Mobile Application Security Scan Report

KVB Upay v1.1.41

Security baseline score: 57/100
Overall risk level: Medium risk
The application carries measurable security risk; remediation of the findings below is recommended.
Findings by severity
High-severity vulnerabilities: 2
Medium-severity vulnerabilities: 10
Informational findings: 2
Passed checks: 3
Hotspots requiring focused review: 0

Privacy assessment
Third-party trackers: 0 (none detected during static analysis)
[High] CBC cipher mode with PKCS5/PKCS7 padding
The application uses the CBC encryption mode with PKCS5/PKCS7 padding and no authentication tag (MAC) over the ciphertext. This configuration is vulnerable to padding oracle attacks: an attacker who can submit modified ciphertexts and distinguish a padding failure from any other outcome (a different error message, status code or response time) can decrypt the data block by block without knowing the key. Check whether the decrypting code path is reachable with attacker-supplied ciphertext, and whether its error handling leaks the padding result.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: org/npci/upi/security/pinactivitycomponent/e.java, line(s) 16,44,69,77; r/ao0.java, line(s) 9; r/fj0.java, line(s) 193,239,305,338; r/pj0.java, line(s) 56; r/rn0.java, line(s) 157,206; r/t3.java, line(s) 1814; r/wn0.java, line(s) 84,95,123,138
Note: the org/npci/upi/security/pinactivitycomponent hits are in what appears to be the NPCI UPI PIN-entry component rather than the app's own code; the r/* hits are in obfuscated classes and should be mapped back to their call sites.
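The following is an added example, not code from the app or from the scanner: it models the flagged pattern (AES/CBC/PKCS5Padding with nothing but a padding-valid/invalid signal exposed to the caller), runs the padding oracle attack against it to recover a plaintext block without the key, and shows the AES/GCM replacement. The key, IV and sample plaintext are constructed for the demo; the oracle is a local method standing in for whatever error channel the real app exposes.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PaddingOracleDemo {
    // Constructed demo key. The attacker code below never reads it; it only drives the oracle.
    static final byte[] KEY = new byte[16];

    // The flagged pattern: AES/CBC/PKCS5Padding with no MAC, where the caller can tell a
    // padding failure apart from success (here a boolean; in an app it is often a distinct
    // error message, HTTP status or timing difference).
    static boolean paddingIsValid(byte[] iv, byte[] ct) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
            c.doFinal(ct);
            return true;
        } catch (BadPaddingException e) {
            return false;                      // this single bit is the oracle
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    // Recovers one plaintext block with at most 256 oracle queries per byte, using only the
    // ciphertext block and the block (or IV) that precedes it. No key material is needed.
    static byte[] decryptBlock(byte[] prev, byte[] target) {
        byte[] inter = new byte[16];          // D_K(target), learned byte by byte
        byte[] forged = new byte[16];         // attacker-controlled "previous block"
        for (int pos = 15; pos >= 0; pos--) {
            int pad = 16 - pos;
            for (int i = pos + 1; i < 16; i++) forged[i] = (byte) (inter[i] ^ pad);
            boolean found = false;
            for (int g = 0; g < 256 && !found; g++) {
                forged[pos] = (byte) g;
                if (!paddingIsValid(forged, target)) continue;
                if (pos == 15) {              // rule out a valid-by-accident 0x02 0x02 ending
                    forged[14] ^= 1;
                    boolean stillValid = paddingIsValid(forged, target);
                    forged[14] ^= 1;
                    if (!stillValid) continue;
                }
                inter[pos] = (byte) (g ^ pad);
                found = true;
            }
            if (!found) throw new IllegalStateException("oracle gave no answer at byte " + pos);
        }
        byte[] pt = new byte[16];
        for (int i = 0; i < 16; i++) pt[i] = (byte) (inter[i] ^ prev[i]);
        return pt;
    }

    // Hardened form: authenticated encryption. A modified ciphertext fails the tag check and
    // nothing about the plaintext leaks, so there is no padding to probe. Output = nonce || ct+tag.
    static byte[] sealGcm(byte[] key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);   // never reuse a nonce under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] body = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, 12 + body.length);
        System.arraycopy(body, 0, out, 12, body.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        // Constructed sample: 15 bytes, so one block with a single 0x01 pad byte.
        byte[] ct = enc.doFinal("txn=4821;amt=10".getBytes(StandardCharsets.UTF_8));

        // The attacker holds only iv and ct and asks the oracle; KEY is never touched here.
        byte[] recovered = decryptBlock(iv, Arrays.copyOfRange(ct, 0, 16));
        System.out.println(new String(recovered, 0, 15, StandardCharsets.UTF_8));   // txn=4821;amt=10

        byte[] sealed = sealGcm(KEY, "txn=4821;amt=10".getBytes(StandardCharsets.UTF_8));
        System.out.println("GCM output length (12-byte nonce + 15 + 16-byte tag): " + sealed.length);
    }
}
```

For multi-block messages the same decryptBlock call is repeated with each ciphertext block and its predecessor; the attack never needs the key. When migrating to GCM, also replace any code that derives the IV from a constant, since a repeated nonce under GCM is worse than a repeated IV under CBC.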
[High] Insecure SSL/TLS implementation
A custom trust manager that trusts all certificates, or that accepts self-signed certificates, disables the server authentication that TLS depends on. An on-path attacker can present any certificate and read or modify the application's traffic (MITM). Check the same class for a permissive HostnameVerifier as well, since hostname verification is a separate step from chain validation.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis
Files: r/fj0.java, line(s) 521,47,48,49,50
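An added example (not code from the app or the scanner) contrasting the flagged pattern with a trust manager that keeps platform chain validation and additionally pins the server's public key. The RSA key pair generated in main stands in for the real server key; the SPKI pin format (base64 of SHA-256 over the DER SubjectPublicKeyInfo) is the one Android's network_security_config and HPKP use, so the printed value can be pasted into a <pin digest="SHA-256"> element.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedTrust {
    // The pattern the scan flags: empty check methods, so any chain (including one minted
    // by an on-path attacker, or a self-signed leaf) is accepted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)). Pin the key, not the whole
    // certificate, so a routine certificate renewal with the same key does not break the app.
    static String spkiPin(PublicKey key) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    // Hardened replacement: delegate to the platform trust store first (CA validation,
    // expiry, name constraints), then require the leaf key to be in the pin set.
    static X509TrustManager pinned(Set<String> pins) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                   // platform default trust store
        final X509TrustManager platform = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkServerTrusted(chain, authType);       // never skip this step
                try {
                    if (!pins.contains(spkiPin(chain[0].getPublicKey()))) {
                        throw new CertificateException("leaf SPKI does not match any configured pin");
                    }
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // stand-in for the server key
        String pin = spkiPin(kp.getPublic());
        System.out.println("SPKI pin: " + pin);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{pinned(Set.of(pin))}, new SecureRandom());
        // Hand ctx.getSocketFactory() to HttpsURLConnection / the HTTP client; never TRUST_ALL.
        System.out.println("pinned SSLContext ready: " + ctx.getProtocol());
    }
}
```

Ship at least one backup pin (the key of a pre-generated standby certificate) so a key rotation does not brick the app, and keep the default HostnameVerifier; a pinned chain with a disabled hostname check still allows any holder of a pinned key to impersonate the host.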
[Medium] Activity (com.mycompany.kvb.UI.Li1203A2019) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any installed application can launch it with an explicit Intent. If it is not a launcher, share or deep-link entry point, set android:exported="false"; if it must stay exported, treat every extra on the incoming Intent as untrusted and do not perform any account action before the user has authenticated in the current session.
[Medium] Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can access it. This is the standard FCM receiver declaration, and the permission is declared by Google Play services rather than by the app; confirm its protection level on a test device rather than assuming it.
[Medium] Service (com.google.firebase.iid.FirebaseInstanceIdService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any installed application can bind to or start it. This component comes from the legacy Firebase Instance ID library (deprecated; newer Firebase Messaging releases no longer ship it), so the remediation is a dependency upgrade rather than an app code change.
[Medium] Files may contain hard-coded sensitive information such as usernames, passwords or keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: org/jsoup/helper/W3CDom.java, line(s) 27; org/jsoup/nodes/Comment.java, line(s) 6; org/jsoup/nodes/DataNode.java, line(s) 6; org/jsoup/nodes/TextNode.java, line(s) 9; org/npci/upi/security/pinactivitycomponent/CLConstants.java, line(s) 210,139
Note: this rule matches on identifier names, so the four org/jsoup hits (an HTML parser's node classes) are likely false positives and should be confirmed by reading the lines; the two CLConstants hits in the NPCI PIN component are the ones to review first.
[Medium] The application reads/writes external storage; any application can read data written there
Files on external storage are outside the app sandbox: on devices without scoped storage any app holding the storage permission can read and modify them, and they survive uninstall. Check what each listed call writes; for example, GenerateQRcodeActivity (lines 260,288) is a candidate for writing a payment QR image containing the user's identifier to shared storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/mycompany/kvb/UI/A12D03A2019.java, line(s) 94,125; com/mycompany/kvb/fileobserver/AppClass.java, line(s) 121; com/mycompany/kvb/mandates/M0510ActhkD2017A.java, line(s) 136,587,606; com/mycompany/kvb/mandates/M0510Ckh2154S.java, line(s) 92,113,133; com/mycompany/kvb/qrcode/GenerateQRcodeActivity.java, line(s) 260,288; r/ji0.java, line(s) 36; r/t3.java, line(s) 2407
[Medium] The application uses an insecure random number generator
java.util.Random is a small linear congruential generator whose internal state can be reconstructed from a couple of outputs; it must not be used for OTPs, nonces, session or transaction identifiers, IVs or keys. Use java.security.SecureRandom for anything an attacker must not be able to predict. The org/jsoup hit is library code (likely used for a multipart boundary) and is lower priority than the two r/* hits, which should be traced to their callers.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: org/jsoup/helper/DataUtil.java, line(s) 13; r/kt0.java, line(s) 3; r/lt0.java, line(s) 3
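An added example, not code from the app or the scanner, showing concretely why java.util.Random is unsuitable for security values: from two consecutive nextInt() outputs an observer recovers the generator state by brute-forcing 16 bits and then predicts every later value. The Random instance and the "observed" values are constructed inside main; the constants are java.util.Random's published LCG parameters.

```java
import java.security.SecureRandom;
import java.util.Random;

public class WeakRandomDemo {
    // java.util.Random is a 48-bit linear congruential generator; nextInt() returns the top
    // 32 bits of the state. After one output only 16 bits of state are unknown.
    static final long MULT = 0x5DEECE66DL;
    static final long ADD = 0xBL;
    static final long MASK = (1L << 48) - 1;

    // Given two consecutive nextInt() outputs, returns the third. The first candidate that
    // reproduces 'second' is taken; a spurious match has roughly a 1 in 65536 chance, so a
    // real attacker would confirm with a third observed value.
    static int predictNext(int first, int second) {
        long upper = (first & 0xFFFFFFFFL) << 16;          // known 32 bits of the state
        for (long low = 0; low < (1 << 16); low++) {       // brute-force the hidden 16 bits
            long state = upper | low;                      // candidate state after 'first'
            long next = (state * MULT + ADD) & MASK;
            if ((int) (next >>> 16) == second) {
                long after = (next * MULT + ADD) & MASK;
                return (int) (after >>> 16);
            }
        }
        throw new IllegalStateException("no state reproduces the observed pair");
    }

    // The insecure pattern: a "transaction nonce" drawn from java.util.Random. Two leaked
    // nonces let anyone compute the next one.
    static int weakNonce(Random r) { return r.nextInt(); }

    // Hardened replacement: SecureRandom draws from the OS CSPRNG; outputs reveal nothing
    // about future outputs.
    static byte[] secureNonce(int length) {
        byte[] nonce = new byte[length];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    public static void main(String[] args) {
        Random r = new Random();                  // time-seeded; the seed is irrelevant to the attack
        int seen1 = weakNonce(r), seen2 = weakNonce(r);   // two values an observer captured
        int predicted = predictNext(seen1, seen2);
        int actual = weakNonce(r);
        System.out.println("predicted " + predicted + ", actual " + actual
                + (predicted == actual ? " (state recovered)" : " (spurious candidate, retry)"));
        System.out.println("secure nonce bytes: " + secureNonce(16).length);
    }
}
```

Bounded calls such as nextInt(1000000) for a 6-digit OTP do not change the picture: each call still advances the same 48-bit state, so an observer who can see a few raw outputs elsewhere, or who can try the 2^48 seeds offline against a handful of OTPs, recovers the sequence.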
[Medium] SHA-1 is a weak hash with known collision attacks
SHA-1 must not be used where collision resistance matters (signatures, certificate fingerprints, integrity checks over attacker-influenced data). Check how the single hit is used: as a raw hash of data an attacker can shape it should move to SHA-256; as an HMAC key-derivation input the practical risk is lower, but it should still be migrated.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: r/rn0.java, line(s) 219
[Medium] The application may request root (superuser) privileges
The rule fires on references to su binaries and similar paths. Root-detection code matches it just as well as code that actually invokes su, and the referenced MSTG section is about root detection, so confirm which case r/on0.java is: a check that only reads the filesystem is expected behaviour for a payment app, whereas an actual Runtime.exec of su would be a real finding.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: r/on0.java, line 4 (six matches on the same line)
[Medium] The application creates temporary files; sensitive information must never be written to a temporary file
Temporary files are easy to forget: they are not deleted on a crash, are not cleared by the app's own logout or wipe logic, and are not covered by whatever encryption the app applies to its regular data. Check what the listed call writes and whether the file is deleted on every exit path.
Files: com/mycompany/kvb/My14A03A2019.java, line(s) 176
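An added example covering both the external-storage and the temporary-file findings above; it is not code from the app. It shows the two flagged patterns next to app-private alternatives: files written through Context.openFileOutput with MODE_PRIVATE, and a scratch file that is created in the app cache directory and removed on every exit path. The file names and payloads are placeholders, and the Context is whatever Activity or Application the caller has.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.function.Function;

public class StorageExamples {
    // Flagged pattern 1: external storage. Outside the sandbox, readable by other apps on
    // devices without scoped storage, and left behind after uninstall.
    static void writeExternalInsecure(byte[] data, String name) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), name);
        try (FileOutputStream out = new FileOutputStream(f)) { out.write(data); }
    }

    // Flagged pattern 2: a temp file that is written and then simply returned. Nothing
    // guarantees deletion, and the plaintext payload sits on disk until it is overwritten.
    static File tempInsecure(byte[] data) throws IOException {
        File f = File.createTempFile("txn", ".tmp");
        try (FileOutputStream out = new FileOutputStream(f)) { out.write(data); }
        return f;
    }

    // Hardened: app-private internal storage. MODE_PRIVATE files are readable only by this
    // app's uid (and root) and are removed with the app on uninstall. Data that must survive
    // a rooted device as well should additionally be encrypted with a Keystore-backed key.
    static void writeInternalPrivate(Context ctx, byte[] data, String name) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) { out.write(data); }
    }

    // Hardened scratch file: explicitly in the app cache dir, only ever holding data that is
    // acceptable to lose or leak, handed to the caller for the duration of one operation and
    // deleted in finally so crashes and exceptions do not leave it behind.
    static <T> T withScratchFile(Context ctx, byte[] data, Function<File, T> work) throws IOException {
        File f = File.createTempFile("scratch", ".tmp", ctx.getCacheDir());
        try (FileOutputStream out = new FileOutputStream(f)) { out.write(data); }
        try {
            return work.apply(f);
        } finally {
            if (!f.delete()) f.deleteOnExit();
        }
    }

    // Typical use from an Activity: the QR bitmap bytes live only as long as the share call.
    static long shareQr(Context ctx, byte[] pngBytes) throws IOException {
        return withScratchFile(ctx, pngBytes, File::length);   // stand-in for the share intent
    }
}
```

If a file genuinely has to be shared with another app (for example a generated QR image handed to a share sheet), expose it through a FileProvider with a temporary URI grant instead of writing it to external storage, so the grant expires with the share action.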
[Medium] The application may contain hard-coded secrets
The following values were identified in the application; confirm that none of them is a private credential: "google_crash_reporting_api_key" : "AIzaSyC4s3qAAZDMrczJFGveERRMdSzgs4P1ppo" "google_app_id" : "1:1093654337666:android:8c4b503146bcf9bf" "google_api_key" : "AIzaSyC4s3qAAZDMrczJFGveERRMdSzgs4P1ppo" "firebase_database_url" : "https://kvb-upay.firebaseio.com"
Note: a Firebase API key and app id are client identifiers that ship in every Firebase app and are not secrets on their own. What matters is the configuration behind them: verify in the Google Cloud console that the key is restricted to this package and signing certificate and to the APIs the app needs, and verify that the Firebase database's security rules deny unauthenticated reads and writes (an open database answers unauthenticated requests to its /.json endpoint). Static analysis cannot check either.
[Info] The application writes log messages; sensitive information must not be logged
Logcat output is readable by other apps on older Android releases and by anyone with a USB debugging session, and it ends up in bug reports. Review the listed calls for PINs, OTPs, card numbers, VPAs, tokens and full request/response bodies. Prioritise the com/mycompany/kvb hits in the payment and QR flows (QuickreqpayFragment, pa07032019, ScanQrCodeActivity, ResponseMsg) and the NPCI CLServices hits; the de/greenrobot/event and org/jsoup/examples hits are bundled library code (the jsoup example classes should not be in a release build at all).
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files (as reported by the scanner): com/mycompany/kvb/B08V03A2019.java, line(s) 166,218 com/mycompany/kvb/HomeFragment.java, line(s) 450,465 com/mycompany/kvb/L07g03a2019.java, line(s) 232,234,303,330,344,429,610,621,676,687,692,699,703,715,903,908,979 com/mycompany/kvb/M07A03c2019.java, line(s) 154,344 com/mycompany/kvb/M08R03A2019.java, line(s) 364 com/mycompany/kvb/Numeric_Activity.java, line(s) 42 com/mycompany/kvb/Q07u03A2019.java, line(s) 140 com/mycompany/kvb/R11M03A2019.java, line(s) 465 com/mycompany/kvb/ResponseMsg.java, line(s) 99,157,162,184,203,234 com/mycompany/kvb/SplashActivity.java, line(s) 120 com/mycompany/kvb/UI/QuickreqpayFragment.java, line(s) 262,282,284,313,319,463,497,676 com/mycompany/kvb/UI/QuickreqpayListFragment.java, line(s) 549 com/mycompany/kvb/UI/S11M03A2019.java, line(s) 902 com/mycompany/kvb/common/I08S03A2019.java, line(s) 126 com/mycompany/kvb/info/FragementUseAppLinks.java, line(s) 62,64,75,189,191,193,195,197,199,201,203,205,207,209 com/mycompany/kvb/info/SecurityAlertFragment.java, line(s) 112,189 com/mycompany/kvb/new_aadh/SecondFragment.java, line(s) 133 com/mycompany/kvb/pa07032019.java, line(s) 135,141,144,194,197,199,201,205,219,241,382,532,538,550,554,576,582,583,589,601,617,665,709,730,783,805,923 com/mycompany/kvb/qrcode/GenerateQRcodeActivity.java, line(s) 411 com/mycompany/kvb/qrcode/ScanQrCodeActivity.java, line(s) 98,129,131,133,192,194 de/greenrobot/event/BackgroundPoster.java, line(s) 40 de/greenrobot/event/EventBus.java, line(s) 208,149,162,169,481 de/greenrobot/event/SubscriberMethodFinder.java, line(s) 83 de/greenrobot/event/util/AsyncExecutor.java, line(s) 98 de/greenrobot/event/util/ErrorDialogConfig.java, line(s) 43 de/greenrobot/event/util/ErrorDialogManager.java, line(s) 174 de/greenrobot/event/util/ExceptionToResourceMapping.java, line(s) 31 org/jsoup/examples/HtmlToPlainText.java, line(s) 113,118
org/jsoup/examples/ListLinks.java, line(s) 44 org/npci/upi/security/pinactivitycomponent/c.java, line(s) 45,51,54 org/npci/upi/security/pinactivitycomponent/h.java, line(s) 16 org/npci/upi/security/services/CLServices.java, line(s) 30,37,58,67,69,81,90,100,102,62,75,85,94,108 r/a0.java, line(s) 146 r/a50.java, line(s) 98,133,230,135,139 r/a70.java, line(s) 34,61 r/a80.java, line(s) 91,118,149,154,176,236,90,113,148,153,171,235,31,47,136,185 r/ah.java, line(s) 51,153 r/aq.java, line(s) 48 r/at.java, line(s) 37 r/az.java, line(s) 32 r/b70.java, line(s) 39,33,37,97 r/bj.java, line(s) 20,31 r/c0.java, line(s) 31 r/c70.java, line(s) 24 r/ch0.java, line(s) 41,43 r/co0.java, line(s) 59 r/d2.java, line(s) 329,157,162,169,234,312 r/d70.java, line(s) 48,98,114,44,60,47,97 r/dl.java, line(s) 49 r/dv.java, line(s) 16 r/ei.java, line(s) 17 r/ek.java, line(s) 2271,2272,2283,2162,2209 r/eo.java, line(s) 65,98,122 r/ev.java, line(s) 297,523,547,195,313,450,454,459,467 r/ey.java, line(s) 21 r/f2.java, line(s) 108 r/fj0.java, line(s) 539,556,574 r/fm.java, line(s) 182,187,194,198,214,224 r/fo.java, line(s) 22 r/fr.java, line(s) 51,188 r/ft.java, line(s) 25 r/fx.java, line(s) 14 r/g2.java, line(s) 338,42,57,82,229 r/g30.java, line(s) 184 r/g60.java, line(s) 40,35 r/g70.java, line(s) 55,54 r/gj.java, line(s) 604,624,33,43,54,63,614 r/gj0.java, line(s) 26,29,31,33 r/go.java, line(s) 23,46 r/gp.java, line(s) 65 r/gx.java, line(s) 65 r/h60.java, line(s) 74,123,72,95,119,148,163,181,210,96,149,164,182,211,64,131 r/h80.java, line(s) 175,182,93,123,141,158 r/hj0.java, line(s) 30 r/hv.java, line(s) 91,94,123,126,129,146,155 r/i70.java, line(s) 36 r/ii.java, line(s) 27 r/ij0.java, line(s) 25,28,30,32,34 r/iu.java, line(s) 31,94,64,66 r/iv.java, line(s) 15 r/j70.java, line(s) 17,16 r/jf.java, line(s) 757,129,672 r/jk.java, line(s) 40 r/jr.java, line(s) 23 r/k2.java, line(s) 85,174,156,222,236 r/k7.java, line(s) 17 r/k70.java, line(s) 19,26,18,25 r/kh0.java, line(s) 34 r/kj0.java, line(s) 26,29,31,33,35 r/kn0.java, line(s) 152,172,245,247,283 r/l2.java, line(s) 42 r/lf.java, line(s) 180,183,185,191,194 r/lh0.java, line(s) 30 r/ls.java, line(s) 125,126,286,291,296,305 r/lv.java, line(s) 124,144,160,172 r/lw.java, line(s) 128 r/m60.java, line(s) 51,46 r/m70.java, line(s) 37,41,49,74,82,101,124,58,67,113,36,40,44,73,81,96,119 r/mf.java, line(s) 175,198,212 r/mh0.java, line(s) 24 r/n.java, line(s) 166 r/nf.java, line(s) 98 r/nh.java, line(s) 18 r/nh0.java, line(s) 152 r/o0.java, line(s) 120,154,166,176,333 r/o60.java, line(s) 22 r/of.java, line(s) 717,1348,766,1272 r/oh0.java, line(s) 32 r/or.java, line(s) 199,206 r/ph0.java, line(s) 24 r/pi.java, line(s) 36,59,81,127,184,213,231 r/q60.java, line(s) 24,50,21,47 r/q70.java, line(s) 25 r/qh0.java, line(s) 31 r/qn0.java, line(s) 19,20,7,24 r/qv.java, line(s) 23 r/qw.java, line(s) 26 r/r.java, line(s) 372 r/r60.java, line(s) 59,78,95 r/ri0.java, line(s) 41 r/ro.java, line(s) 810 r/ru.java, line(s) 90,206 r/s1.java, line(s) 68,98,113,132 r/s2.java, line(s) 87,201 r/sa.java, line(s) 736 r/sp.java, line(s) 92,96,10,101 r/t3.java, line(s) 2819,1771,2111,2294,2390,2729,2740,2744,2817,2807,2814,2827 r/tg.java, line(s) 21,29 r/tm.java, line(s) 24 r/ts.java, line(s) 30 r/u00.java, line(s) 66,80,84,99 r/u20.java, line(s) 35 r/v1.java, line(s) 79,93,229,258 r/v2.java, line(s) 22,32,50,52,55 r/vn0.java, line(s) 38,43,19,29 r/w60.java, line(s) 35,44,30,39 r/wg.java, line(s) 45,50 r/wj.java, line(s) 329 r/wn0.java, line(s) 41,44 r/x1.java, line(s) 144 r/x60.java, line(s) 106,119,141,183,104,118,140,178,64,163,167 r/xf.java, line(s) 27 r/xg.java, line(s) 50 r/xj.java, line(s) 36,66,79,425 r/xr.java, line(s) 231,344 r/y60.java, line(s) 55,54 r/y70.java, line(s) 36 r/yf0.java, line(s) 81 r/yg.java, line(s) 43 r/ym0.java, line(s) 50 r/yt.java, line(s) 37,52 r/yu.java, line(s) 65 r/zd.java, line(s) 132 r/zg.java, line(s) 39
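An added example, not code from the app, of the usual two-layer fix for the logging finding: a logging wrapper that is compiled out of release builds and that redacts the data classes a payment app handles (card numbers, VPAs, PIN/OTP/token key-value pairs) before anything reaches logcat. BuildConfig.DEBUG is assumed to be the app module's generated flag; the regexes and the sample message are constructed for the example and should be extended to match the app's actual formats.

```java
import android.util.Log;
import java.util.regex.Pattern;

public final class SafeLog {
    // Assumed: the app module's generated BuildConfig. In release builds every call below is a
    // no-op; pair this with an R8/ProGuard -assumenosideeffects rule for android.util.Log so
    // the string concatenation feeding the call is removed as well.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    // 13-19 digit card numbers: keep BIN (6) and last 4, mask the middle.
    private static final Pattern PAN = Pattern.compile("\\b(\\d{6})\\d{3,9}(\\d{4})\\b");
    // UPI VPAs such as name@bank: keep two characters of the handle and the PSP suffix.
    private static final Pattern VPA = Pattern.compile("\\b([A-Za-z0-9._-]{2})[A-Za-z0-9._-]*@([A-Za-z0-9.-]+)\\b");
    // key=value pairs that must never be logged, case-insensitive.
    private static final Pattern KV = Pattern.compile("(?i)(mpin|pin|otp|password|token)=([^&\\s]+)");

    private SafeLog() {}

    // Pure function so it can be unit-tested on the JVM without Android.
    static String redact(String msg) {
        String s = PAN.matcher(msg).replaceAll("$1******$2");
        s = VPA.matcher(s).replaceAll("$1***@$2");
        return KV.matcher(s).replaceAll("$1=[REDACTED]");
    }

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, redact(msg));
    }

    public static void e(String tag, String msg, Throwable t) {
        // Exception messages from HTTP clients often embed the request; redact them too.
        if (ENABLED) Log.e(tag, redact(msg) + ": " + redact(String.valueOf(t.getMessage())));
    }

    // Constructed sample: with redact() this becomes
    // "pay to ra***@upi from 411111******1111 otp=[REDACTED] token=[REDACTED]"
    static final String SAMPLE =
            "pay to rahul.k@upi from 4111111111111111 otp=482193 token=eyJhbGciOi";
}
```

Redaction is the safety net, not the policy: the fix for the listed call sites is to stop logging request and response bodies from the payment flow altogether, since a redaction regex only catches the formats it was written for.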
[Info] The application communicates with a Firebase database
The application communicates with the Firebase database at https://kvb-upay.firebaseio.com. Whether the data there is exposed depends entirely on the database's security rules, which static analysis cannot see; confirm that unauthenticated reads and writes are denied.
[Passed] The application uses SSL pinning to detect or prevent MITM attacks on the secure channel
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: org/jsoup/helper/HttpConnection.java, line(s) 581,493
Note: both hits are in the bundled jsoup HTML library's HTTP client, not in the app's own networking code, and the high-severity finding above shows a trust-all SSL implementation in r/fj0.java. This "passed" result is therefore not evidence that the app's payment traffic is pinned; treat pinning as unverified until the app's own HTTP client configuration has been reviewed.
[Passed] Firebase Remote Config is disabled
The Firebase Remote Config endpoint ( https://firebaseremoteconfig.googleapis.com/v1/projects/1093654337666/namespaces/firebase:fetch?key=AIzaSyC4s3qAAZDMrczJFGveERRMdSzgs4P1ppo ) returned no template, so no remotely served configuration can reach the app. Response: { "state": "NO_TEMPLATE" }
[Passed] The application contains no privacy trackers
No user or device tracking library was found in the application during static analysis.
Overall security baseline summary

KVB Upay v1.1.41
Android APK
Overall security score: 57/100
Overall risk level: Medium risk