VASTVideoView.java, line(s) 78,80 com/verizon/ads/verizonnativecontroller/VerizonNativeAd.java, line(s) 49,65,58 com/verizon/ads/verizonnativecontroller/VerizonNativeController.java, line(s) 19,20 com/verizon/ads/verizonnativecontroller/VerizonNativeVideoComponent.java, line(s) 35 com/verizon/ads/verizonsspreporter/VerizonSSPReporter.java, line(s) 46,51,52,53 com/verizon/ads/verizonsspwaterfallprovider/VerizonSSPWaterfallProvider.java, line(s) 50,85,104,54,105,51,106,58,107,108,61,62,109,467,110,70,111,86,87,88,112,468,113,114,52,89,115,116,90,96,97,99,117,71,72,91,120,92 com/verizon/ads/webview/MRAIDExpandedActivity.java, line(s) 28 com/verizon/ads/webview/VASAdsMRAIDWebView.java, line(s) 100,131,133 com/verizon/ads/webview/VASAdsWebView.java, line(s) 51 com/vungle/warren/tasks/DownloadJob.java, line(s) 10 io/fabric/unity/android/BundleKitDataProvider.java, line(s) 13 io/fabric/unity/android/KitInstantiator.java, line(s) 8,9
Medium: MD5 is a weak hash known to have hash collisions
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: a/a/splashscreen/CacheManager.java, line(s) 104 com/fyber/inneractive/sdk/g/a/e.java, line(s) 160 com/ironsource/mediationsdk/utils/IronSourceUtils.java, line(s) 176 com/ironsource/sdk/utils/SDKUtils.java, line(s) 311 com/mintegral/msdk/base/utils/e.java, line(s) 18 io/presage/CoeurdeNeufchatel.java, line(s) 17,18
Medium: The application uses an insecure random number generator
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/applovin/impl/a/i.java, line(s) 19 com/inmobi/media/ad.java, line(s) 11 com/inmobi/media/aq.java, line(s) 5 com/ironsource/mediationsdk/utils/DailyCappingManager.java, line(s) 14 com/mintegral/msdk/interactiveads/activity/InteractiveShowActivity.java, line(s) 42 io/presage/core/lIIIIIIl.java, line(s) 9
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/inmobi/media/fx.java, line(s) 5,48,105 com/ironsource/eventsmodule/DataBaseEventsStorage.java, line(s) 5,6,92,97 com/mintegral/msdk/base/b/i.java, line(s) 4,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71 com/tapjoy/internal/g.java, line(s) 5,37,62,97 com/tapjoy/internal/gg.java, line(s) 6,32,34,114,161,200 com/vungle/warren/persistence/DatabaseHelper.java, line(s) 7,8,107 com/vungle/warren/persistence/Repository.java, line(s) 7,173 io/voodoo/ads/sdk/a/db/DatabaseFactory.java, line(s) 4,5,35 io/voodoo/ads/sdk/data/db/DatabaseFactory.java, line(s) 4,5,33
Medium: SHA-1 is a weak hash known to have hash collisions
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/adcolony/sdk/at.java, line(s) 318 com/adcolony/sdk/aw.java, line(s) 13 com/applovin/impl/sdk/utils/l.java, line(s) 146 com/applovin/impl/sdk/utils/n.java, line(s) 39 com/chartboost/sdk/Libraries/c.java, line(s) 19 com/fyber/inneractive/sdk/g/a/e.java, line(s) 115 com/inmobi/media/gn.java, line(s) 135 com/mopub/common/util/Utils.java, line(s) 28 com/tapjoy/internal/ch.java, line(s) 10 com/unity3d/gametune/device/Device.java, line(s) 156 com/unity3d/services/core/device/Device.java, line(s) 156
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may be present
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: bolts/WebViewAppLinkResolver.java, line(s) 214,189 com/adcolony/sdk/av.java, line(s) 564,500 com/inmobi/media/j.java, line(s) 840,836 com/ironsource/sdk/ISNAdView/ISNAdView.java, line(s) 37,36 com/ironsource/sdk/controller/IronSourceWebView.java, line(s) 1828,2492 com/unity3d/gametune/webview/WebView.java, line(s) 100,76 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 543,527 com/unity3d/services/core/webview/WebView.java, line(s) 100,76 com/verizon/ads/webview/VASAdsWebView.java, line(s) 181,158
Medium: A cross-origin vulnerability may be present. Enabling file access from URLs in a WebView can leak sensitive information from the file system
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/adcolony/sdk/av.java, line(s) 509,500 com/chartboost/sdk/impl/bg.java, line(s) 57,56 com/ironsource/sdk/controller/IronSourceWebView.java, line(s) 2486,2492 com/mintegral/msdk/mtgjscommon/base/BaseWebView.java, line(s) 43,47,44 com/unity3d/gametune/webview/WebView.java, line(s) 50,76 com/unity3d/services/core/webview/WebView.java, line(s) 50,76 com/vungle/warren/ui/VungleWebViewActivity.java, line(s) 44,35
Medium: The application can read/write external storage. Any application can read data written to external storage
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/adcolony/sdk/aq.java, line(s) 318,324,325 com/applisto/appcloner/classes/DebugUtilsProvider.java, line(s) 68,98,119 com/applovin/impl/sdk/n.java, line(s) 198 com/chartboost/sdk/impl/s.java, line(s) 47,51 com/fyber/inneractive/sdk/g/a/l.java, line(s) 53,54 com/fyber/inneractive/sdk/k/d.java, line(s) 931 com/fyber/inneractive/sdk/util/j.java, line(s) 86 com/ironsource/environment/DeviceStatus.java, line(s) 110,261 com/ironsource/mediationsdk/utils/GeneralPropertiesWorker.java, line(s) 129,236 com/ironsource/sdk/utils/SDKUtils.java, line(s) 371 com/mintegral/msdk/base/common/d/a/a.java, line(s) 89 com/mintegral/msdk/base/utils/f.java, line(s) 23 com/mintegral/msdk/base/utils/k.java, line(s) 70,101,111 com/mintegral/msdk/optimize/SensitiveDataUtil.java, line(s) 101 com/mopub/mraid/MraidNativeCommandHandler.java, line(s) 86 com/tapjoy/TapjoyCache.java, line(s) 215,216,217 com/unity3d/gametune/cache/CacheDirectory.java, line(s) 39 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 54 com/verizon/ads/EnvironmentInfo.java, line(s) 161,164,356 com/verizon/ads/webview/MediaUtils.java, line(s) 38 com/vungle/warren/download/APKDirectDownloadManager.java, line(s) 49 com/vungle/warren/persistence/CacheManager.java, line(s) 89,92 com/vungle/warren/persistence/Repository.java, line(s) 128,129
Medium: The application creates temporary files. Sensitive information should never be written to temporary files
Files: com/tapjoy/internal/hx.java, line(s) 179 com/verizon/ads/utils/IOUtils.java, line(s) 169
Medium: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure they are not confidential or private information.
AppLovin ad SDK => "applovin.sdk.key" : "E1M7r57HoT7PoxvgxbXnJLA55TKI1GOGHmO6rVNdzV1mQwQMWz7rJIxOrGgtW48prWwf1II-oKkDF9Zn7gbQzX"
Credential => "io.fabric.ApiKey" : "b9e01c05f0d33a64b66fed1a4e262744bdeb4bce"
AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-6354112556091525~7075850253"
Info: The application logs information. Sensitive information must not be logged
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: a/a/splashscreen/a/a/utils/SSLHttpClient.java, line(s) 50 bitter/jnibridge/JNIBridge.java, line(s) 62 bolts/MeasurementEvent.java, line(s) 103,115 com/adcolony/sdk/AdColonyAppOptions.java, line(s) 54,71 com/adcolony/sdk/ai.java, line(s) 107,128,87 com/adcolony/sdk/ak.java, line(s) 210,147,222,254,359 com/adcolony/sdk/am.java, line(s) 82 com/adcolony/sdk/g.java, line(s) 320 com/adcolony/sdk/y.java, line(s) 144,107,150,152,146,181,148,173 com/applisto/appcloner/classes/AccessibleDataDirectoryProvider.java, line(s) 18,66,74,78,84,87,90,61,70,76 com/applisto/appcloner/classes/DebugUtilsProvider.java, line(s) 67,69,71,84,97,99,101,118,120,122,58,106,127 com/applisto/appcloner/classes/DisableMobileDataProvider.java, line(s) 47,56,69,82,84,101,115,119,147,162,62,89,93,103,108,124,156 com/applisto/appcloner/classes/DisableMobileDataReceiver.java, line(s) 13,21 com/applisto/appcloner/classes/DummyActivity.java, line(s) 39,41,44 com/applisto/appcloner/classes/DummyApplication.java, line(s) 11 com/applisto/appcloner/classes/IncognitoModeProvider.java, line(s) 12,18 com/applisto/appcloner/classes/IncognitoModeReceiver.java, line(s) 20,31,46,25,35,48,52,93 com/applisto/appcloner/classes/IncognitoModeService.java, line(s) 28,34,47,60,77,96,55,87 com/applisto/appcloner/classes/MuteOnStartProvider.java, line(s) 18,23,63,67,75,28,77,84 com/applisto/appcloner/classes/PasswordActivity.java, line(s) 58,194,226,50,124,137,159,164,198,206,217 com/applisto/appcloner/classes/SecureWindowsProvider.java, line(s) 45,51,67,75,29,35,54 com/applisto/appcloner/classes/SocketFactoryProvider.java, line(s) 63,77,140,143,193,217,225,233,238,256,268,310,353,363,373,385,66,246,315,338,342,388 com/applisto/appcloner/classes/TrustAllCertificatesProvider.java, line(s) 35,37 com/applisto/appcloner/classes/Utils.java, line(s) 32,39,51,54,65,69,105,115,125,134,155,168 
com/applovin/impl/sdk/p.java, line(s) 22,78,18,47,26,90,30,70 com/chartboost/sdk/Libraries/CBLogging.java, line(s) 17,23,29,59,35,41,47,53 com/chartboost/sdk/impl/as.java, line(s) 13,20,23,29,35,42 com/chartboost/sdk/impl/bf.java, line(s) 199,240,243,256,259,262,265,268,271,278,285,275 com/chartboost/sdk/impl/bi.java, line(s) 59,70,125,176 com/criteo/controller/AppConfigFileTask.java, line(s) 84,111 com/criteo/controller/GlobalConfigFileTask.java, line(s) 78,111 com/criteo/sync/sdk/AdvertisingInfoLoader.java, line(s) 16 com/criteo/sync/sdk/ConfigClient.java, line(s) 57 com/criteo/sync/sdk/ConfigManager.java, line(s) 20 com/criteo/sync/sdk/CriteoSync.java, line(s) 23 com/criteo/sync/sdk/CriteoSyncManager.java, line(s) 56,58,62,64,67,71,118,120,156,159,152,51,103,171,173,27 com/criteo/sync/sdk/CrtoLog.java, line(s) 20,32,37,48,68 com/criteo/sync/sdk/CustomTabsServiceCaller.java, line(s) 27,39,42,62,75,78,31,55 com/criteo/sync/sdk/EnvironmentChecker.java, line(s) 17,26,30,39,47,55 com/criteo/sync/sdk/ErrorReporting.java, line(s) 16,17,29,30,55 com/criteo/sync/sdk/customtabs/CustomTabsHelper.java, line(s) 72 com/criteo/sync/sdk/customtabs/CustomTabsSessionToken.java, line(s) 21,30,39,48,57 com/fyber/inneractive/sdk/a.java, line(s) 29 com/fyber/inneractive/sdk/a/a.java, line(s) 39,44,53 com/fyber/inneractive/sdk/c/h.java, line(s) 71 com/fyber/inneractive/sdk/external/InneractiveAdViewUnitController.java, line(s) 188 com/fyber/inneractive/sdk/f/h.java, line(s) 117,131 com/fyber/inneractive/sdk/f/j.java, line(s) 59 com/fyber/inneractive/sdk/g/a/c.java, line(s) 268 com/fyber/inneractive/sdk/i/d.java, line(s) 29 com/fyber/inneractive/sdk/k/a.java, line(s) 225 com/fyber/inneractive/sdk/util/IAlog.java, line(s) 47,41,65,53,35,59 com/fyber/inneractive/sdk/util/v.java, line(s) 46 com/fyber/mediation/mopub/FyberAdapterConfiguration.java, line(s) 77,42 com/gameanalytics/sdk/errorreporter/GameAnalyticsExceptionReportService.java, line(s) 48 
com/gameanalytics/sdk/logging/GALogger.java, line(s) 93,87,98,91 com/gameanalytics/sdk/validators/GAValidator.java, line(s) 21,29,37,89 com/iab/omid/library/adcolony/d/c.java, line(s) 11 com/iab/omid/library/inmobi/d/c.java, line(s) 11 com/iab/omid/library/oath/d/c.java, line(s) 11 com/iab/omid/library/oguryco/d/c.java, line(s) 11 com/inmobi/media/e.java, line(s) 63 com/inmobi/media/gh.java, line(s) 18,25,29,32,39,44,14,37 com/inmobi/media/gq.java, line(s) 42 com/ironsource/mediationsdk/integration/IntegrationHelper.java, line(s) 28,31,45,50,87,90,100,118,134,139,159,162,179,181,193,198,214,25,40,48,60,62,84,97,109,115,129,137,153,156,169,174,176,188,191,196,204,151,206 com/ironsource/mediationsdk/logger/ConsoleLogger.java, line(s) 36,26,22,30 com/ironsource/sdk/ISNAdView/ISNAdView.java, line(s) 122 com/ironsource/sdk/ISNAdView/ISNAdViewLogic.java, line(s) 47,86,101,132,140,211,225,233,250 com/ironsource/sdk/controller/IronSourceWebView.java, line(s) 346,354,420,836,994,1014,1043,1063,1085,1105,1131,1159,1179,1338,1366,2571,3011,3015,3023,3031,3039,3045,3054,3056,3145 com/ironsource/sdk/service/TokenService.java, line(s) 98 com/ironsource/sdk/utils/Logger.java, line(s) 12,18,24,30,44,52,57,63,69,75 com/mintegral/msdk/appwall/TabListFragment.java, line(s) 905 com/mintegral/msdk/base/common/b/e.java, line(s) 37 com/mintegral/msdk/base/utils/e.java, line(s) 20 com/mintegral/msdk/base/utils/i.java, line(s) 32,38,68,78,50,44,56,62 com/mintegral/msdk/click/g.java, line(s) 205 com/mintegral/msdk/mtgnative/c/b.java, line(s) 1796 com/mintegral/msdk/mtgnative/c/c.java, line(s) 683 com/mintegral/msdk/playercommon/PlayerView.java, line(s) 182 com/mintegral/msdk/reward/player/MTGRewardVideoActivity.java, line(s) 161 com/mintegral/msdk/video/module/MintegralBaseView.java, line(s) 147,159 com/mintegral/msdk/videocommon/view/MyImageView.java, line(s) 27 com/moat/analytics/mobile/cha/a.java, line(s) 113 com/moat/analytics/mobile/cha/o.java, line(s) 115 
com/moat/analytics/mobile/inm/m.java, line(s) 38 com/moat/analytics/mobile/inm/p.java, line(s) 39 com/moat/analytics/mobile/iro/n.java, line(s) 38 com/moat/analytics/mobile/iro/p.java, line(s) 44 com/moat/analytics/mobile/ogury/e.java, line(s) 83 com/moat/analytics/mobile/ogury/l.java, line(s) 139 com/moat/analytics/mobile/vng/m.java, line(s) 38 com/moat/analytics/mobile/vng/o.java, line(s) 44 com/mopub/common/DiskLruCache.java, line(s) 431 com/mopub/common/MoPub.java, line(s) 159 com/mopub/common/SdkConfiguration.java, line(s) 57 com/mopub/common/logging/MoPubDefaultLogger.java, line(s) 31,33 com/mopub/common/logging/MoPubLog.java, line(s) 348,349 com/mopub/common/privacy/MoPubIdentifier.java, line(s) 192 com/mopub/mobileads/AdapterCommonUtil.java, line(s) 31,35 com/mopub/mobileads/AdapterTools.java, line(s) 12,14 com/mopub/mobileads/CriteoInterstitial.java, line(s) 117,31,36,40 com/mopub/mobileads/MintegralInterstitialVideoAdapter.java, line(s) 78,87,103,112,121,126 com/mopub/mobileads/MintegralNative.java, line(s) 80,155,173 com/mopub/mobileads/MoPubActivity.java, line(s) 119 com/mopub/mobileads/MobvistaInterstitialAdapter.java, line(s) 69,78,94,103,112,117 com/mopub/mobileads/MobvistaRewardVideo.java, line(s) 148,188,198 com/mopub/mobileads/MraidActivity.java, line(s) 111 com/mopub/mobileads/RewardedMraidActivity.java, line(s) 58 com/mopub/mobileads/TapjoyInterstitial.java, line(s) 41 com/mopub/mobileads/TapjoyRewardedVideo.java, line(s) 128 com/mopub/mobileads/view/CriteoBannerView.java, line(s) 159 com/mopub/mobileads/view/CriteoNativeView.java, line(s) 460,481 com/mopub/mraid/MraidController.java, line(s) 973 com/mopub/nativeads/CriteoNative.java, line(s) 176 com/mopub/nativeads/CriteoNativeAdRenderer.java, line(s) 109 com/mopub/nativeads/MintegralAdRenderer.java, line(s) 136 com/mopub/unity/MoPubUnityPlugin.java, line(s) 471 com/mopub/volley/CacheDispatcher.java, line(s) 37,49,68,183,60,88,171 com/mopub/volley/NetworkDispatcher.java, line(s) 49,103 
com/mopub/volley/Request.java, line(s) 163,168 com/mopub/volley/VolleyLog.java, line(s) 64,67,97,54,101,105,11,111,116,121,125 com/mopub/volley/toolbox/BasicNetwork.java, line(s) 150,122,133,155 com/mopub/volley/toolbox/DiskBasedCache.java, line(s) 102,178,299,326,333,397,409,419,349,167,187 com/mopub/volley/toolbox/HttpHeaderParser.java, line(s) 127 com/mopub/volley/toolbox/ImageRequest.java, line(s) 170 com/mopub/volley/toolbox/JsonRequest.java, line(s) 62 com/ogury/consent/manager/cocoartf1671.java, line(s) 32 com/ogury/consent/manager/util/consent/cocoartf1671.java, line(s) 15,20 com/tapjoy/HmacSignature.java, line(s) 29,48 com/tapjoy/TJAdUnit$2.java, line(s) 71,84,95,109,59 com/tapjoy/TJAdUnit$3.java, line(s) 36 com/tapjoy/TJAdUnit$4.java, line(s) 27,50,45 com/tapjoy/TJAdUnit$5.java, line(s) 20,24 com/tapjoy/TJAdUnit$6.java, line(s) 19,23 com/tapjoy/TJAdUnit$7.java, line(s) 22 com/tapjoy/TJAdUnit.java, line(s) 72,160,204,524,286,406,394,454,485,491,507,275,297,115 com/tapjoy/TJAdUnitActivity.java, line(s) 53,59,84,91,113,182,212,218,229,239,257,98,167,198 com/tapjoy/TJAdUnitJSBridge.java, line(s) 169,173,295,430,492,530,535,579,583,590,612,630,668,677,806,854,884,905,941,950,986,1030,1044,1079,1101,1106,1139,1143,1178,1186,1189,1195,1204,123,144,138,199,427,793,803,848,869,932,974,1076,1127 com/tapjoy/TJCloseButton.java, line(s) 54 com/tapjoy/TJCorePlacement.java, line(s) 121,137,141,268,401,469,487,543,363,375,379,528,149,198,244,250,263,353,410,438,563,214 com/tapjoy/TJCurrency.java, line(s) 30,35,53,59,83,85,95,119,121,128,137,184,44,88,124 com/tapjoy/TJEventOptimizer.java, line(s) 32,47,77,53,85 com/tapjoy/TJPlacement.java, line(s) 126,144,181,95,133,157,171,98,188,192 com/tapjoy/TJPlacementManager.java, line(s) 39,45,144,148 com/tapjoy/TJSplitWebView.java, line(s) 114,119,141,380,159 com/tapjoy/TJWebViewJSInterface.java, line(s) 108,112,45,52,77,101 com/tapjoy/TapjoyAdIdClient.java, line(s) 39 com/tapjoy/TapjoyAppSettings.java, line(s) 
21,30,87,90,39,43,64,81,98,104,44 com/tapjoy/TapjoyCache.java, line(s) 72,86,140,222,240,246,258,301,304,314,339,364,367,423,424,425,426,146,166,224,243,254,271,290,323,331,333 com/tapjoy/TapjoyCacheMap.java, line(s) 39,64 com/tapjoy/TapjoyCachedAssetData.java, line(s) 40,50 com/tapjoy/TapjoyConnectCore.java, line(s) 239,341,424,428,561,771,794,795,984,993,999,1003,1185,1187,1269,1289,1295,1304,1322,1348,1375,1396,1417,179,188,256,271,325,338,363,387,444,528,534,557,743,774,799,873,1006,1122,1141,1177,1181,1231,1235,221,263,397,950,951,953,955,956,957,1054,1115,1273,1300,1327,1345,1393,1421,478,483,526,532,369,1033,1094,1097 com/tapjoy/TapjoyGpsHelper.java, line(s) 77,79,82,83,88,90,93,104,105 com/tapjoy/TapjoyLog.java, line(s) 54 com/tapjoy/TapjoyURLConnection.java, line(s) 20,29,26,66,83,143,59,86,87,88,90,92,106,107,108,153,154,155,157,159 com/tapjoy/TapjoyUtil.java, line(s) 154,169,170,171,286,56 com/tapjoy/internal/dn.java, line(s) 7 com/tapjoy/internal/eq.java, line(s) 38,46,50,60,75,82,86,90,94,98,105 com/tapjoy/internal/es.java, line(s) 60,121,324,331,359,365,385,392,444,450,431,437,312,379,51,424 com/tapjoy/internal/fl.java, line(s) 52,62 com/tapjoy/internal/fm.java, line(s) 29,46 com/tapjoy/internal/fq.java, line(s) 39 com/tapjoy/internal/fz.java, line(s) 36,38 com/tapjoy/internal/gv.java, line(s) 61 com/tapjoy/internal/jg.java, line(s) 16 com/tapjoy/internal/jk.java, line(s) 44,58,62 com/tenjin/android/HttpConnection.java, line(s) 96,162,191,208 com/tenjin/android/TenjinReferrerReceiver.java, line(s) 17,21 com/tenjin/android/TenjinSDK.java, line(s) 725,731,735,741,751,752,753,826,1348,1366,1384,1438,1459 com/unity/purchasing/googleplay/BillingServiceManager.java, line(s) 83 com/unity/purchasing/googleplay/GooglePlayPurchasing.java, line(s) 310,274 com/unity/purchasing/googleplay/IabHelper.java, line(s) 456,452,460 com/unity/purchasing/googleplay/PurchaseActivity.java, line(s) 24 com/unity3d/ads/metadata/MetaData.java, line(s) 30,45 
com/unity3d/gametune/MetaData.java, line(s) 30,45 com/unity3d/gametune/Question.java, line(s) 61,65,69,74,78,85 com/unity3d/gametune/UnityGameTune.java, line(s) 95,288,300,320,333,94,100,107,113,131,294,34,43,56,65,135,242,254,257,327 com/unity3d/gametune/broadcast/BroadcastEventReceiver.java, line(s) 36 com/unity3d/gametune/cache/CacheDirectory.java, line(s) 49,53,63,43,58 com/unity3d/gametune/configuration/Configuration.java, line(s) 85 com/unity3d/gametune/configuration/EnvironmentCheck.java, line(s) 32,45,35,48,51,54,57 com/unity3d/gametune/configuration/InitializeThread.java, line(s) 41,44,51,140,168,179,202,54,57,81,182,210,214 com/unity3d/gametune/connectivity/ConnectivityMonitor.java, line(s) 53,82,91 com/unity3d/gametune/core/DeviceInfo.java, line(s) 157,175,191,329,355,369,422 com/unity3d/gametune/core/Intent.java, line(s) 48,62,205,229,244 com/unity3d/gametune/core/Request.java, line(s) 33,45,96,108,126,138 com/unity3d/gametune/core/Sdk.java, line(s) 21,27,37,43,49,55 com/unity3d/gametune/device/AdvertisingId.java, line(s) 128,145,155 com/unity3d/gametune/device/Device.java, line(s) 74,158,251,256,265,274,357,365,374,524,569,582 com/unity3d/gametune/device/Storage.java, line(s) 52,45 com/unity3d/gametune/log/DeviceLog.java, line(s) 64,209,216 com/unity3d/gametune/misc/JsonStorage.java, line(s) 153,26,32,51,72,83,95,162,168 com/unity3d/gametune/misc/Utilities.java, line(s) 35,56 com/unity3d/gametune/misc/ViewUtilities.java, line(s) 17,26 com/unity3d/gametune/preferences/AndroidPreferences.java, line(s) 14,26,38,50,62 com/unity3d/gametune/properties/ClientProperties.java, line(s) 38,77,89,91 com/unity3d/gametune/properties/SdkProperties.java, line(s) 114,116 com/unity3d/gametune/request/WebRequest.java, line(s) 81,177,183,192 com/unity3d/gametune/request/WebRequestRunnable.java, line(s) 60,45,64 com/unity3d/gametune/request/WebRequestThread.java, line(s) 61,121,136 com/unity3d/gametune/webview/WebView.java, line(s) 109,31,41,57 
com/unity3d/gametune/webview/WebViewApp.java, line(s) 59,71,90,164,196,239,278,52,78,81,84,113,128,135,140,232,261,291 com/unity3d/gametune/webview/bridge/Invocation.java, line(s) 62 com/unity3d/gametune/webview/bridge/NativeCallback.java, line(s) 41 com/unity3d/gametune/webview/bridge/WebViewBridge.java, line(s) 60 com/unity3d/gametune/webview/bridge/WebViewBridgeInterface.java, line(s) 20,35 com/unity3d/gametune/webview/bridge/WebViewCallback.java, line(s) 50 com/unity3d/services/UnityServices.java, line(s) 29,39,44,52,75,60,62,72,34 com/unity3d/services/ads/UnityAdsImplementation.java, line(s) 60,86,169,177,147 com/unity3d/services/ads/adunit/AdUnitActivity.java, line(s) 392,394,57,69,146,205,241,285,319,341,410,246 com/unity3d/services/ads/adunit/VideoPlayerHandler.java, line(s) 17,35 com/unity3d/services/ads/api/AdUnit.java, line(s) 202,208,257,260,264,267,324,327,330,333,360,110,132,155,162,338,351,363,367,407,498 com/unity3d/services/ads/api/VideoPlayer.java, line(s) 60,78,101,119,170,181 com/unity3d/services/ads/api/WebPlayer.java, line(s) 53 com/unity3d/services/ads/configuration/AdsModuleConfiguration.java, line(s) 67,78,84 com/unity3d/services/ads/load/LoadBridge.java, line(s) 26 com/unity3d/services/ads/video/VideoPlayerView.java, line(s) 40,58,93,98,116,150,162,196 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 65,75,420,518,561,619,634,648,660 com/unity3d/services/ar/view/ARView.java, line(s) 302,381,198,325,340,214,219,227,372 com/unity3d/services/ar/view/GLSurfaceView.java, line(s) 160,174,277,596,231 com/unity3d/services/ar/view/ShaderLoader.java, line(s) 14,29 com/unity3d/services/banners/BannerView.java, line(s) 122 com/unity3d/services/banners/UnityBanners.java, line(s) 334 com/unity3d/services/core/api/Cache.java, line(s) 160,174,53,126,179 com/unity3d/services/core/api/DeviceInfo.java, line(s) 209,227,248,391,417,431,484 com/unity3d/services/core/api/Intent.java, line(s) 48,62,206,230,245 
com/unity3d/services/core/api/Request.java, line(s) 33,45,96,108,126,138 com/unity3d/services/core/api/Sdk.java, line(s) 20,35,42,48,54,60 com/unity3d/services/core/broadcast/BroadcastEventReceiver.java, line(s) 36 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 26,28,65,69,79,101,105,111,114,31,58,74 com/unity3d/services/core/cache/CacheThread.java, line(s) 73 com/unity3d/services/core/cache/CacheThreadHandler.java, line(s) 43,46,50,71 com/unity3d/services/core/configuration/Configuration.java, line(s) 106 com/unity3d/services/core/configuration/EnvironmentCheck.java, line(s) 32,45,35,48,51,54,57 com/unity3d/services/core/configuration/InitializationNotificationCenter.java, line(s) 48 com/unity3d/services/core/configuration/InitializeThread.java, line(s) 98,193,208,299,311,335,388,105,108,136,256,285,392,70,202,234 com/unity3d/services/core/connectivity/ConnectivityMonitor.java, line(s) 53,82,91 com/unity3d/services/core/device/AdvertisingId.java, line(s) 128,145,155 com/unity3d/services/core/device/Device.java, line(s) 74,158,258,263,272,281,368,376,385,535,580,593 com/unity3d/services/core/device/Storage.java, line(s) 52,45 com/unity3d/services/core/log/DeviceLog.java, line(s) 64,209,216 com/unity3d/services/core/misc/JsonStorage.java, line(s) 153,26,32,51,72,83,95,162,168 com/unity3d/services/core/misc/Utilities.java, line(s) 35,53 com/unity3d/services/core/misc/ViewUtilities.java, line(s) 26,35 com/unity3d/services/core/preferences/AndroidPreferences.java, line(s) 14,26,38,50,62 com/unity3d/services/core/properties/ClientProperties.java, line(s) 38,69,81,83 com/unity3d/services/core/properties/SdkProperties.java, line(s) 134,136 com/unity3d/services/core/request/WebRequest.java, line(s) 83,179,185,194 com/unity3d/services/core/request/WebRequestRunnable.java, line(s) 91,76,95 com/unity3d/services/core/request/WebRequestThread.java, line(s) 61,121,136 com/unity3d/services/core/sensorinfo/SensorInfoListener.java, line(s) 28 
com/unity3d/services/core/webview/WebView.java, line(s) 109,31,41,57 com/unity3d/services/core/webview/WebViewApp.java, line(s) 63,75,112,184,219,262,309,56,82,85,88,106,133,148,155,160,255,284,322 com/unity3d/services/core/webview/bridge/Invocation.java, line(s) 66 com/unity3d/services/core/webview/bridge/NativeCallback.java, line(s) 41 com/unity3d/services/core/webview/bridge/WebViewBridge.java, line(s) 59 com/unity3d/services/core/webview/bridge/WebViewBridgeInterface.java, line(s) 20,35 com/unity3d/services/core/webview/bridge/WebViewCallback.java, line(s) 50 com/unity3d/services/monetization/UnityMonetization.java, line(s) 37 com/unity3d/services/monetization/core/utilities/JSONUtilities.java, line(s) 22,36,48 com/unity3d/services/monetization/placementcontent/core/PlacementContent.java, line(s) 33,67 com/unity3d/services/purchasing/core/TransactionDetailsUtilities.java, line(s) 38 com/unity3d/services/purchasing/core/TransactionErrorDetailsUtilities.java, line(s) 23 com/unity3d/services/purchasing/core/api/CustomPurchasing.java, line(s) 69 com/unity3d/services/store/StoreBilling.java, line(s) 60,26,29,33,37 com/verizon/ads/Logger.java, line(s) 41,47,53,59,65,71,77,83,89,95 com/vungle/warren/AdLoader.java, line(s) 171,328,362,503,532,551,608,690,104,302,391,402,706,199,538,530 com/vungle/warren/AdvertisementPresentationFactory.java, line(s) 135,167,195 com/vungle/warren/Plugin.java, line(s) 11,15,21 com/vungle/warren/Vungle.java, line(s) 264,370,559,630,703,826,200,214,220,380,425,440,447,455,463,485,492,500,603,871 com/vungle/warren/VungleApiClient.java, line(s) 191,390,344,350,354,371,392,396,406,419 com/vungle/warren/VungleJobRunner.java, line(s) 41 com/vungle/warren/analytics/MoatTracker.java, line(s) 135,145,148,68 com/vungle/warren/analytics/VungleAnalytics.java, line(s) 52,57,35,37 com/vungle/warren/download/APKDirectDownloadManager.java, line(s) 70,118,125,139,208,234,54,106,191,236,270 com/vungle/warren/downloader/AssetDownloader.java, line(s) 
74,121,140,152,213,224,237,240,243,247,254,262,271,279,280,282,288,295,340,367,381,226 com/vungle/warren/persistence/GraphicDesigner.java, line(s) 33,87 com/vungle/warren/persistence/Repository.java, line(s) 76,89,397,421,612,640 com/vungle/warren/tasks/CleanupJob.java, line(s) 39,68,75,77,90,83,55,59 com/vungle/warren/tasks/JobInfo.java, line(s) 26 com/vungle/warren/tasks/SendReportsJob.java, line(s) 35,45,54 com/vungle/warren/tasks/runnable/JobRunnable.java, line(s) 41,49,51,57,43,61,63 com/vungle/warren/ui/JavascriptBridge.java, line(s) 23 com/vungle/warren/ui/VungleActivity.java, line(s) 119,121,201,209,219,159 com/vungle/warren/ui/VungleFlexViewActivity.java, line(s) 16 com/vungle/warren/ui/VungleWebViewActivity.java, line(s) 75,118 com/vungle/warren/ui/presenter/LocalAdPresenter.java, line(s) 287,153,120 com/vungle/warren/ui/presenter/MRAIDAdPresenter.java, line(s) 258,262,266,448 com/vungle/warren/ui/view/BaseAdView.java, line(s) 87,91 com/vungle/warren/ui/view/FullAdWidget.java, line(s) 318 com/vungle/warren/ui/view/LocalAdView.java, line(s) 169,108,95 com/vungle/warren/ui/view/VungleNativeView.java, line(s) 181,187,60,191 com/vungle/warren/ui/view/VungleWebClient.java, line(s) 84,165,109,110,123,124,167 com/vungle/warren/utility/ExternalRouter.java, line(s) 23,31 com/vungle/warren/utility/NetworkProvider.java, line(s) 157,134 com/vungle/warren/utility/UnzipUtility.java, line(s) 119 io/fabric/unity/android/BundleKitDataProvider.java, line(s) 49 io/fabric/unity/android/FabricInitializer.java, line(s) 28,46 io/presage/ads/Ads.java, line(s) 11,13 io/presage/ads/AdsSdkType.java, line(s) 18 io/presage/ao.java, line(s) 14 io/presage/common/PresageSdk.java, line(s) 207,230 io/presage/core/IIIIIIII.java, line(s) 40,276 io/voodoo/ads/sdk/shared/Logger.java, line(s) 54,50,44,39,47 org/fmod/FMODAudioDevice.java, line(s) 66 org/fmod/a.java, line(s) 75
Info The application can write to the application directory. Sensitive information should be encrypted
The application can write to the application directory. Sensitive information should be encrypted. Files: a/a/splashscreen/CacheManager.java, line(s) 53,55,53,55 io/presage/StMarcellin.java, line(s) 49,49 io/voodoo/ads/sdk/service/manager/CreativeAssetsCachePrefs.java, line(s) 28,28 io/voodoo/ads/sdk/service/manager/CreativeCacheManager.java, line(s) 62,62 io/voodoo/ads/sdk/service/manager/LogEventReporter.java, line(s) 194,194 io/voodoo/ads/sdk/service/manager/SettingPrefs.java, line(s) 33,33
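Info This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it
This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/mintegral/msdk/base/utils/a.java, line(s) 4,46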
Secure This application may have root detection capabilities
This application may have root detection capabilities. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/chartboost/sdk/Libraries/CBUtility.java, line(s) 144,152,148,152,152,152,152 com/gameanalytics/sdk/GAPlatform.java, line(s) 93,74,82,78,82,82,82,82,215,298
Secure This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel
This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: a/a/splashscreen/a/a/utils/SSLHttpClient.java, line(s) 44,41,40,40 com/inmobi/media/cg.java, line(s) 67,70 com/vungle/warren/VungleApiClient.java, line(s) 297,328,329,379,380,381,384,476,477,478,479,500,501,502,505,506,508,517,518,519,540,541,542,547,549,200,420 io/voodoo/ads/sdk/a/api/utils/SSLHttpClient.java, line(s) 38,35,34,34 io/voodoo/ads/sdk/data/api/utils/SSLHttpClient.java, line(s) 37,34,33,33
Hotspot The application may communicate with a server (hybird.rayjump.com) located in an OFAC-sanctioned country (China).
{'ip': '58.220.75.19', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '扬州', 'latitude': '32.397221', 'longitude': '119.435600'}
Hotspot The application may communicate with a server (analytics.rayjump.com) located in an OFAC-sanctioned country (China).
{'ip': '182.92.120.219', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Hotspot The application may communicate with a server (config.unityads.unitychina.cn) located in an OFAC-sanctioned country (China).
{'ip': '117.21.189.59', 'country_short': 'CN', 'country_long': '中国', 'region': '江西', 'city': '九江', 'latitude': '29.733330', 'longitude': '115.983330'}
Hotspot The application may communicate with a server (setting.rayjump.com) located in an OFAC-sanctioned country (China).
{'ip': '112.126.23.181', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}