Mobile Application Security Test Report

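凤凰潮 v2.2.3
Security score (security baseline): 46/100
Overall risk level: Medium risk
Risk grade scale:
- A
- B
- C
- F
The application has some security risks; optimization is recommended.
Distribution of vulnerabilities and security items:
- High-severity vulnerabilities: 7
- Medium-severity vulnerabilities: 44
- Security info items: 2
- Passed security checks: 2
- Key security concerns: 13
Privacy risk assessment: 2 third-party trackers. Medium privacy risk; a small number of third-party trackers were detected.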
High-severity vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification Files: com/dcloudym/views/InnerWebView.java, line(s) 209,53 com/dcloudym/views/X5WebView.java, line(s) 205,55
High-severity vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/dcloudym/views/CommonWebView.java, line(s) 2344,2349,18 com/fl/saas/common/widget/h5/YdH5Activity.java, line(s) 205,12 com/octopus/ad/internal/nativead/c.java, line(s) 462,14,15 com/octopus/ad/internal/view/AdWebView.java, line(s) 377,26,27
High-severity vulnerability: The application uses ECB mode in its encryption algorithm. ECB mode is known to be weak because it produces the same ciphertext for identical plaintext blocks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode Files: com/dcloudym/utils/i.java, line(s) 194
High-severity vulnerability: The application uses CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/zx/a/I8b7/f1.java, line(s) 114 com/zx/a/I8b7/t.java, line(s) 19
High-severity vulnerability: Remote WebView debugging is enabled.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/fl/saas/common/widget/h5/YdH5Activity.java, line(s) 189,12
High-severity vulnerability: The file is World Readable. Any application can read the file.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/octopus/ad/internal/utilities/SPUtils.java, line(s) 149
High-severity vulnerability: A debug configuration is enabled. Production builds must not be debuggable.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/mt/uniplugin_mt_device_info/BuildConfig.java, line(s) 3,5
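Medium-severity vulnerability: The application has cleartext network traffic enabled.
[android:usesCleartextTraffic=true] The application allows cleartext network traffic (for example HTTP, FTP, DownloadManager, MediaPlayer). It is enabled by default for API level 27 and below and disabled by default for API level 28 and above. Cleartext traffic lacks confidentiality, integrity and authenticity protection, so an attacker can eavesdrop on or tamper with the transmitted data. Disable cleartext traffic and use only encrypted protocols.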
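Medium-severity vulnerability: Service (com.kwad.sdk.api.proxy.VideoWallpaperService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_WALLPAPER [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.igexin.sdk.PushActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (uni.UNI45BB54E.wxapi.WXEntryActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (uni.UNI45BB54E.wxapi.WXPayEntryActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Broadcast Receiver (com.fl.saas.s2s.sdk.helper.download.DownloadActionReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Broadcast Receiver (com.dcloudym.activityComm.AppInstallReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.dcloudym.activityComm.SchemeActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.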
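Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPEntry0) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPEntry1) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPEntry2) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPEntry3) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPEntry4) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPNoRecentsEntry0) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPNoRecentsEntry1) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPNoRecentsEntry2) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPNoRecentsEntry3) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPNoRecentsEntry4) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPActivity0) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPActivity1) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPActivity2) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPActivity3) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-severity vulnerability: Activity sets the TaskAffinity attribute.
(io.dcloud.feature.sdk.multi.DCUniMPActivity4) With taskAffinity set, other applications can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).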
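Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.alipay.sdk.app.PayResultActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.alipay.sdk.app.AlipayResultActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Service (com.igexin.sdk.GTIntentService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Service (com.igexin.sdk.GService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.igexin.sdk.GetuiActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.huawei.openalliance.ad.activity.PPSLauncherActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: Content Provider (com.huawei.openalliance.ad.provider.PPSECProvider) is not protected.
[android:exported=true] The Content Provider is exported and not protected by any permission, so any application can access it.
Medium-severity vulnerability: High-priority Intent (1000) - {1} hit(s)
[android:priority] By setting a high Intent priority, an application can override other requests, which may lead to security risks.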
Medium-severity vulnerability: IP address disclosure.
Files: aegon/chrome/base/PiiElider.java, line(s) 20 aegon/chrome/net/AndroidNetworkLibrary.java, line(s) 66,65,70,62,61,69 aegon/chrome/net/X509Util.java, line(s) 43,42,45 com/fl/saas/config/utils/DeviceUtil.java, line(s) 535,552,555 com/fl/saas/videocache/HttpProxyCacheServer.java, line(s) 30 com/kwai/video/hodor/BuildConfig.java, line(s) 16 com/kwai/video/player/BuildConfig.java, line(s) 13 com/octopus/ad/Octopus.java, line(s) 89 com/octopus/ad/internal/a/h.java, line(s) 37,41,47,99 com/octopus/ad/internal/a/p.java, line(s) 5,9 com/octopus/ad/internal/m.java, line(s) 134 com/octopus/ad/internal/utilities/StringUtil.java, line(s) 100,101 com/octopus/ad/internal/utilities/UserEnvInfoUtil.java, line(s) 40 com/octopus/ad/utils/b/d.java, line(s) 66 uts/sdk/modules/DCloudUniGetDeviceInfo/EmulatorCheckUtil.java, line(s) 238
Medium-severity vulnerability: The application can read/write external storage. Any application can read data written to external storage.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: aegon/chrome/base/PathUtils.java, line(s) 135,188 com/czhj/devicehelper/cnoaid/a.java, line(s) 345,346 com/dcloudym/c/b.java, line(s) 378,392,422,462,558 com/dmcbig/mediapicker/utils/FileUtils.java, line(s) 23,24,26,52,106 com/fl/saas/config/oaid/DeviceID.java, line(s) 91,92 com/fl/saas/videocache/StorageUtils.java, line(s) 17,34 com/kwai/video/hodor/util/FileUtils.java, line(s) 48,59 com/nostra13/dcloudimageloader/utils/StorageUtils.java, line(s) 20,39,39,44 com/octopus/ad/internal/a/t.java, line(s) 16,33 com/octopus/ad/utils/a/a.java, line(s) 251,252 com/octopus/ad/utils/b/d.java, line(s) 129 com/octopus/ad/utils/b/e.java, line(s) 83,28,31,83,91 com/octopus/ad/utils/b/k.java, line(s) 13,13 com/octopus/ad/utils/b/n.java, line(s) 122,125 uts/sdk/modules/DCloudUniNetwork/SimpleDownloadCallback.java, line(s) 85 uts/sdk/modules/DCloudUniNetwork/UploadController.java, line(s) 322
Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/dcloudym/c/a.java, line(s) 6,85,86,116 com/fl/saas/videocache/sourcestorage/DatabaseSourceInfoStorage.java, line(s) 6,7,71 com/octopus/ad/internal/a/b/a.java, line(s) 6,7,23 com/zx/a/I8b7/a.java, line(s) 4,5,22 com/zx/a/I8b7/u3.java, line(s) 5,73,79
Medium-severity vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/dcloudym/views/InnerWebView.java, line(s) 306,302 com/dcloudym/views/X5WebView.java, line(s) 324,320
Medium-severity vulnerability: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView can leak sensitive information from the file system.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/dcloudym/views/InnerWebView.java, line(s) 305,302 com/dcloudym/views/X5WebView.java, line(s) 323,320 com/octopus/ad/internal/utilities/WebviewUtil.java, line(s) 29,25 com/octopus/ad/internal/view/AdWebView.java, line(s) 145,158,144
Medium-severity vulnerability: SHA-1 is a weak hash known to have hash collisions.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/czhj/devicehelper/cnoaid/impl/p.java, line(s) 29 com/dcloudym/e/a/g.java, line(s) 49 com/fl/saas/config/oaid/impl/OppoImpl.java, line(s) 62 com/octopus/ad/b/h/g.java, line(s) 61 com/octopus/ad/internal/utilities/HashingFunctions.java, line(s) 19 com/octopus/ad/utils/a/b/n.java, line(s) 68 com/zx/a/I8b7/a1.java, line(s) 443
Medium-severity vulnerability: MD5 is a weak hash known to have hash collisions.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/dcloudym/d/c.java, line(s) 11 com/fl/saas/config/utils/Base64Utils.java, line(s) 127 com/fl/saas/config/utils/MD5Utils.java, line(s) 11,34 com/fl/saas/videocache/ProxyCacheUtils.java, line(s) 46 com/kwai/video/ksvodplayerkit/Utils/VodPlayerUtils.java, line(s) 95 com/octopus/ad/internal/a/q.java, line(s) 57 com/octopus/ad/internal/utilities/HashingFunctions.java, line(s) 9 com/octopus/ad/internal/utilities/StringUtil.java, line(s) 138,157
Medium-severity vulnerability: The application uses an insecure random number generator.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/badlogic/gdx/math/a.java, line(s) 3 com/dcloudym/utils/c.java, line(s) 7 com/fl/saas/base/manager/loader/AdViewManager.java, line(s) 29 com/fl/saas/common/util/RandomUtils.java, line(s) 3 com/fl/saas/config/utils/DeviceUtil.java, line(s) 67 com/fl/saas/util/FLUtils.java, line(s) 9 com/hjq/permissions/PermissionFragment.java, line(s) 14 com/octopus/ad/internal/utilities/DeviceInfo.java, line(s) 12
Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: aegon/chrome/base/EarlyTraceEvent.java, line(s) 13 com/fl/saas/base/custom/MedProConst.java, line(s) 5 com/fl/saas/common/saas/bean/AdSource.java, line(s) 400 com/fl/saas/common/util/CommConstant.java, line(s) 51 com/fl/saas/config/utils/AesUtils.java, line(s) 14 com/hjq/permissions/StartActivityManager.java, line(s) 9 com/octopus/ad/internal/utilities/DeviceInfo.java, line(s) 15 uts/sdk/modules/DCloudUniNetwork/RequestNetworkListener.java, line(s) 76
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/dmcbig/mediapicker/TakePhotoActivity.java, line(s) 22 com/dmcbig/mediapicker/utils/FileUtils.java, line(s) 34
Medium-severity vulnerability: The application contains privacy trackers.
This application contains multiple (2) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-severity vulnerability: This application may contain hardcoded secrets.
The following secrets were identified in the application. Ensure that these are not secrets or private information.
- Getui push service => "PUSH_APPKEY" : "etEgO4tp8YAfPRwXLE2Rx1"
- WeChat sharing => "WX_SECRET" : "ba4db9a859daa16ea09529273c1c301d"
- Zhuoxin ID-SDK => "ZX_APPID_GETUI" : "913e6a50-c3b6-4989-8ac6-1ecb53649be3"
- DCloud "APPID" : "__UNI__45BB54E"
- DCloud "ApplicationId" : "uni.UNI45BB54E"
- Getui push service => "GY_APP_ID" : "nvOkXlIfi57OxMpVjMkNa8"
- DCloud "CHANNEL" : "common"
- Credential information => "UNIAD_KS_APPID" : "ks_535904230"
- Credential information => "UNIAD_GDT_APPID" : "gdt_1205169642"
- DCloud "AD_ID" : "127747120904"
- Getui push service => "PUSH_APPSECRET" : "CdwHq7SMhO7VgOkUThmnJ"
- Credential information => "UNIAD_BD_APPID" : "bd_aa947e61"
- Zhuoxin ID-SDK => "ZX_CHANNEL_ID" : "C01-GEztJH0JLdBC"
- Getui push service => "GETUI_APPID" : "ixYMAA7Qhe9J2Dcvuwruc5"
- Amap (Gaode Maps) => "com.amap.api.v2.apikey" : "dcc6d89b8018e0d77dfe1943097eb933"
- Credential information => "UNIAD_SGM_APPID" : "sgm_25492"
- WeChat sharing => "WX_APPID" : "wxeaeab9866ce07fff"
- Getui push service => "PUSH_APPID" : "ixYMAA7Qhe9J2Dcvuwruc5"
- DCloud "DCLOUD_STREAMAPP_CHANNEL" : "uni.UNI45BB54E|__UNI__45BB54E|127747120904|common"
- "dcloud_feature_oauth_weixin_plugin_description" : "wechat"
- "umcsdk_oauth_version_name" : "v1.4.1"
- "dcloud_permissions_reauthorization" : "reauthorize"
Security info: The application logs information. Sensitive information must not be logged.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a/a/a/a/a/a/a.java, line(s) 24,29,34,40 a/a/a/a/a/a/b.java, line(s) 23,28 a/a/a/a/a/a/c.java, line(s) 21,25,30,35,40,49 a/a/a/a/a/a/d.java, line(s) 21,25,30,35,40,49 a/a/a/a/a/a/e.java, line(s) 24,29,34,40 a/a/a/a/a/a/f.java, line(s) 24,29 a/a/a/a/a/a/g.java, line(s) 24,29,34,39,44,53,58,62 a/a/a/a/a/a/h.java, line(s) 23,27,32,37,42,51 aegon/chrome/base/AnimationFrameTimeHistogram.java, line(s) 102 aegon/chrome/base/ApkAssets.java, line(s) 21,27,34,44 aegon/chrome/base/CommandLine.java, line(s) 103 aegon/chrome/base/ContentUriUtils.java, line(s) 103,105,107,172 aegon/chrome/base/EventLog.java, line(s) 8 aegon/chrome/base/FileUtils.java, line(s) 34,118,97,137,145,158,166 aegon/chrome/base/Log.java, line(s) 83,85,145,147,34,125,127,41,43,135,137,155,157 aegon/chrome/base/PathUtils.java, line(s) 74 aegon/chrome/base/TraceEvent.java, line(s) 120,128 aegon/chrome/base/task/AsyncTask.java, line(s) 202 aegon/chrome/net/AndroidKeyStore.java, line(s) 27,39,52,56,68,72 aegon/chrome/net/AndroidNetworkLibrary.java, line(s) 103 aegon/chrome/net/CronetEngine.java, line(s) 122,121 aegon/chrome/net/CronetProvider.java, line(s) 82,77,96,81 aegon/chrome/net/X509Util.java, line(s) 76,78,80,171,175,248,312,292 aegon/chrome/net/impl/CronetBidirectionalStream.java, line(s) 356,501,569,609,616,583 aegon/chrome/net/impl/CronetLibraryLoader.java, line(s) 101 aegon/chrome/net/impl/CronetUploadDataStream.java, line(s) 143,238 aegon/chrome/net/impl/CronetUrlRequest.java, line(s) 338,371,377,466,495,538,543,579,598 aegon/chrome/net/impl/CronetUrlRequestContext.java, line(s) 586,485,488 aegon/chrome/net/impl/JavaUrlRequest.java, line(s) 568,706,832,845,859 aegon/chrome/net/impl/UrlRequestBuilderImpl.java, line(s) 74 aegon/chrome/net/urlconnection/CronetHttpURLConnection.java, line(s) 156,287 androidtranscoder/MediaTranscoder.java, line(s) 75,152,185,72,69 
androidtranscoder/engine/MediaTranscoderEngine.java, line(s) 77,85,170,199 androidtranscoder/engine/QueuedMuxer.java, line(s) 95,97,105 androidtranscoder/engine/TextureRender.java, line(s) 50,62,63,78,79,97 androidtranscoder/format/ExportPreset960x540Strategy.java, line(s) 23 com/bun/miitmdid/core/MdidSdkHelper.java, line(s) 57,63 com/bun/miitmdid/core/Utils.java, line(s) 70,73,35,40,44 com/czhj/devicehelper/DeviceHelper.java, line(s) 37,61,107,111 com/czhj/devicehelper/cnoaid/com/qiku/id/b.java, line(s) 32 com/czhj/devicehelper/cnoaid/g.java, line(s) 21 com/czhj/devicehelper/cnoaid/impl/g.java, line(s) 81 com/czhj/devicehelper/cnoaid/impl/h.java, line(s) 43,67,80,107,122,145,148,179 com/czhj/devicehelper/honor/identifier/a.java, line(s) 35,31,40 com/czhj/devicehelper/honor/identifier/b.java, line(s) 33,35,55,57,76,118,39,61,68,72,92,110,112,114,117,129 com/czhj/devicehelper/msaoaId/a.java, line(s) 56,87,93,122,128,148,177 com/czhj/volley/CacheDispatcher.java, line(s) 36,48,67,176,59,87,164 com/czhj/volley/NetworkDispatcher.java, line(s) 58 com/czhj/volley/Request.java, line(s) 151,156 com/czhj/volley/RequestQueue.java, line(s) 91 com/czhj/volley/VolleyLog.java, line(s) 64,67,98,54,103,107,117,122,126 com/czhj/volley/VolleyThreadFactory.java, line(s) 11 com/czhj/volley/toolbox/BasicNetwork.java, line(s) 82,132,126,138,147,169 com/czhj/volley/toolbox/FileDownloadNetwork.java, line(s) 83,106,117,148 com/czhj/volley/toolbox/FileDownloadRequest.java, line(s) 50 com/czhj/volley/toolbox/HttpHeaderParser.java, line(s) 157 com/czhj/volley/toolbox/ImageRequest.java, line(s) 133 com/dcloudym/activityComm/AppInstallReceiver.java, line(s) 77,96 com/dcloudym/activityComm/CoinWebViewFragment.java, line(s) 1851 com/dcloudym/activityComm/WebViewFragment.java, line(s) 1821 com/dcloudym/activityComm/a.java, line(s) 35,40,45,50,56,62,68 com/dcloudym/b/a.java, line(s) 98,102,106,115,119,180,254,256,306 com/dcloudym/d/d.java, line(s) 69 com/dcloudym/utils/i.java, line(s) 73 
com/dcloudym/utils/m.java, line(s) 60,68 com/dcloudym/utils/s.java, line(s) 200 com/dcloudym/views/CommonWebView.java, line(s) 1701,1706 com/dcloudym/views/X5WebView.java, line(s) 317 com/dmcbig/mediapicker/PreviewActivity.java, line(s) 239 com/fl/saas/base/widget/RainTextureView.java, line(s) 248 com/fl/saas/config/oaid/OAIDLog.java, line(s) 21 com/fl/saas/config/utils/DeviceUtil.java, line(s) 908 com/fl/saas/config/utils/LogcatUtil.java, line(s) 12,25,28,33,39,62,68,74,80,86,92 com/fl/saas/config/utils/SPUtil.java, line(s) 31 com/fl/saas/s2s/tobid/FLToBidCustomerProxy.java, line(s) 26,36 com/kirito/zip4j/UnZipModule.java, line(s) 57,76,107,116 com/kuaishou/aegon/AegonLoggingDispatcher.java, line(s) 22,33,26,28 com/kwad/lottie/LottieAnimationView.java, line(s) 269 com/kwad/lottie/b/a.java, line(s) 23 com/kwad/lottie/b/b.java, line(s) 32,72,82 com/kwad/lottie/c.java, line(s) 19,28 com/kwad/lottie/c/c.java, line(s) 66 com/kwad/lottie/d.java, line(s) 41 com/kwad/lottie/e.java, line(s) 167 com/kwad/lottie/f.java, line(s) 170,444 com/kwad/lottie/k.java, line(s) 105 com/kwai/library/ipneigh/KwaiIpNeigh.java, line(s) 39,42 com/kwai/player/vr/EglUtil.java, line(s) 29 com/kwai/player/vr/KwaiOrientationHelper.java, line(s) 110,115 com/kwai/player/vr/KwaiSensorHelper.java, line(s) 101,104,120,160,98,178 com/kwai/player/vr/KwaiVR.java, line(s) 95,102,108,115,179,223 com/kwai/player/vr/SurfaceTextureRenderer.java, line(s) 216,311,314,337,356,374,399,490,568,600,157,161,170,209,212,446,475,494,507,516,551,151,173,180,223,230,235,251,254,256,264,267,270,273,345,347,437,448 com/kwai/player/vr/SurfaceUtil.java, line(s) 13,25 com/kwai/video/hodor/util/Timber.java, line(s) 521,539 com/kwai/video/ksvodplayerkit/KSVodPlayer.java, line(s) 100 com/kwai/video/ksvodplayerkit/Logger/KSVodLogger.java, line(s) 71,94,117,140,163 com/kwai/video/player/AbstractNativeMediaPlayer.java, line(s) 230,234,225,237,259,93,256 com/kwai/video/player/KsDrm.java, line(s) 18 
com/kwai/video/player/KsMediaCodecInfo.java, line(s) 145,147 com/kwai/video/player/KsMediaPlayer.java, line(s) 1622,1646,597,938,1317,1325,1426,1434 com/kwai/video/player/kwai_player/KwaiMediaPlayer.java, line(s) 577,865,1508,877,368,391,1449 com/kwai/video/player/pragma/DebugLog.java, line(s) 50,54,58,14,18,22,26,30,34,62,66,70,38,42,46 com/kwai/video/player/surface/DummySurface.java, line(s) 134,140,59 com/mt/uniplugin_mt_device_info/DeviceUtil.java, line(s) 94 com/mt/uniplugin_mt_device_info/KillSelfService.java, line(s) 23 com/mt/uniplugin_mt_device_info/MacUtil.java, line(s) 36,47 com/mt/uniplugin_mt_device_info/Main.java, line(s) 19,25,31,37 com/mt/uniplugin_mt_device_info/RestartAPPUtil.java, line(s) 26 com/octopus/ad/AdActivity.java, line(s) 63 com/octopus/ad/BannerAdView.java, line(s) 94 com/octopus/ad/b/a/a.java, line(s) 28,80,33,53,57,71,73,83 com/octopus/ad/b/f/a.java, line(s) 25,47 com/octopus/ad/b/h/g.java, line(s) 38,50,47,53,55 com/octopus/ad/b/j/a.java, line(s) 22,25 com/octopus/ad/b/j/b.java, line(s) 262,137,144,154,160,163,170,259,289 com/octopus/ad/b/j/c.java, line(s) 24 com/octopus/ad/internal/a/a/d.java, line(s) 44 com/octopus/ad/internal/a/a/e.java, line(s) 41,39 com/octopus/ad/internal/a/h.java, line(s) 118,133,161,164,110,150,206,235,48,74,219 com/octopus/ad/internal/a/j.java, line(s) 116,85 com/octopus/ad/internal/a/m.java, line(s) 39,42,53,87,84,44 com/octopus/ad/internal/a/o.java, line(s) 52,163,165 com/octopus/ad/internal/a/q.java, line(s) 50 com/octopus/ad/internal/a/t.java, line(s) 28,37,28,37 com/octopus/ad/internal/activity/DownloadDialogActivity.java, line(s) 140,326 com/octopus/ad/internal/activity/a.java, line(s) 114,156,162,189,202 com/octopus/ad/internal/activity/b.java, line(s) 181,159 com/octopus/ad/internal/activity/c.java, line(s) 45 com/octopus/ad/internal/c.java, line(s) 40,41,53,65,137,74,79,84,95,119 com/octopus/ad/internal/d.java, line(s) 146,172 com/octopus/ad/internal/f.java, line(s) 40,86,90,27,42,174,82 
com/octopus/ad/internal/k.java, line(s) 64 com/octopus/ad/internal/m.java, line(s) 134,196 com/octopus/ad/internal/n.java, line(s) 26,48,55,28 com/octopus/ad/internal/nativead/a.java, line(s) 53,58,67,72,169,264,277 com/octopus/ad/internal/nativead/b.java, line(s) 43,35,45,72 com/octopus/ad/internal/nativead/c.java, line(s) 412 com/octopus/ad/internal/network/ServerResponse.java, line(s) 328,488,517,644,818,327,380,469 com/octopus/ad/internal/network/a.java, line(s) 104,138,241 com/octopus/ad/internal/o.java, line(s) 24 com/octopus/ad/internal/s.java, line(s) 25 com/octopus/ad/internal/utilities/DeviceInfo.java, line(s) 59 com/octopus/ad/internal/utilities/DeviceInfoUtil.java, line(s) 53 com/octopus/ad/internal/utilities/DownloadFactory.java, line(s) 209,143 com/octopus/ad/internal/utilities/ImageService.java, line(s) 47,66 com/octopus/ad/internal/utilities/UserEnvInfo.java, line(s) 19,32,37 com/octopus/ad/internal/utilities/ViewUtil.java, line(s) 302,299 com/octopus/ad/internal/utilities/WebviewUtil.java, line(s) 38,45,75 com/octopus/ad/internal/video/AdVideoView.java, line(s) 465,470,532,516,534,576,429,429,516,576 com/octopus/ad/internal/view/AdViewImpl.java, line(s) 745,750,1257,1541,1546,1551,1556,1561,1597,1610,1615,449,520,1039,1365,1999,1861,424 com/octopus/ad/internal/view/AdWebView.java, line(s) 166,618,654,355,650,592,285,480,486,953,964,547,557,579,611 com/octopus/ad/internal/view/BannerAdViewImpl.java, line(s) 142,153,422,428,443,450,453,467,471,474,477,480,482,485,488,491,495,502,507,513,518,528,535,540,549,562,177,225,438,645 com/octopus/ad/internal/view/InterstitialAdViewImpl.java, line(s) 141,144,146,149,153,168,256,279,284,291,204,270,136,274 com/octopus/ad/internal/view/a.java, line(s) 13,19 com/octopus/ad/internal/view/f.java, line(s) 339,369,400,413,504,522,245,276,289,302,311,320,329 com/octopus/ad/internal/view/h.java, line(s) 69,101,45,55,82,92 com/octopus/ad/topon/OctopusATBannerAdapter.java, line(s) 28,34,75,86,91,103,111,120 
com/octopus/ad/topon/OctopusATInitManager.java, line(s) 68,94,97 com/octopus/ad/topon/OctopusATInterstitialAdapter.java, line(s) 24,30,67,78,89,94,102,110 com/octopus/ad/topon/OctopusATNativeAdapter.java, line(s) 77,88,29,35 com/octopus/ad/topon/OctopusATNativeExpressAd.java, line(s) 41,47,53,58 com/octopus/ad/topon/OctopusATNativeUnifiedAd.java, line(s) 67,73,79,84 com/octopus/ad/topon/OctopusATRewardVideoAdapter.java, line(s) 25,31,68,76,87,98,103,111,119,127 com/octopus/ad/topon/OctopusATSplashAdapter.java, line(s) 25,31,72,83,88,96,107,116 com/octopus/ad/utils/a/f.java, line(s) 13,21 com/octopus/ad/utils/b/d.java, line(s) 130 com/octopus/ad/utils/c.java, line(s) 128 com/sigmob/windad/Splash/WindSplashAD.java, line(s) 47,167 com/sigmob/windad/WindAds.java, line(s) 70,131,158,357,268,304,331,355,288 com/sigmob/windad/natives/WindNativeUnifiedAd.java, line(s) 82,99,124 com/zx/a/I8b7/h2.java, line(s) 55,61 com/zx/a/I8b7/p0.java, line(s) 13,24,17,9,19 com/zx/a/I8b7/r.java, line(s) 10,24 com/zx/a/I8b7/x2.java, line(s) 29 com/zx/sdk/api/ZXManager.java, line(s) 22,151 master/flame/danmaku/danmaku/model/objectpool/FinitePool.java, line(s) 56 tv/cjump/jni/DeviceUtils.java, line(s) 67 tv/cjump/jni/NativeBitmapFactory.java, line(s) 64,117
Security info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/dcloudym/uniapp/IYmNovelModule.java, line(s) 5,233 com/dcloudym/utils/i.java, line(s) 6,170,354 com/octopus/ad/internal/network/ServerResponse.java, line(s) 5,208
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: aegon/chrome/net/X509Util.java, line(s) 166,165,201,164,164 com/dcloudym/d/d.java, line(s) 183,190 com/zx/a/I8b7/i0.java, line(s) 102,97,100,102,95,61,96,96
Passed security check: This application may have root detection capabilities.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/octopus/ad/utils/b/n.java, line(s) 82,82,82,82 uts/sdk/modules/DCloudUniGetDeviceInfo/DeviceUtil.java, line(s) 28,28,28,28,28
Key security concern: The application may communicate with a server (ads.adfunlink.com) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Key security concern: The application may communicate with a server (www.ibookstar.com) located in an OFAC-sanctioned country (China).
{'ip': '121.40.56.194', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
Key security concern: The application may communicate with a server (aid.mobileservice.cn) located in an OFAC-sanctioned country (China).
{'ip': '115.231.163.68', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '嘉兴', 'latitude': '30.752199', 'longitude': '120.750000'}
Key security concern: The application may communicate with a server (tools.ibookeee.com) located in an OFAC-sanctioned country (China).
{'ip': '120.55.60.77', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
Key security concern: The application may communicate with a server (msg.cmpassport.com) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '广东', 'city': '广州', 'latitude': '23.127361', 'longitude': '113.264572'}
Key security concern: The application may communicate with a server (id6.me) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Key security concern: The application may communicate with a server (www.adintl.cn) located in an OFAC-sanctioned country (China).
{'ip': '117.85.70.230', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Key security concern: The application may communicate with a server (ip.adipman.net) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
Key security concern: The application may communicate with a server (boardy.huanqiu.com) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '无锡', 'latitude': '31.569349', 'longitude': '120.288788'}
Key security concern: The application may communicate with a server (adtracker.adfunlink.com) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Key security concern: The application may communicate with a server (zxid-m.mobileservice.cn) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '嘉兴', 'latitude': '30.752199', 'longitude': '120.750000'}
Key security concern: The application may communicate with a server (creative.medproad.com) located in an OFAC-sanctioned country (China).
{'ip': '58.215.50.244', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '无锡', 'latitude': '31.569349', 'longitude': '120.288788'}
Key security concern: The application may communicate with a server (nisportal.10010.com) located in an OFAC-sanctioned country (China).
{'ip': '120.232.74.115', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Overall security baseline score summary

凤凰潮 v2.2.3
Android APK
Overall security score: 46
Medium risk